[Mailman-Users] Re: Security features of Mailman

2024-02-07 Thread Stephen J. Turnbull
Juergen Dollinger writes:

 > We tried encrypted lists some years ago. Have a look at
 > http://non-gnu.uvt.nl/mailman-pgp-smime/

Thank you for describing your experience!
The people side is always hard.  I'm not unhopeful though, but it's
going to take work, especially good design.

 > The idea is that there is a key for the list, the server decrypts
 > the E-mails and encrypts it for the recipients who have supplied a
 > key. Worked fine with that old version of Mailman 20 years ago.

That's exactly how I would do it, except you wouldn't receive posts
until you submitted a key.  Having half the copies vulnerable
on-the-wire and on-disk would not fill me with warm fuzzy feelings.
:-) 

I think this could be fairly useful in environments where people are
paranoid enough to leave the mail encrypted on disk.  But even the DV
case that I mentioned -- would it stay encrypted for long if a few of
the abusers discovered its existence?  It would only take one!

 > But even in our quite nerdy environment only about the half of the
 > subscribers submitted a key for the list. (excuses are like 'I want
 > to use grep(1) for fulltext search in my list E-mails')

Today I don't think that excuse would fly, machines are fast enough
that few email bodies would take noticeable time to decrypt, and
languages like Python and Perl provide very high quality email
processing libraries.  p-grep-p would be written real fast, and it
would work fast too.

Steve
--
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
Member address: arch...@jab.org
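
The "p-grep-p" idea from the message above, as an added example that is not part of the original thread: a grep that opens PGP/MIME (RFC 3156) messages with Python's `email` library and searches the decrypted text. The function names are hypothetical, `gpg_decrypt` assumes a local GnuPG keyring, and the sample "ciphertext" is constructed base64, not real OpenPGP data.

```python
import base64
import re
import subprocess
from email import message_from_bytes, policy

def gpg_decrypt(ciphertext: bytes) -> bytes:
    """Decrypt with the reader's own GnuPG keyring (assumes gpg is installed)."""
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"], input=ciphertext,
                          capture_output=True, check=True).stdout

def readable(msg, decrypt):
    """Return msg, or the decrypted inner MIME entity of an RFC 3156 message."""
    if msg.get_content_type() != "multipart/encrypted":
        return msg
    parts = list(msg.iter_parts())
    if len(parts) != 2:
        raise ValueError("malformed multipart/encrypted")
    # Part 1 is the "Version: 1" control part, part 2 carries the OpenPGP data.
    plain = decrypt(parts[1].get_payload(decode=True))
    return message_from_bytes(plain, policy=policy.default)

def pgrep(raw_messages, pattern, decrypt=gpg_decrypt):
    """Return (subject, line) for each text line that matches pattern."""
    rx, hits = re.compile(pattern), []
    for raw in raw_messages:
        outer = message_from_bytes(raw, policy=policy.default)
        try:
            inner = readable(outer, decrypt)
        except (subprocess.CalledProcessError, ValueError):
            continue  # malformed, or not encrypted to a key we hold
        for part in inner.walk():
            if part.get_content_maintype() == "text":
                hits += [(str(outer["Subject"]), line)
                         for line in part.get_content().splitlines() if rx.search(line)]
    return hits

# Constructed sample input; base64 stands in for encryption so this runs offline.
standin_decrypt = base64.b64decode
INNER = b"Content-Type: text/plain; charset=utf-8\r\n\r\nrotate the list key\r\nsee you Friday\r\n"
SAMPLE = (b"Subject: [demo] key rollover\r\nMIME-Version: 1.0\r\n"
          b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
          b' boundary="b"\r\n\r\n'
          b"--b\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
          b"--b\r\nContent-Type: application/octet-stream\r\n\r\n"
          + base64.b64encode(INNER) + b"\r\n--b--\r\n")
PLAIN = b"Subject: [demo] plain\r\n\r\nthis plain copy mentions a key too\r\n"

if __name__ == "__main__":
    print(pgrep([SAMPLE, PLAIN], r"\bkey\b", decrypt=standin_decrypt))
```

The plaintext exists only in memory while the search runs, so the folder on disk stays encrypted.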


[Mailman-Users] Re: Security features of Mailman

2024-02-07 Thread Stephen J. Turnbull
rich...@karmannghia.org writes:

 > It's very straight-forward:

C'mon, man, Grandpa knows how to tie his shoes.  The construction of
such an encrypted list is not technically terribly complex---as you said
yourself, a SMOC.  The problems are describing *who* is the adversary,
*what* will they do to invade your privacy, and *how* does the
proposed system thwart those threats.  You are completely ignoring
those questions.  And no, "unencrypted mail is a threat" to
"everybody" isn't a serious attempt to address them, given that almost
everyone is using MTAs that support TLS nowadays.

 > Subscribers who want encrypted email include their public key in
 > their subscription details,

What about the needs of *posters*, who are *at least* as important as
subscribers here, who want to keep *their* posts private?  That's why
"encryption-optional" lists make no sense to me, except as a proof of
concept.  And the prescription to greppers to leave their mail folders
unencrypted is not comforting to the authors, either.

I see vanishingly small added security in an encryption-optional mailing
list of the kind Juergen described.  As a proof-of-concept, it was a
brave experiment that maybe could have led to something.  But it
didn't.

 > HOWEVER, just because ONE email list of a group who realized it was
 > there had that experience says NOT A THING about how many who
 > didn't know would love to have a list where users HAD to use
 > encryption to be on the list!
[...]
 > It's myopic to see just one's own use case and think it applies
 > across the board.

Round 'em up, man.  I listen to the community.  I'm listening to you.

 > Over my long and storied 47 year career in computer science I've long 
 > noted that the vast majority of users:
 > 
 > 1) Don't know what they really want;
 > 2) Don't have a clue what's easy and what's hard, and;
 > 3) Don't hang out on email lists like this one.

So?  I think they *do* know a very large fraction of what they want at
the level of expressing *requirements* (WIBNI ...).  Dealing with
what's easy and what's hard is our problem as developers, not theirs.
With that knowledge, we can help them refine and prioritize their
requirements, and sometimes discover new ones.  Convincing them that
we understand their requirements and know easy vs. hard is also our
problem.  And the lack of like-thinking users on mailing lists like
this one is a problem for advocates (like you?)

 > > But there are substantial technical hurdles to extreme
 > > requirements such as "end-to-end encryption" of list traffic.
 > 
 > That is abjectly false, Juergen proved it, and not only was it NOT
 > difficult 20 years ago, in the 20 years since then what's fairly
 > easily possible has expanded considerably.

Your definition of "end-to-end" is not the one in common use.  A
system where an intermediate node decrypts, then reencrypts and
forwards, is not "end-to-end encrypted" in any usage I've seen before.

It's really not useful to discuss technical issues if you won't at
least use the accepted definitions of such critical terms.  You're
welcome to argue that given the threats you perceive, it's not an
important requirement for an encrypted mailing list.  But given the
ease with which systems are penetrated these days, I disagree for
most purposes I can think of.

Steve
