How secure are the authentication mechanisms used in Mailman's web interface?
A. If your Mailman installation runs on an SSL-enabled web server (i.e. you access the Mailman web pages with “https://…” URLs), you should be as safe as SSL itself is. However, most Mailman installations run under standard, encryption-unaware servers. There is nothing wrong with that for most applications, but a sufficiently determined cracker *could* get unauthorized access by:

• Packet sniffing: The password used for the initial authentication to any non-public Mailman page is sent as clear text over the net. If you consider this a big problem, you really should use an SSL-enabled server.

• Stealing a valid cookie: After successful password authentication, Mailman sends a “cookie” back to the user's browser. This cookie is used for “automatic” authentication when browsing further within the list's protected pages. Mailman uses “session cookies”, which persist until you quit your browser or explicitly log out. Gaining access to the user's cookie (e.g. by being able to
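The two attacks above (reading the clear-text password, and reusing a captured session cookie) are easiest to understand by looking at what a passive sniffer actually sees on a plain-HTTP path. The following is an added example, not Mailman's own code: it parses a constructed request/response pair the way a sniffer would reassemble it, pulls out the password and the session cookie, and builds the request a cookie thief would send to get in without the password. The form field name `adminpw`, the cookie name `example-list+admin` and the host are assumptions made for the illustration.

```python
# Added illustration (not Mailman code): what a passive sniffer on the
# network path sees when the admin login happens over plain HTTP, and why
# a stolen session cookie is as good as the password until logout.
from urllib.parse import parse_qs


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, headers, body).

    Header names are lower-cased; repeated headers are kept as a list,
    which matters because Set-Cookie may legitimately appear several times.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers = {}  # name -> [value, ...]
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start_line, headers, body


def sniffed_form_fields(raw_request: bytes) -> dict:
    """Return the form fields a sniffer reads from a clear-text POST body."""
    _, headers, body = parse_http_message(raw_request)
    ctype = headers.get("content-type", [""])[0]
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def sniffed_cookies(raw_response: bytes) -> list:
    """Return each Set-Cookie header as {'name', 'value', 'attrs'}."""
    _, headers, _ = parse_http_message(raw_response)
    cookies = []
    for header in headers.get("set-cookie", []):
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.lower()] = val
        cookies.append({"name": name, "value": value, "attrs": attrs})
    return cookies


def cookie_travels_in_clear(cookie: dict, scheme: str) -> bool:
    """True if the session cookie can be sniffed: the site is plain http,
    or the cookie lacks the Secure attribute (then a browser also sends it
    with any http request to the same host, even on an https site)."""
    return scheme == "http" or "secure" not in cookie["attrs"]


def forged_request_with_stolen_cookie(path: str, host: str, cookie: dict) -> bytes:
    """Build the GET a cookie thief sends: the session rides on the cookie,
    so no password is needed."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie['name']}={cookie['value']}\r\n"
        "\r\n"
    ).encode("iso-8859-1")


# Constructed exchange (not a real capture). The field name 'adminpw',
# the cookie name and the host are assumptions for this illustration.
LOGIN_BODY = b"adminpw=hunter2&admlogin=Let+me+in..."
CAPTURED_REQUEST = (
    b"POST /mailman/admin/example-list HTTP/1.1\r\n"
    b"Host: lists.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(LOGIN_BODY)
    + LOGIN_BODY
)
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: example-list+admin=2a5e9c0b7d; Path=/mailman/\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html>...admin pages...</html>"
)


if __name__ == "__main__":
    fields = sniffed_form_fields(CAPTURED_REQUEST)
    print("password seen on the wire:", fields["adminpw"])
    for cookie in sniffed_cookies(CAPTURED_RESPONSE):
        print("session cookie seen on the wire:", cookie["name"], "=",
              cookie["value"], "| sniffable over http:",
              cookie_travels_in_clear(cookie, "http"))
        print(forged_request_with_stolen_cookie(
            "/mailman/admin/example-list", "lists.example.org", cookie
        ).decode("iso-8859-1"))
```

Running it shows both weaknesses at once: the password is readable in the POST body, and the replayed GET carries only the cookie, which is why moving to an SSL-enabled server (and marking the cookie Secure so browsers never send it over plain http) closes both holes rather than just the first.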