[dm-crypt] Several issues with cryptsetup 2.0.0

curve25519 at mailbox.org curve25519 at mailbox.org
Sun Jan 14 16:00:08 CET 2018


>> But first I have a question related to the mailing list:
>> How is it possible that the dm-crypt mailing list web interace and admin
>> panel can't be accessed via a secure TLS or at least some broken old
>> SSL connection? As in: can somebody please fix this?
> 
> You seem to be the first one that cares. As the admin 
> functionality is accessible via email, do you actually 
> have a credible attack model for this?
> 
>From a user perspective it's impossible to know if the admin actually
uses this feature. Additionally password reuse by the users could very
well be abused by a passive listener in a privilidged network position.

Considering the content and target audience password reuse may not be
extremely common, but the kind of parties interested in people
subscribing to such lists leads me to believe that at the very least
passive listening has to be assumed.

Another imo valid reason would be the impression it makes on others. How
can we as the security community credibly teach others and ask of them
to use Letsencrypt, encrypt their harddrives, protect their user data
etc. and then hold ourselves to such low standards?

Please don't take this as an attack, I just wanted to point something
out which appeared borderline ironic from an outsider perspective
considering the community and the amount of work needed to fix it.

Kind regards

Curve


More information about the dm-crypt mailing list