Security: HTTPS for Discussion List Admin Pages & Web Email Admin Pages?


#1

Greetings.

I have had Mailman set up on my servers in the past, and have been able to configure it for https access for the admin pages. Would it be possible to set up Mailman on Dreamhost to at least accept https login?

And for managing the web email accounts, the “Mailbox Manager” is also HTTP only, no https. Could https be made available? Especially as the email password is used to access this page?

Thanks!


#2

Afraid not. The Mailman services are on a separate set of machines; we don’t have them set up to accept secure connections. (Since that’d require one unique IP for every mailing list and a bunch of SSL certificates and… ugh. Huge mess, and not worth it given that all the mail ends up going out over unencrypted SMTP anyway.)


#3

You only answered half of the question above.

See http://apple.slashdot.org/story/12/02/12/1530252/southwest-airlines-iphone-app-unencrypted-vulnerable-to-eavesdroppers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+(Slashdot) for latest impact of unencrypted passwords over the internet.

You seriously think so?
Q1) Doesn’t mailman run on Apache?
Q2) Doesn’t Apache have the ability to determine which domain the incoming request is for and serve up the appropriate certificate?
Q3) a) If 1&2 are correct, can’t Apache be readily configured to serve up the Certificate the domain owner has purchased?
b) If 1 and/or 2 are wrong, I don’t think that the list owners would balk at using a Dreamhost certificate to protect the list passwords and help keep hackers & spammers off of our lists.

As for MailManager, having that as HTTP Only is even worse than what happened to Southwest Airlines and their webapp. See above questions.

NOTE: Webmail access gives:
"Invalid Certificate: The certificate is only valid for the following names:
webmail.dreamhost.com , www.webmail.dreamhost.com"
It’s not as if you are using domain specific certificates in all domain related areas currently. What I am really asking for, at a MINIMUM (more would be nice, but minimum would be good), is to secure all password protected pages at least with the Dreamhost SSL or TLS Certificates (preferably the latter).

-Steve


#4

Whoops, missed the second part. Will address that below.

Q1) Yes.

Q2/3) On a small scale, yes. However, it doesn’t work for any version of Internet Explorer on Windows XP; there are also some limits on the number of virtual hosts that work well on a single server. You’d also have to buy a certificate for lists.yourdomain.com — the normal certificate is only good for the bare domain and “www”. As a result of this, we haven’t committed the engineering time to get these working under SSL yet.

As far as Mailbox Manager goes — that’s an older app in our system; it’s not up to our current standards. We plan to fix it up soon.
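The mechanism argued over in Q2/Q3 and the reply in #4, name-based TLS virtual hosts that Apache selects by the hostname the client sends in SNI, as an added Apache httpd configuration example (not DreamHost's configuration and not Mailman's own; the hostnames, certificate paths and the Mailman CGI location are assumed placeholders):

```apache
# Added example: two TLS virtual hosts on one IP, distinguished by SNI.
# Hostnames, certificate paths and the Mailman CGI path are placeholders.
Listen 443
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

# A client that sends no SNI (e.g. Internet Explorer on Windows XP)
# negotiates TLS with the FIRST vhost's certificate, so it gets a
# name-mismatch warning for any other hostname on this IP. That is the
# limitation referred to in #4.
SSLStrictSNIVHostCheck off

# First vhost: the provider's own certificate (the default for non-SNI clients)
<VirtualHost *:443>
    ServerName webmail.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webmail.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/webmail.example.net.key
    DocumentRoot /var/www/webmail
</VirtualHost>

# Second vhost: a list owner's domain with its own certificate.
# The certificate must name lists.example.org as a SAN; one issued only
# for example.org and www.example.org will not validate here (see #4).
<VirtualHost *:443>
    ServerName lists.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/lists.example.org.key
    # Assumed Mailman CGI location; adjust to the installed layout
    ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
    <Directory /usr/lib/cgi-bin/mailman/>
        Require all granted
    </Directory>
</VirtualHost>

# Plain-HTTP side: send the admin/login pages to HTTPS so list passwords
# are never submitted in the clear.
<VirtualHost *:80>
    ServerName lists.example.org
    Redirect permanent /mailman/ https://lists.example.org/mailman/
</VirtualHost>
```

Each additional list domain repeats the second vhost with its own certificate, which is the per-domain certificate cost the reply points out.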