
Re: [sympa-users] Tickets incompatible with some anti-malware tools

List: sympa-users, the mailing list for listmasters using Sympa

  • From: Dominic Hargreaves <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] Tickets incompatible with some anti-malware tools
  • Date: Thu, 6 Mar 2014 17:13:59 +0000

On Thu, Mar 06, 2014 at 09:03:23AM -0800, Adam Bernstein wrote:
> >So the only solution I see is for you to encourage your users to change
> >to another anti-phishing solution or, at least, to switch the "links
> >visit functionality" off.
>
> For what it's worth, we've started seeing this problem with our
> users too - and we have no control at all over subscribers' email
> systems. Hundreds of clients host their lists on our server, and
> their lists contain hundreds or thousands of users from around the
> world, so there are at least two levels of disconnect between
> subscribers' choices and our ability to influence them.
>
> We know one-time ticketing is in use in many places, and I see no
> obvious way on the server side to deal with this client-side issue
> of malware scanners, but I just wanted to chime in. This is an
> issue we're going to see more of, and have no way of responding to.
>
> But maybe, I don't know, could they be *two-time* tickets...? (In
> fact, that would also help with another issue we see: people
> sometimes double-click the ticket link, thus accidentally blocking
> themselves.)

I suspect that the way to improve the situation is to not log people
in immediately but use the token as a way to allow people to reset their
passwords. This seems to be a more common way of doing things
than what Sympa currently does (based on [1] and my own experience). As a
result, you wouldn't have to delete the one time ticket before it's
actually been *used* which is at the point the password change form has
been POSTed to the server. One hopes that the agent which makes GET
requests on behalf of the user doesn't also go round randomly submitting
POST requests too :)

[1] <http://www.sympa.org/internals/internals-auth>

--
Dominic Hargreaves, Systems Development and Support Section
IT Services, University of Oxford, 13 Banbury Road, Oxford, OX2 6NN

Attachment: signature.asc
Description: Digital signature
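The flow Dominic sketches above, written out as an added example (this is not Sympa's code and was not posted by anyone in the thread): the emailed ticket only authorises rendering a password-change form on GET, and is consumed solely when that form is POSTed. The in-memory stores, the one-hour TTL, the handler names and the HTTP status codes are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a database; Sympa's real
# schema and session handling are not used here (assumption).
TOKENS = {}       # sha256(token) -> {"email": str, "expires": float}
PASSWORDS = {}    # email -> (salt, pbkdf2 digest)
TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)
MIN_PASSWORD_LEN = 12


def _token_key(token):
    # Store only a hash of the ticket so a copy of the table is not a
    # list of valid reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Mint a fresh single-use ticket and return the secret to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[_token_key(token)] = {"email": email, "expires": now + TOKEN_TTL}
    return token


def _lookup(token, now):
    rec = TOKENS.get(_token_key(token))
    if rec is None or rec["expires"] < now:
        return None
    return rec


def handle_get(token, now=None):
    """GET /reset?ticket=...: validate and render the form, consuming nothing.

    A link-following scanner, a mail client preview and a user who
    double-clicks all hit this path; none of them burn the ticket.
    """
    now = time.time() if now is None else now
    if _lookup(token, now) is None:
        return 404, "Invalid or expired reset link"
    form = ('<form method="post" action="/reset">'
            f'<input type="hidden" name="ticket" value="{token}">'
            '<input type="password" name="new_password">'
            '<button>Change password</button></form>')
    return 200, form


def handle_post(token, new_password, now=None):
    """POST /reset: the point of actual *use*; the ticket is consumed here."""
    now = time.time() if now is None else now
    if _lookup(token, now) is None:
        return 403, "Invalid or expired ticket"
    if len(new_password) < MIN_PASSWORD_LEN:
        # Reject before consuming so the user can retry from the same form.
        return 400, f"Password must be at least {MIN_PASSWORD_LEN} characters"
    rec = TOKENS.pop(_token_key(token), None)  # single use: gone after this
    if rec is None:
        return 403, "Ticket already used"
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    PASSWORDS[rec["email"]] = (salt, digest)
    return 200, "Password changed"


def verify_password(email, password):
    entry = PASSWORDS.get(email)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    t = issue_reset_token("alice@example.org")
    # scanner fetches the link, then the user does: both get the form
    print(handle_get(t)[0], handle_get(t)[0])                 # 200 200
    print(handle_post(t, "correct horse battery staple")[0])  # 200
    print(handle_post(t, "correct horse battery staple")[0])  # 403, already used
```

The ticket is still single-use, but "use" now means the POST, so a scanner that only follows links (or a user who clicks twice) cannot lock anyone out. If an agent did submit the form on the user's behalf it would consume the ticket, which is the residual risk Dominic alludes to; requiring a per-form CSRF nonce that never appears in the emailed URL is the usual complement, though the thread does not discuss it.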
