Subject: Re: Those messages about "AUDITORY list edit URL
From: John Lazzaro <lazzaro(at)CS.BERKELEY.EDU>
Date: Sun, 15 Jul 2001 11:08:58 -0700

> [dpwe writes]
>
> Thus, a
> list member can go to the index, view their record, then, if they want
> to change something but don't have a record of their passcode, they
> can click the link and it will be sent to them. Anyone else could
> click that link too, but it would only send a message to the
> registered user.

Dan and many list members know this already, but just to be clear here -- that email message, sent to the "registered user", can be snooped on its way to you by a moderately-talented and sufficiently-motivated attacker.

In this application, it's a perfectly sane tradeoff -- the amount of work needed to snoop the email isn't worth the thrill of changing the bio information of an auditory list member. But in general, be aware that unencrypted email is secure only by obscurity, and use an encryption package like PGP if you need real security.

-------------------------------------------------------------------------
John Lazzaro -- Research Specialist -- CS Division -- EECS -- UC Berkeley
lazzaro [at] cs [dot] berkeley [dot] edu     www.cs.berkeley.edu/~lazzaro
-------------------------------------------------------------------------