Open ingo-laubenthal opened 6 years ago
Hi @ingo-laubenthal,
I personally think the one-time ticket link is a bug in the design, because anyone (not only the list owners) who receives a message containing such a link can capture the privileges of the owner: reviewing, adding and deleting subscribers. Furthermore, the web accounts of the owners themselves may be captured (I don't know whether this feature is non-compliant with the law).
So I'm planning to remove this feature from Sympa. However, it will take some time (weeks to months).
Regards, -- ikedas
Issue confirmed on Sympa 6.2.32. It's quite a problem because listmaster identities could be usurped by anyone. I think the ticket system should obey the authentication system of Sympa (with SSO systems, which are more and more used, reconnecting is less of a problem). Otherwise, the ticket link could be removed and the user would just receive a notification.
Bumping this old issue again, and not just for the privacy/legal concerns stated above.
More importantly for us, the one-time ticket system is completely broken by automated anti-malware link scanners (basically what was reported in https://github.com/sympa-community/sympa/issues/1464). For these users, a one-time ticket is always used up before they see it, so they can't complete password resets, or moderate messages via links, or...?!
I'm not sure exactly what the alternative is, but perhaps a one-time code like so many sites are using these days... is there any hope of a fix here soon?
Apologies for the nag, but one-time tickets for password resets are still being invalidated by anti-malware link scanners, so people with email hosted e.g. on Outlook.com can't get their passwords and can't log in. Is there any hope of replacing the one-time ticket system anytime soon?
(We are already using a custom action devised long ago by Steve Shipway to introduce a new confirmation step, so you have to click a button first before it tries to load the ticket, which helps in many cases. But apparently there is now a more aggressive flavor of link scanner that also clicks through the confirmation button and loads the ticket, so the problem remains.)
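As an added illustration (not Sympa's code, and not written by any participant in this thread), the Python sketch below models the three designs the comments above compare: the current ticket link that is spent on the first GET, the confirmation-button variant where only the POST behind the button spends the ticket, and a short code the recipient has to type. `TicketStore`, the scenario functions and the `TICKET_BASE` URL are assumptions for the example; the in-memory dicts stand in for a real ticket table.

```python
# Added example (not Sympa's code): how an automated link scanner interacts with
# three ways of handing an e-mail recipient a one-off authenticated action.
import hashlib
import hmac
import secrets
from typing import Optional

TICKET_BASE = "https://lists.example.org/wws/ticket/"  # assumed URL prefix, not a real host


def _h(value: str) -> str:
    # Only a hash of each secret is stored, so a dumped table cannot be replayed.
    return hashlib.sha256(value.encode()).hexdigest()


class TicketStore:
    """Hypothetical in-memory stand-in for a ticket table (not Sympa's schema)."""

    def __init__(self, ttl: int = 3600, max_attempts: int = 5):
        self.ttl, self.max_attempts = ttl, max_attempts
        self._tickets: dict = {}   # sha256(token) -> row
        self._codes: dict = {}     # (email, action) -> row

    def _live(self, row: Optional[dict], now: float) -> Optional[dict]:
        if row is None or row["used"] or row["exp"] < now:
            return None
        return row

    # Design A (the behaviour complained about): the first GET of the link both
    # performs the action and spends the ticket, so whoever fetches first wins.
    def issue_link(self, email: str, action: str, now: float) -> str:
        token = secrets.token_urlsafe(24)
        self._tickets[_h(token)] = {"email": email, "action": action,
                                    "exp": now + self.ttl, "used": False}
        return TICKET_BASE + token

    def get_spend(self, url: str, now: float) -> Optional[dict]:
        row = self._live(self._tickets.get(_h(url[len(TICKET_BASE):])), now)
        if row is not None:
            row["used"] = True
        return row

    # Design B (confirmation step): GET only validates the ticket and renders a
    # button; the POST behind the button is what spends it.
    def get_peek(self, url: str, now: float) -> bool:
        return self._live(self._tickets.get(_h(url[len(TICKET_BASE):])), now) is not None

    def post_spend(self, url: str, now: float) -> Optional[dict]:
        return self.get_spend(url, now)

    # Design C (typed one-time code): the mail carries nothing a scanner can fetch
    # or submit; the code is bound to the e-mail address and action it was issued for.
    def issue_code(self, email: str, action: str, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._codes[(email, action)] = {"hash": _h(code), "exp": now + self.ttl,
                                        "used": False, "tries": 0}
        return code

    def verify_code(self, email: str, action: str, code: str, now: float) -> bool:
        row = self._live(self._codes.get((email, action)), now)
        if row is None:
            return False
        row["tries"] += 1
        if row["tries"] > self.max_attempts:   # an 8-digit code needs a lockout
            row["used"] = True
            return False
        ok = hmac.compare_digest(row["hash"], _h(code))
        if ok:
            row["used"] = True                 # single use, even for the right code
        return ok


EMAIL, ACTION, NOW = "owner@example.org", "choosepasswd", 1_700_000_000.0  # constructed


def scenario_link_spent_on_get() -> bool:
    """Design A: a scanner follows the link first; can the real user still get in?"""
    s = TicketStore()
    url = s.issue_link(EMAIL, ACTION, NOW)
    s.get_spend(url, NOW + 1)                      # anti-malware scanner fetches the URL
    return s.get_spend(url, NOW + 60) is not None  # user clicks a minute later


def scenario_confirm_button(scanner_submits_form: bool) -> bool:
    """Design B: a scanner GETs the page; an aggressive one also presses the button."""
    s = TicketStore()
    url = s.issue_link(EMAIL, ACTION, NOW)
    s.get_peek(url, NOW + 1)                       # plain scanner: nothing is spent
    if scanner_submits_form:
        s.post_spend(url, NOW + 2)                 # click-through scanner: spent
    return s.get_peek(url, NOW + 60) and s.post_spend(url, NOW + 61) is not None


def scenario_typed_code(wrong_guesses: int) -> bool:
    """Design C: no URL to scan; only someone who reads the code can use it."""
    s = TicketStore()
    code = s.issue_code(EMAIL, ACTION, NOW)
    wrong = f"{(int(code) + 1) % 10 ** 8:08d}"    # a neighbouring, certainly wrong code
    for _ in range(wrong_guesses):
        s.verify_code(EMAIL, ACTION, wrong, NOW + 1)
    return s.verify_code(EMAIL, ACTION, code, NOW + 60)


if __name__ == "__main__":
    print("A link spent on GET, after scanner:", scenario_link_spent_on_get())        # False
    print("B confirm button, plain scanner:", scenario_confirm_button(False))         # True
    print("B confirm button, click-through scanner:", scenario_confirm_button(True))  # False
    print("C typed code, no wrong guesses:", scenario_typed_code(0))                  # True
    print("C typed code, after 5 wrong guesses:", scenario_typed_code(5))             # False
```

The second scenario reproduces what the comment above reports: a GET-only scanner leaves design B intact, but a scanner that submits the form spends the ticket exactly as it would in design A. Design C is immune to both because there is no link, at the cost of a lockout and expiry that the code has to enforce itself; whether Sympa adopts anything like it is for the project to decide, and the example is not a proposal for its internals.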
Sorry, I'm not sure, whether this is the right place for this request.
A list admin in Germany received the following automatically generated e-mail, which I believe is critical in terms of privacy protection under German and European law:
=====
"From: SYMPA [mailto:sympa@list.ecogood.org] Sent: Saturday, 6 January 2018 23:38 To: karlsruhe@gemeinwohl-oekonomie.org Subject: For your information: warn-signoff list "karlsruhe-interessenten" from xxxxx@googlemail.com
WARNING: xxxxx@googlemail.com could not be unsubscribed from karlsruhe-interessenten because their e-mail address was not found in the list. Using the following link you can help this person search the subscriber list for similar e-mail addresses: http://list.ecogood.org/wws/ticket/08165878724540"
=====
Forwarding the above link to the owner of the e-mail address seems to enable this person to review the complete list of e-mail addresses, which is a breach of the other people's right to privacy. This way Sympa, as far as I can judge, is not compliant regarding the 'data protection by design' required by the law and may risk high penalties. The same applies to organizations who use Sympa.
[EDIT by admin] Below should be deprecated:

- `get_pending_list` action in notification about created/renamed lists for listmaster.
- `search` action in notification about failed unsubscriber for list owner.
- `modindex` action in notification about held messages for list moderator.
- `family_signoff` is documented. It should be rewritten not to use one-time ticket.
- `sso_login/confirmemail` action ditto.
- `choosepasswd` action ditto.