Re: [Zope] Question about Zope and security

2006-04-01 Thread Dieter Maurer
Cyrille Bonnet wrote at 2006-3-30 14:43 +1200:
> ...
>I did find Dieter Maurer's DigestAuth product: 
>http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth
>
>It looks good. I have used other products from Dieter before and was very 
>pleased with the quality of his code.
>
>Now, have other people used it? Does it work with WebDAV?

It should work with WebDAV, provided the WebDAV client supports
HTTP Digest Authentication.

>How secure is 
>it (I am no security/encryption expert)?

The corresponding RFC (RFC 2617) explains in detail how
secure the basic mechanism is.

My "DigestAuth DigestAuthCrumber" adds a bit of insecurity:

  * the passwords must be stored (inside Zope (!), not in the request)
    in plain text.

    This could be improved a bit, either by

    - using two-way encryption -- but Zope must be able to get
      the plain text password back.

    - fixing the domain and storing the "MD5" hash
      of username, password and domain instead of the
      plain text password.

      Other authentication schemes would then need to
      be changed -- to use the same "MD5" hash.

>Also, if it is good, why is not part of default Zope??


There are two sides of an answer: the Zope developers'/maintainers' side
and my side.

Adding even a good package to the core means a (rather) long term
commitment to support and maintain this package. When you
follow "comp.lang.python" (or the corresponding mailing list),
you see how reluctant the Python developers are to include
additional packages into the Python core -- to avoid these
responsibilities. The Zope maintainers are even stricter: they
look at what they can get rid of rather than what they can include.

On my side: developing for the Zope core imposes much more overhead
than developing independently: I would have to make a proposal,
follow (partially stupid) style guides, add more tests (than
necessary to convince me that the quality is sufficient)...
Thus, I am reluctant to develop for the Zope core.

-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
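As an added example (not code from Dieter's product or from anyone in this thread), the storage scheme he describes, carried through in Python: the server keeps only HA1 = MD5(username:realm:password) for a fixed realm, verifies RFC 2617 Digest responses from that alone, and a form-based login is adapted to check against the same hash. The realm, user, and request values are constructed.

```python
import hashlib
import hmac
import secrets

# The "domain" in Dieter's wording is the Digest realm; it must be fixed,
# because the stored hash binds to it. Constructed value for this example.
REALM = "zope-example"


def md5_hex(s: str) -> str:
    # MD5 is what RFC 2617 specifies for the Digest scheme; it is not a
    # general-purpose password hash.
    return hashlib.md5(s.encode()).hexdigest()


def enroll(username: str, password: str) -> str:
    """What the server stores instead of the plain text password:
    HA1 = MD5(username:realm:password) (RFC 2617)."""
    return md5_hex(f"{username}:{REALM}:{password}")


def client_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' value a Digest client puts in its Authorization header."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute the expected response from the stored HA1 only;
    the plain text password is never needed here."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def form_login_verify(stored_ha1, username, password):
    """A form-based login adapted to the same stored hash, as Dieter notes
    other schemes would have to be."""
    return hmac.compare_digest(enroll(username, password), stored_ha1)


def demo():
    # Constructed enrollment plus one constructed WebDAV request.
    stored = enroll("alice", "s3cret")
    nonce = secrets.token_hex(16)   # server-issued per challenge
    cnonce = secrets.token_hex(8)   # chosen by the client
    resp = client_response("alice", "s3cret", "PROPFIND", "/docs/", nonce, "00000001", cnonce)
    return server_verify(stored, "PROPFIND", "/docs/", nonce, "00000001", cnonce, resp)
```

Changing REALM after enrollment invalidates every stored HA1, which is why the realm has to be fixed up front.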


Re: [Zope] Question about Zope and security

2006-03-30 Thread Andrew Milton
+---[ bruno desthuilliers ]--
| Cyrille Bonnet wrote:
| > Hi there,
| > 
| > I have been telling all my clients about how great Zope is for security:
| > fine-grained permissions, security framework, roles, etc.
| > 
| > Now, one of my clients has a security expert who took a close look at
| > how Zope authenticates users. The results were not good.
| > 
| > The main problem is that Zope stores the username and password in a
| > cookie in clear text (base64 encoded).
| 
| *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
| is responsible for this horror.

Lots of UserFolders do this by default for compatibility reasons.
CookieCrumbler is just following a long tradition.

It's EXACTLY the same as what you get with Basic Auth.

exUserFolder has a mode that uses a random hash for cookies (I'm sure other
UserFolders have this option as well). But as others have said, if 
you're posting to a form and not using https, what's the point?

-- 
Andrew Milton
[EMAIL PROTECTED]


Re: [Zope] Question about Zope and security

2006-03-30 Thread bruno desthuilliers
Cyrille Bonnet wrote:
> Hi there,
> 
> I have been telling all my clients about how great Zope is for security:
> fine-grained permissions, security framework, roles, etc.
> 
> Now, one of my clients has a security expert who took a close look at
> how Zope authenticates users. The results were not good.
> 
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

*Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
is responsible for this horror.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.
> 
> I know, the odds of that happening are low, but storing the username and
> password in clear text is clearly not best practice.

That's an understatement.

> So, my question is: is there a way to secure Zope authentication?

Yes: use https.

-- 
bruno desthuilliers
developer
[EMAIL PROTECTED]
http://www.modulix.com


Re: [Zope] Question about Zope and security

2006-03-29 Thread Lennart Regebro
On 3/30/06, Cyrille Bonnet <[EMAIL PROTECTED]> wrote:
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

As mentioned before, Zope doesn't, but CookieCrumbler (and hence Plone) does.
And, the security expert is not much of a security expert at all, if
he doesn't know this:

You will only get real web security with SSL.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.

All plain http is vulnerable to that, which is why, if you care about
security, you need to use https.

> So, my question is: is there a way to secure Zope authentication?

Yup. See above. :)

> Also, if it is good, why is not part of default Zope??

Good question. :-)

However, today you want to use PAS. The new fancy modular user folder
for Zope. I don't know if it works with Plone yet, though.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/


Re: [Zope] Question about Zope and security

2006-03-29 Thread Tino Wildenhain
Cyrille Bonnet wrote:
> Hi there,
> 
> I have been telling all my clients about how great Zope is for security:
> fine-grained permissions, security framework, roles, etc.
> 
> Now, one of my clients has a security expert who took a close look at
> how Zope authenticates users. The results were not good.
> 
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

No, Zope does not do that. There are user folders and extensions
(like CookieCrumbler) which do that. You can have any mechanism
you want.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.

So does it? Even with an SSL layer?

> I know, the odds of that happening are low, but storing the username and
> password in clear text is clearly not best practice.

Sure, you have to take care - but enabling some kind of digest auth
(below) isn't that hard - otoh, your password will be transferred
over the net in clear text in many cases - if you have a form
based login you will for sure transfer clear text username and
password. You could try javascript tricks to put digest-like
authentication in a form based login, but that's not so easy and
bulletproof. And if you stress it too much you have great
security - but no users :-)
So if you are security concerned, just put an ssl-layer on
top of Zope. Usually via apache mod_ssl, mod_proxy and mod_rewrite.
You can also use pound or squid.

> So, my question is: is there a way to secure Zope authentication?
> 
> I did find Dieter Maurer's DigestAuth product:
> http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth

Digest auth - as long as your users' browsers support it - is a solution
and better than basic-auth. However you don't have a nice
login form and you can't log out.

> It looks good. I have used other products from Dieter before and was very
> pleased with the quality of his code.
> 
> Now, have other people used it? Does it work with WebDAV? How secure is
> it (I am no security/encryption expert)?

WebDAV is just HTTP, so all you apply to it holds true for WebDAV
as well - beside the fact you can't have login forms. So basic auth
or digest auth can be used and can be secured via ssl.

> Also, if it is good, why is not part of default Zope??

Cookie auth isn't part of default Zope either.

> Finally, a little side story: you know how in Windows XP, you can
> connect a drive to a WebDAV server? Well, if you install Service Pack 2,
> you can't use that feature to connect to Zope anymore. Interestingly
> enough, it seems that it is precisely because of that authentication
> vulnerability: Win XP SP2 refuses to connect to a WebDAV that doesn't at
> least encode the username/password in Digest authentication...
> 
Yes, MS never gets it right with official standards. You can patch
around to make it work with the windows of the day, but you might
need to change it next time again. However you can use 3rd party
products like WebDrive/TeamDrive which have been reported to work
flawlessly since the early days of Zope's WebDAV support.

Kind regards
Tino



Re: [Zope] Question about Zope and security

2006-03-29 Thread Terry Hancock

Cyrille Bonnet wrote:

> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).
>
> Even though it only happens in their internal network, my client
> wasn't too happy, because it makes them vulnerable to a
> man-in-the-middle attack.
>
> I know, the odds of that happening are low, but storing the username
> and password in clear text is clearly not best practice.
>
> So, my question is: is there a way to secure Zope authentication?

Stock Zope doesn't use cookie authentication, so you're actually talking
about an alternate user folder product (which you don't specify and I
don't know that many of them, so I can't really comment much -- except
that SimpleUserFolder with CookieCrumbler will indeed put you in this
situation (or did the last time I checked)).

The fact that Zope stores passwords as plain text is not the issue if
you're worried about man-in-the-middle attacks, though. The problem
there is that you are passing passwords in plain text in the request,
and there is almost no way around that unless you run an SSL (HTTPS)
server. Which you should if you want real security.

Encrypting your password database without moving your server login to
HTTPS is only going to create inconvenience without improved security
(you can no longer send password reminders, for example) -- it's a
false sense of security.

So, IMHO, secure the server, then worry about password databases.

Cheers,
Terry



[Zope] Question about Zope and security

2006-03-29 Thread Cyrille Bonnet

Hi there,

I have been telling all my clients about how great Zope is for security: 
fine-grained permissions, security framework, roles, etc.


Now, one of my clients has a security expert who took a close look at 
how Zope authenticates users. The results were not good.


The main problem is that Zope stores the username and password in a 
cookie in clear text (base64 encoded).


Even though it only happens in their internal network, my client wasn't 
too happy, because it makes them vulnerable to a man-in-the-middle attack.


I know, the odds of that happening are low, but storing the username and 
password in clear text is clearly not best practice.


So, my question is: is there a way to secure Zope authentication?

I did find Dieter Maurer's DigestAuth product: 
http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth


It looks good. I have used other products from Dieter before and was very 
pleased with the quality of his code.


Now, have other people used it? Does it work with WebDAV? How secure is 
it (I am no security/encryption expert)?


Also, if it is good, why is not part of default Zope??

Finally, a little side story: you know how in Windows XP, you can 
connect a drive to a WebDAV server? Well, if you install Service Pack 2, 
you can't use that feature to connect to Zope anymore. Interestingly 
enough, it seems that it is precisely because of that authentication 
vulnerability: Win XP SP2 refuses to connect to a WebDAV that doesn't at 
least encode the username/password in Digest authentication...


Any comment or pointers are very welcome.


Cyrille
