RE: [Zope] passwords TTW - security hole?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Bill Welch
> Sent: Monday, December 18, 2000 11:03 AM
> To: [EMAIL PROTECTED]
> Subject: [Zope] passwords TTW - security hole?
>
> AFAIK, inputs of type password are sent to the server as plain text. In
> Login Manager, for example, that would mean that passwords are exposed
> every time someone logs in. In User Folder, the passwords would be exposed
> whenever they're changed.

It's even worse than every time someone logs in. With HTTP Basic Authentication, the username and password are sent with every Web request. This means that after authentication, for each and every page you visit and every image and file you request, your username and password are sent.

> If my interpretation is correct, then it seems to me to be a call for
> out-of-the-box ssl support in zope.

That would be nice, or at least some authentication method that is more secure. However, I'm not sure what, if any, secure-ish authentication method popular browsers support. It's not hard to use Zope through Apache with SSL support for those that are running Apache, but I know not everyone is doing that.

___
Ron Bickers
Logic Etc, Inc.
[EMAIL PROTECTED]

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] passwords TTW - security hole?
On Mon, Dec 18, 2000 at 04:02:45PM +, Bill Welch wrote:
> AFAIK, inputs of type password are sent to the server as plain text. In
> Login Manager, for example, that would mean that passwords are exposed
> every time someone logs in. In User Folder, the passwords would be exposed
> whenever they're changed.

You are right, of course. But also note that authentication will send the password in the almost-clear. It is only Base64 encoded. Most Unixes come with a base64 decoder installed by default; Python has a handy base64 module too. Hell, I can decipher base64 encoded text by hand if I have to. This is a common problem with any website.

> If my interpretation is correct, then it seems to me to be a call for
> out-of-the-box ssl support in zope.

There is an SSL product available for Zope, search Zope.org. Adding SSL to the standard Zope distro has been considered, but kept off for several reasons, all of which I didn't personally partake in. You could always start a Fishbowl proposal of course, and see if you can get it past Brian Lloyd, the Zope product manager. :)

--
Martijn Pieters | Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
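Both replies above make the same point: with HTTP Basic Authentication the browser re-sends the credentials on every request after the 401 challenge, and the "encoding" is only Base64, which anyone on the path can reverse. The following script is an added illustration, not code from the thread or from Zope itself. It feeds a constructed stream of header-only HTTP/1.0 requests (the host name zope.example.test, the paths and the two accounts are made up) through a small parser that pulls the Authorization header out of each request and decodes it, then tallies what a passive observer on an unencrypted link would have collected. The function names parse_basic_credentials, credentials_per_request and harvest_credentials are this example's own.

```python
import base64
import binascii

# Constructed sample (not a real capture): four consecutive HTTP/1.0 requests
# as a browser sends them to Zope. The first is anonymous; once the browser has
# answered the 401 challenge it attaches the same Authorization header to every
# later request, images included. The tokens are Basic-encoded "admin:secret"
# and "bob:pa:ss" (the second shows a password that itself contains ':').
SAMPLE_STREAM = (
    b"GET /index_html HTTP/1.0\r\n"
    b"Host: zope.example.test\r\n"
    b"\r\n"
    b"GET /manage_main HTTP/1.0\r\n"
    b"Host: zope.example.test\r\n"
    b"Authorization: Basic YWRtaW46c2VjcmV0\r\n"
    b"\r\n"
    b"GET /logo.gif HTTP/1.0\r\n"
    b"Host: zope.example.test\r\n"
    b"Authorization: Basic YWRtaW46c2VjcmV0\r\n"
    b"\r\n"
    b"GET /manage_main HTTP/1.0\r\n"
    b"Host: zope.example.test\r\n"
    b"Authorization: Basic Ym9iOnBhOnNz\r\n"
    b"\r\n"
)


def parse_basic_credentials(header_value):
    """Decode a Basic 'Authorization' header value into (username, password).

    Returns None for any other scheme or for a malformed token. Only the
    first ':' separates user from password, so passwords may contain ':'.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def credentials_per_request(stream):
    """Return [(request_line, creds_or_None)] for each request in a raw byte
    stream of header-only HTTP requests separated by blank lines."""
    results = []
    for chunk in stream.split(b"\r\n\r\n"):
        if not chunk.strip():
            continue
        lines = chunk.decode("latin-1").split("\r\n")
        creds = None
        for header in lines[1:]:
            name, _, value = header.partition(":")
            if name.strip().lower() == "authorization":
                creds = parse_basic_credentials(value)
        results.append((lines[0], creds))
    return results


def harvest_credentials(stream):
    """What a passive observer on an unencrypted link ends up with: each
    distinct (username, password) pair and how many requests carried it."""
    seen = {}
    for _, creds in credentials_per_request(stream):
        if creds is not None:
            seen[creds] = seen.get(creds, 0) + 1
    return seen


if __name__ == "__main__":
    for request_line, creds in credentials_per_request(SAMPLE_STREAM):
        print(f"{request_line:28} -> {creds}")
    print(harvest_credentials(SAMPLE_STREAM))
```

Run stand-alone, the script lists every request with the plaintext credentials it carried and then the tally; the image fetch exposes the admin password just as the management screen does, which is the "every image and file you request" point from the first reply. Putting Apache with SSL in front of Zope, as the thread suggests, does not change the header at all; it only keeps this stream off the wire in readable form.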