Oliver Bleutgen wrote:
One thing that bothers me is that I cannot reliably (as in "in a generic way which always works") prevent users from sending their authentication unencrypted.
Well it's true you can't prevent users from compromising their credentials, but you can prevent users from coming in the wrong door, as it were. I'm not clear on which one you really hope to accomplish, though from your proposed modifications it looks like the latter. Preventing users from compromising their creds can only be effectively done through education. For example, even if you used client certificates (which, afaik, are only used once an encrypted channel has been established) instead of basic auth, there's nothing to stop a user from giving their cert and any requisite ancillary usage information (like the passphrase to decrypt it) to somebody else.
The only ideas I have to tackle this without modifying zope itself are
- customize all pages which need authentication to check for "https://" in one of the relevant REQUEST attributes and do a redirect if not.
- use apache with some magic to trigger redirection if it encounters authentication headers in the request.
- use apache with some rewrite magic to trigger redirection when a substring like "manage" is found in the request.
These alternatives are neither elegant, nor really secure.
I would agree the first two aren't sane; the third however is as good and as secure as you're going to get. Techniques for accomplishing it have been discussed on the zope list before and are undoubtedly in the archives. The mods you've posted with respect to guarding the WWW-Authenticate header aren't likely to work, and certainly wouldn't be flexible enough to allow, for example, mandating SSL usage for all /manage* requests while allowing clear-text basic auth for other restricted areas. Apache rewrite rules OTOH are flexible enough to allow this. I'm unclear as to why you consider it to be insecure; care to elaborate?

--
Jamie Heilman http://audible.transient.net/~jamie/
"Most people wouldn't know music if it came up and bit them on the ass." -Frank Zappa
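The Apache rewrite approach the reply recommends, as an added example that is not from the original thread: it redirects any clear-text request for a Zope management path (or any clear-text request that already carries an Authorization header, Oliver's second idea) to the same URL over https, leaving other restricted areas untouched. It assumes Apache 2 with mod_ssl and mod_rewrite fronting Zope, and that the same hostname answers on port 443.

```apache
# Added example (not the original poster's configuration).
# Placed in the plain-HTTP virtual host, before any ProxyPass/RewriteRule that
# hands requests on to Zope, so the check runs first.
RewriteEngine On

# Only act on connections that are not TLS-protected (needs mod_ssl for %{HTTPS}).
RewriteCond %{HTTPS} off

# Trigger when the path contains "manage" (Zope management screens), e.g.
# /manage, /Folder/manage_main ...
RewriteCond %{REQUEST_URI} manage [NC,OR]
# ... or when the client is already sending credentials in the clear.
RewriteCond %{HTTP:Authorization} !^$

# Redirect to the identical URL over https; the query string is carried along
# automatically because the substitution contains no "?".
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
```

A redirect cannot recall an Authorization header the client has already sent on the clear-text request; the value of the rule is that the WWW-Authenticate challenge for management screens is only ever issued over TLS, so a browser never caches management credentials for the plain-http origin in the first place.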