On Wed, 19 Apr 2000, Joachim Werner wrote:
Having "native" SSL support in Zope surely would be a GOOD THING (tm). It just doesn't seem to be a very popular idea. I remember some previous threads about it on this list ...
But SSL wouldn't help with the password issue! Getting into an SSL-secured page by guessing the password isn't any harder than without SSL. The only advantage is that the password cannot be "sniffed", only guessed.
IMO that's a significant advantage for the paranoid -- if you're across the country in a hotel room editing your Zope site, and some script kiddie is running a sniffer on that hotel's network, well, the kiddie just got your password. If you were editing your site by using SSH to a straight-HTML server, the kiddie wouldn't get your password. If you were editing a Zope page that's running inside SSL, the kiddie wouldn't get your password. With a brute-force attack, your logs would at least show that someone was trying to crack a privileged account. If some script kiddie attacks your Zope site with a password gotten through a sniffer, you see one login, that's it, and your homepage now says, "I 4M 3733T, PH34R M3." But then again, this is why to back up Data.fs.

srl
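The contrast drawn in this message, as an added example that is not part of the original post: a log check that flags repeated failed logins but sees nothing unusual in a single successful login made with a captured password. The log lines are constructed, and the Common Log Format layout, the `summarize` function and its threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (assumed layout, not real Zope logs).
SAMPLE_LOG = """\
192.0.2.10 - admin [19/Apr/2000:09:58:12 -0400] "GET /manage HTTP/1.0" 200 5120
203.0.113.7 - admin [19/Apr/2000:10:00:01 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - admin [19/Apr/2000:10:00:02 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - admin [19/Apr/2000:10:00:03 -0400] "GET /manage HTTP/1.0" 401 0
203.0.113.7 - admin [19/Apr/2000:10:00:04 -0400] "GET /manage HTTP/1.0" 401 0
198.51.100.23 - admin [19/Apr/2000:10:30:45 -0400] "GET /manage HTTP/1.0" 200 5120
"""

# client address, identd field, authenticated user, timestamp, request, status, bytes
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) \S+')


def summarize(log_text, threshold=3):
    """Return (alerts, quiet_logins).

    alerts: (address, user) pairs with at least `threshold` 401 responses.
    quiet_logins: (address, user) pairs that logged in successfully with no
    failed attempt at all, which is what a replayed sniffed password looks like.
    """
    failures = Counter()
    successes = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        addr, user, status = m.group(1), m.group(2), int(m.group(3))
        if user == "-":
            continue  # anonymous request, no credentials involved
        if status == 401:
            failures[(addr, user)] += 1
        elif 200 <= status < 300:
            successes.add((addr, user))
    alerts = sorted(k for k, n in failures.items() if n >= threshold)
    quiet = sorted(s for s in successes if failures[s] == 0)
    return alerts, quiet


if __name__ == "__main__":
    alerts, quiet = summarize(SAMPLE_LOG)
    print("repeated failures:", alerts)
    print("clean logins (owner and replayed password look the same):", quiet)
```

On the sample, only the guessing address is flagged; the owner's login and the login from the second address are indistinguishable apart from the source address.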