"Phil Harris" <phil.harris@zope.co.uk> writes:
I agree with the fact that why bother with MD5 when SSL is available, however not everyone using Zope has that capability available to them.
Everybody who uses one of the free secure Apache servers has SSL available to them; is this not the case for other servers that Zope can run behind?
For instance, I've recently seen a posting on slashdot.org where some people are questioning the pricing of SSL certificates, these people are living in Asia where the price of certificates equates to a few months salary.
That Slashdot discussion unsurprisingly only said half of the story. SSL certs are free; becoming your own certificate authority and signing your own certificates is free, and even documented by mod_ssl. I have a personal zope site that protects BasicAuth with SSL, and I didn't pay for any bits. The only reason to pay for a CA to sign your cert is to have that CA vouch that the cert is yours; Netscape accepts those certs without a dialog box. There's probably other advangates, like insurance, as well, I dunno. But thats what the official CAs provide; it's not Zope's job. This doesn't address the original problem - if you allow nonsecure authorization to a page, eventually someone will forget to access it via SSL and will send the password across in the clear. That's a valid point. Personally, I'm paranoid that my browser or proxy will send my credentials without being asked for, which IIRC they are allowed to do; so once I send credentials to my site, I always use SSL for other URLs. This is annoying, but wouldn't client certificates solve this problem? -- Karl Anderson karl@digicool.com