Zope can be used in CGI or PCGI modes with a server that does SSL. You're right about the possibility of someone sniffing the packets to your webserver looking for user IDs and passwords if they are not encrypted. However, if this is a concern to you, it is not just a problem when the user enters the password. It is for *every hit* the user makes to the server. The current implementations of HTTP do not allow for long-lived connections, so the browser sends the user name and password with each request. (The browser makes it so that the user only needs to enter it once, though.) Kevin On Mon, Jan 25, 1999 at 09:14:38AM -0500, Robert OConnor wrote: ,----- [stuff deleted] | The security hole that I see is entering ID | and password at some remote site and after I | leave, someone could reuse my ID and password | for access because it's not encrypted between | the browser and zope server. | | I understand that SSL servers are slowed down | but only ID/Passwords need be SSL and after | that, during the session, SSL security doesn't | have to be used. | | I may not have a full understanding of this. | Please enlighten me! | | -bobo connor | | `----- -- Kevin Dangoor kid@ans.net / 734-214-7349