-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Bill Welch
Sent: Monday, December 18, 2000 11:03 AM
To: zope@zope.org
Subject: [Zope] passwords TTW - security hole?
> AFAIK, inputs of type password are sent to the server as plain text. In Login Manager, for example, that would mean that passwords are exposed every time someone logs in. In User Folder, the passwords would be exposed whenever they're changed.
It's even worse than every time someone logs in. With HTTP Basic Authentication, the username and password are sent with every Web request. This means that after authentication, for each and every page you visit and every image and file you request, your username and password are sent.
> If my interpretation is correct, then it seems to me to be a call for out-of-the-box ssl support in zope.
That would be nice, or at least some authentication method that is more secure. However, I'm not sure what, if any, secure-ish authentication method popular browsers support. It's not hard to use Zope through Apache with SSL support for those that are running Apache, but I know not everyone is doing that.

_______________________
Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
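As an added example (not part of the original thread or of Zope itself), the following Python script decodes constructed sample traffic to show concretely what the two messages above describe: a login form POST carries the password-type field as ordinary URL-encoded text, and an HTTP Basic Authorization header, which the browser repeats on every subsequent request for a page, image or file, is only base64 and can be reversed by anyone who sees the request. The hostname, paths, credentials and form field names are made up for the example.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample traffic (not a real capture): three requests from one
# browser session after authentication. With HTTP Basic Auth the browser
# attaches the same Authorization header to the page, the image and the file.
CAPTURED_REQUESTS = [
    "GET /index.html HTTP/1.0\r\nHost: zope.example.com\r\n"
    "Authorization: Basic YWRtaW46czNjcjN0\r\n\r\n",
    "GET /images/logo.gif HTTP/1.0\r\nHost: zope.example.com\r\n"
    "Authorization: Basic YWRtaW46czNjcjN0\r\n\r\n",
    "GET /docs/manual.pdf HTTP/1.0\r\nHost: zope.example.com\r\n"
    "Authorization: Basic YWRtaW46czNjcjN0\r\n\r\n",
]

# Constructed sample login form submission. An <input type="password"> field
# is sent by the browser exactly like any other form field.
CAPTURED_LOGIN_POST = (
    "POST /login HTTP/1.0\r\nHost: zope.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n\r\n"
    "username=admin&password=s3cr3t"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_credentials(headers):
    """Return (username, password) from a Basic Authorization header, or None.

    Basic auth is base64 encoding, not encryption: the header is reversed
    here with nothing but the standard library.
    """
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    decoded = base64.b64decode(token).decode("utf-8", errors="replace")
    user, _, password = decoded.partition(":")
    return user, password


def credentials_per_request(requests):
    """List (path, username, password) for every request carrying Basic auth.

    Over a captured session this shows the same credentials repeated on each
    page, image and file fetch, not just at login time.
    """
    found = []
    for raw in requests:
        request_line, headers, _ = parse_request(raw)
        path = request_line.split(" ")[1]
        creds = basic_credentials(headers)
        if creds:
            found.append((path,) + creds)
    return found


def form_password_fields(raw, field_names=("password",)):
    """Pull the named password fields out of a URL-encoded form POST body."""
    _, headers, body = parse_request(raw)
    content_type = headers.get("content-type", "").split(";")[0].strip()
    if content_type != "application/x-www-form-urlencoded":
        return {}
    fields = parse_qs(body)
    return {name: fields[name][0] for name in field_names if name in fields}


if __name__ == "__main__":
    print("Login form POST exposes:", form_password_fields(CAPTURED_LOGIN_POST))
    for path, user, password in credentials_per_request(CAPTURED_REQUESTS):
        print(f"{path}: user={user!r} password={password!r}")
```

Run as-is, the script prints the password from the form POST once and then the same username and password three times, once per request. Nothing in the script breaks any protection; it only decodes what the browser already puts on the wire, which is why the thread's conclusion is that the transport (SSL in front of Zope) has to carry the secrecy.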