On Wed, 6 Jun 2001, Ragnar Beer wrote:
And that's why you shouldn't allow access to the management interface via HTTP. (I just wonder why there is a *separate* ZServer with SSL
This is not of much help. A prying admin who already has access to the filesystem will just hack Zope and get passwords mailed to him, SSL or no SSL - right from Zope.
Oleg.
Absolutely right. I wasn't referring to sniffing admins here but to sending plaintext passwords over HTTP in general.
This has nothing to do with encrypting passwords in ZODB. You want - and I completely agree - that we need encrypted browser<=>server sessions... well there is Apache+SSL.

Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.