Is there a way to run all the /manage pages behind SSL, so they're less prone to password sniffing? Or to rename /manage to something a little more obscure? It just seems to me that the /manage URLs are just waiting to be exploited by some cracker.
There are a couple of different things that could make Zope a bit more secure.

- Be able to disable the superuser account (or rename or erase it)
- Change the port on which /manage runs (Web Admin does this very nicely)
- Be able to lock it down by IP address (only certain IP addresses can access /manage)
- SSL
- Force strong passwords (10 chars, at least 1 number, 1 cap, 1 symbol, no words)

I know all of this is way on the back burner, but it is something to consider. There also might be easy "Zopish" ways to do all of this.

J
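As an added illustration of two items on the list above (the IP/SSL lockdown of /manage and the strong-password rule), here is a small Python policy module; it is example code, not Zope's own or either poster's, and it assumes a constructed placeholder wordlist and that the caller supplies the request path, client address and URL scheme (for example from a WSGI environ).

```python
import ipaddress
import string

# Constructed placeholder wordlist; a real deployment would load a dictionary file.
COMMON_WORDS = {"password", "admin", "zope", "manage", "secret", "welcome"}


def password_policy_violations(password, wordlist=COMMON_WORDS):
    """Return the rules from the reply that the password fails (empty list = OK).

    Rules: at least 10 chars, 1 digit, 1 capital, 1 symbol, no dictionary word.
    """
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    if any(word in lowered for word in wordlist):
        problems.append("contains a dictionary word")
    return problems


def manage_request_allowed(path, remote_addr, scheme, allowed_networks):
    """Gate Zope management URLs: only over https and only from allow-listed networks.

    A management URL is any path with a segment named 'manage' or 'manage_*'
    (e.g. /site/manage_main). Other paths are left alone. Returns (allowed, reason).
    remote_addr must be the real client address; behind a reverse proxy it has to
    come from a trusted forwarded header, not REMOTE_ADDR.
    """
    segments = [s for s in path.split("/") if s]
    if not any(s == "manage" or s.startswith("manage_") for s in segments):
        return True, "not a management URL"
    if scheme != "https":
        return False, "management UI requires SSL"
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable client address"
    if not any(addr in ipaddress.ip_network(n) for n in allowed_networks):
        return False, "client address not on the allow list"
    return True, "ok"
```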