Ragnar Beer wrote:
snip
Of course it would not help against a prying administrator. It's plain simple to sniff the passwords from HTTP traffic.
Regards, Frank
And that's why you shouldn't allow access to the management interface via HTTP. (I just wonder why there is a *separate* ZServer with SSL capabilities and why SSL isn't simply integrated into the standard ZServer. Does anybody know?) I simply 'Deny from all' all accesses to any URL containing 'manage' on port 80 so that no one accidentally sends a password in cleartext.
Perhaps a more user-friendly solution would be to redirect/rewrite/... :80/manage to :443/manage. I don't know by heart how to do this in Apache, but if I find it I'll post it to the list.
Ragnar
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
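The two port-80 policies discussed in this thread, written out as an added Apache configuration example that does not come from any of the posters. It assumes Apache with mod_rewrite answers on port 80 in front of Zope and that an HTTPS listener for the same site already exists; www.example.org is a placeholder hostname.

```apache
# Constructed example: port-80 virtual host only.
<VirtualHost *:80>
    ServerName www.example.org

    RewriteEngine On

    # Option A (the deny approach from the thread): answer 403 Forbidden
    # to any cleartext request whose path contains "manage".
    # Uncomment this rule and remove Option B to use it.
    # RewriteRule "manage" "-" [F]

    # Option B (the redirect suggested in the reply): send the same
    # requests to the HTTPS listener. The path is kept as captured and
    # the query string is carried over automatically.
    RewriteRule "^/(.*manage.*)$" "https://www.example.org/$1" [R=301,L,NE]

    # Rules for everything else on port 80 go below this line.
</VirtualHost>
```

Either rule answers before Zope can issue an authentication challenge, so a browser is never prompted for a password on port 80. A client that sends credentials unprompted with its first request has still put them on the wire before the 403 or 301 comes back.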