On Mon, Dec 18, 2000 at 04:02:45PM +0000, Bill Welch wrote:
> AFAIK, inputs of type password are sent to the server as plain text. In Login Manager, for example, that would mean that passwords are exposed every time someone logs in. In User Folder, the passwords would be exposed whenever they're changed.
You are right, of course. But also note that authentication will send the password in the almost-clear. It is only Base64 encoded. Most Unixes come with a base64 decoder installed by default; Python has a handy base64 module too. Hell, I can decipher base64 encoded text by hand if I have to. This is a common problem with any website.
> If my interpretation is correct, then it seems to me to be a call for out-of-the-box ssl support in zope.
There is an SSL product available for Zope, search Zope.org. Adding SSL to the standard Zope distro has been considered, but kept off for several reasons, all of which I didn't personally partake in. You could always start a Fishbowl proposal of course, and see if you can get it past Brian Lloyd, the Zope product manager. :)

--
Martijn Pieters
| Software Engineer            mailto:mj@digicool.com
| Digital Creations            http://www.digicool.com/
| Creators of Zope             http://www.zope.org/
---------------------------------------------
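The point made in the reply above, as an added example that is not part of the original thread or of Zope's code: a short Python audit that reports which credentials in a request are readable in transit, covering both the Base64-encoded Basic authentication header and a posted password field. The request dictionary layout, the `PASSWORD_FIELDS` names and the sample requests are assumptions constructed for illustration.

```python
import base64
from urllib.parse import parse_qs

# Assumed form field names for <input type="password">; adjust to the application.
PASSWORD_FIELDS = ("password", "passwd", "pw")

def parse_basic(header):
    """Decode an 'Authorization: Basic <token>' value to (user, password), else None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None     # malformed token: not usable credentials
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def exposed_credentials(request):
    """Return (kind, name, secret) for each credential readable on the wire."""
    if request["scheme"] == "https":
        return []  # TLS encrypts headers and body in transit
    findings = []
    creds = parse_basic(request["headers"].get("Authorization", ""))
    if creds:
        findings.append(("basic-auth",) + creds)
    # Password inputs are posted as ordinary form fields, with no encoding at all.
    form = parse_qs(request["body"])
    for field in PASSWORD_FIELDS:
        findings.extend(("form-field", field, value) for value in form.get(field, []))
    return findings

# Constructed sample requests (not captured traffic).
_token = base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_REQUESTS = [
    {"scheme": "http", "headers": {"Authorization": "Basic " + _token}, "body": ""},
    {"scheme": "http", "headers": {}, "body": "username=bob&password=hunter2"},
    {"scheme": "https", "headers": {"Authorization": "Basic " + _token}, "body": ""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["scheme"], exposed_credentials(req))
```

Only the third sample, sent over HTTPS, yields no findings; the Base64 step in the first adds no confidentiality.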