Zope/Plone logon security strategy etc
Just a quick question about Zope/Plone logins and security etc. When I go to www.domain.com:8080/manage I get a login box which seems to function in exactly the same way as the www.domain.com:8080/login_form page.

My question is, what was the rationale for implementing this logon strategy in Zope, as it obviously acts as authentication and authorisation but falls down on confidentiality and data integrity? Also would there be any plans at all in the future to make this logon process authenticate, be confidential and have integrity? I know that you can do it in Apache etc but for most people that's probably quite a big step. Most people probably reckon that the appearance of the logon box makes their site secure. I'm only talking about the logon areas here, etc.

Thanks
Michael
michael nt milne wrote:
Just a quick question about Zope/Plone logins and security etc. When I go to www.domain.com:8080/manage I get a login box which seems to function in exactly the same way as the www.domain.com:8080/login_form page.
My question is, what was the rationale for implementing this logon strategy in Zope, as it obviously acts as authentication and authorisation but falls down on confidentiality and data integrity? Also would there be any plans at all in the future to make this logon process authenticate, be confidential and have integrity? I know that you can do it in Apache etc but for most people that's probably quite a big step. Most people probably reckon that the appearance of the logon box makes their site secure. I'm only talking about the logon areas here, etc.
I wonder what you mean. Could you outline how you believe it should work? What are your concerns about security exactly?

With Zope you have security down to individual object attributes. Each time you access an attribute and don't have sufficient rights, you are presented with some way to log in (the exact appearance however depends on the userfolder you use).

So how do you think it should work instead, and what are the improvements you see as well as the drawbacks?

Regards
Tino Wildenhain
On 25 Jan 2006, at 17:17, michael nt milne wrote:
Just a quick question about Zope/Plone logins and security etc. When I go to www.domain.com:8080/manage I get a login box which seems to function in exactly the same way as the www.domain.com:8080/login_form page.
My question is, what was the rationale for implementing this logon strategy in Zope, as it obviously acts as authentication and authorisation but falls down on confidentiality and data integrity? Also would there be any plans at all in the future to make this logon process authenticate, be confidential and have integrity? I know that you can do it in Apache etc but for most people that's probably quite a big step. Most people probably reckon that the appearance of the logon box makes their site secure. I'm only talking about the logon areas here, etc.
This login page is not a Zope login page, it is a Plone/CMF login page. It does not reflect any architectural decisions on the Zope side.

jens
Hi

Yeah, I know the security aspects are good once you are in; however, when you log in it's possible for someone to grab your logon name and pass as it goes over the internet, as there's no encryption at all. Then obviously log in themselves and compromise your sites.

Just slightly concerned about this as I plan to have a few sites set up on one server, with client logins, and have to advise on security. I know that Apache SSL can help but it's a tricky extra step and I only need to secure the login areas at the moment, not encrypt a whole site.

Thanks
Michael

On 1/25/06, Jens Vagelpohl <jens@dataflake.org> wrote:
On 25 Jan 2006, at 17:17, michael nt milne wrote:
Just a quick question about Zope/Plone logins and security etc. When I go to www.domain.com:8080/manage I get a login box which seems to function in exactly the same way as the www.domain.com:8080/login_form page.
My question is, what was the rationale for implementing this logon strategy in Zope, as it obviously acts as authentication and authorisation but falls down on confidentiality and data integrity? Also would there be any plans at all in the future to make this logon process authenticate, be confidential and have integrity? I know that you can do it in Apache etc but for most people that's probably quite a big step. Most people probably reckon that the appearance of the logon box makes their site secure. I'm only talking about the logon areas here, etc.
This login page is not a Zope login page, it is a Plone/CMF login page. It does not reflect any architectural decisions on the Zope side.
jens
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
On 25 Jan 2006, at 18:55, michael nt milne wrote:
Hi
Yeah, I know the security aspects are good once you are in; however, when you log in it's possible for someone to grab your logon name and pass as it goes over the internet, as there's no encryption at all. Then obviously log in themselves and compromise your sites.
Just slightly concerned about this as I plan to have a few sites set up on one server, with client logins, and have to advise on security. I know that Apache SSL can help but it's a tricky extra step and I only need to secure the login areas at the moment, not encrypt a whole site.
You should read up on HTTP authentication and cookie authentication; I sense some severe knowledge gaps there...

jens
Cookie authentication can't be secure. Also I have my doubts about HTTP authentication. I'll check though. Basically you want really good encryption on any logon and password etc.

On 1/25/06, Jens Vagelpohl <jens@dataflake.org> wrote:
On 25 Jan 2006, at 18:55, michael nt milne wrote:
Hi
Yeah, I know the security aspects are good once you are in; however, when you log in it's possible for someone to grab your logon name and pass as it goes over the internet, as there's no encryption at all. Then obviously log in themselves and compromise your sites.
Just slightly concerned about this as I plan to have a few sites set up on one server, with client logins, and have to advise on security. I know that Apache SSL can help but it's a tricky extra step and I only need to secure the login areas at the moment, not encrypt a whole site.
You should read up on HTTP authentication and cookie authentication; I sense some severe knowledge gaps there...
jens
michael nt milne wrote:
Cookie authentication can't be secure. Also I have my doubts about HTTP authentication. I'll check though. Basically you want really good encryption on any logon and password etc.
You want SSL for all. There is no security if you have the "logon" encrypted in a stateless protocol, as HTTP is. Basically, with HTTP you identify yourself for every single request. So if you log in "encrypted" and, say, handle the session with a one-time key (you could write a userfolder or plugin for PAS to do that), the one-time key is still vulnerable if not sent over an encrypted channel.

So using Apache as an SSL proxy is easy and secure and does exactly what you want. There is not really "an extra step", because you set up Apache or the like anyway on a moderately to heavily used site as a frontend to Zope.

As for the security aspect, a cookie with auth credentials is equally "secure" as Basic Auth. There is really not much of a difference, just another HTTP header name.

Regards
Tino
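Tino's point, that a Basic Auth header, a credential cookie and a one-time session key all need the same protection because every HTTP request re-identifies the user, can be turned into an enforceable check at the backend. The following is an added example and is not code from Zope, Plone or anyone in this thread: a WSGI-style middleware that sits behind an Apache or Pound SSL front proxy, trusts that proxy's X-Forwarded-Proto header, refuses any request that carries credentials over plain HTTP, and redirects bare GETs for the login entry points from the thread (`/manage`, `login_form`) to HTTPS. The cookie names `__ac` (Zope's CookieCrumbler) and `_ZopeId` are assumed here, as is the X-Forwarded-Proto convention; every request environ below is constructed for the demonstration.

```python
"""Refuse to honour credentials that arrive over plain HTTP.

Added example, not Zope code. Assumes a trusted front proxy (Apache/Pound)
that terminates SSL and sets X-Forwarded-Proto. Cookie names are assumed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

# Each of these identifies the user as surely as a Basic Auth header does.
CREDENTIAL_COOKIES = {"__ac", "_ZopeId"}       # assumed names


def is_tls(environ, trusted_proxy=True):
    """True when the request came over HTTPS, directly or (if the front
    proxy is trusted) as reported in X-Forwarded-Proto."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trusted_proxy:
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        return proto == "https"
    return False


def carries_credentials(environ):
    """Basic/Digest header, base64 cookie or session token: all treated alike,
    since any one of them lets the holder act as the user."""
    if environ.get("HTTP_AUTHORIZATION"):
        return True
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return any(name in jar for name in CREDENTIAL_COOKIES)


def is_login_path(path):
    """Heuristic for the login entry points named in the thread."""
    segments = [s for s in path.split("/") if s]
    return any(s == "login_form" or s.startswith("manage") for s in segments)


def https_location(environ):
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    return urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                       environ.get("QUERY_STRING", ""), ""))


class RequireTLSForCredentials:
    """Pass HTTPS through; over HTTP, reject credential-bearing requests and
    send bare GETs for login pages to HTTPS. Other public content is served."""

    def __init__(self, app, trusted_proxy=True):
        self.app = app
        self.trusted_proxy = trusted_proxy

    def __call__(self, environ, start_response):
        if is_tls(environ, self.trusted_proxy):
            return self.app(environ, start_response)
        if carries_credentials(environ):
            # The secret is already on the wire in clear; answering as that
            # user would only confirm it works, so refuse instead of redirecting.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Credentials must be sent over HTTPS.\n"]
        if environ.get("REQUEST_METHOD") == "GET" and is_login_path(environ.get("PATH_INFO", "/")):
            start_response("301 Moved Permanently", [("Location", https_location(environ))])
            return [b""]
        return self.app(environ, start_response)


def run(app, environ):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def public_app(environ, start_response):
    """Stand-in for Zope: always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def make_environ(path, method="GET", scheme="http", **headers):
    """Constructed request environ (no real traffic involved)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": "",
               "wsgi.url_scheme": scheme, "HTTP_HOST": "www.domain.com:8080"}
    environ.update(headers)
    return environ


if __name__ == "__main__":
    guarded = RequireTLSForCredentials(public_app)
    print(run(guarded, make_environ("/manage")))                                      # 301 to https
    print(run(guarded, make_environ("/index_html", HTTP_AUTHORIZATION="Basic xyz")))  # 403 (placeholder header)
    print(run(guarded, make_environ("/manage", HTTP_X_FORWARDED_PROTO="https",
                                    HTTP_COOKIE="__ac=abc")))                         # 200 via the proxy
```

The rejection of credential-bearing HTTP requests is deliberate: a redirect would make the browser re-send the same secret, and serving the page would confirm it is valid. The middleware cannot tell whether the proxy is really the only route to port 8080; keeping the backend port closed to everything but the proxy is a firewall job, and without that, trusting X-Forwarded-Proto lets any client claim to have arrived over HTTPS.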
Yes I agree, having checked on basic HTTP authentication, I need SSL. Basic HTTP and cookie auth are insecure. I just feel that Zope should have this facility, even with a self-signed certificate, so that you could do it without Apache and have more options. The option to even just have it on for site logon would be good.

On 1/25/06, Tino Wildenhain <tino@wildenhain.de> wrote:
michael nt milne wrote:
Cookie authentication can't be secure. Also I have my doubts about HTTP authentication. I'll check though. Basically you want really good encryption on any logon and password etc.
You want SSL for all. There is no security if you have the "logon" encrypted in a stateless protocol, as HTTP is. Basically, with HTTP you identify yourself for every single request. So if you log in "encrypted" and, say, handle the session with a one-time key (you could write a userfolder or plugin for PAS to do that), the one-time key is still vulnerable if not sent over an encrypted channel. So using Apache as an SSL proxy is easy and secure and does exactly what you want. There is not really "an extra step", because you set up Apache or the like anyway on a moderately to heavily used site as a frontend to Zope.
As for the security aspect, a cookie with auth credentials is equally "secure" as Basic Auth. There is really not much of a difference, just another HTTP header name.
Regards
Tino
michael nt milne wrote:
Yes I agree, having checked on basic HTTP authentication, I need SSL. Basic HTTP and cookie auth are insecure. I just feel that Zope should have this facility, even with a self-signed certificate, so that you could do it without Apache and have more options. The option to even just have it on for site logon would be good.
Yes, you can do that. There are patches to use SSL directly with the ZServer. But usually it's by far not worth the trouble. Apache or Pound as a frontend proxy are easy to set up and ease management and load balancing.
Tino Wildenhain wrote:
michael nt milne wrote:
Yes I agree, having checked on basic HTTP authentication, I need SSL. Basic HTTP and cookie auth are insecure. I just feel that Zope should have this facility, even with a self-signed certificate, so that you could do it without Apache and have more options. The option to even just have it on for site logon would be good.
Yes, you can do that. There are patches to use SSL directly with the ZServer. But usually it's by far not worth the trouble. Apache or Pound as a frontend proxy are easy to set up and ease management and load balancing.
Tino +1

And here's a link to info re: ZopeSSL setup: http://www.zope.org/Members/Ioan/ZopeSSL

I moved to Apache (for SSL) because it's independent of Zope and it will give you SSL and the power of a world-class server when you need it. ZopeSSL worked fine (when I last tried it, like Zope 2.4x).

David
David wrote:
I moved to Apache (for SSL) because it's independent of Zope and it will give you SSL and the power of a world-class server when you need it. ZopeSSL worked fine (when I last tried it, like Zope 2.4x).
For SSL and HTTP sanitisation, I wouldn't trust anything that doesn't get the snot pounded out of it by millions of users on a daily basis. For me, that means for anything other than development on a private network, Apache sits in front of Zope. I'm not even sure I trust Squid yet ;-) Pound? ZopeSSL? Don't make me laugh ;-)

As for this whole auth discussion, it depends on what your risks are. If you're serious, client certificate auth with Apache for every single request, and plenty of user education to explain exactly what that padlock means and why you need to click on it and read it every single session you start.

I suspect in this case, a simple cookie auth scheme that uses _ZopeId as its token will be more than secure enough for your needs...

Chris - security is HARD. No really, it's hard. Seriously, stop thinking you understand it, you don't, I don't, and likely no-one else around here does either ;-)

-- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
michael nt milne wrote at 2006-1-25 18:55 +0000:
Yeah, I know the security aspects are good once you are in; however, when you log in it's possible for someone to grab your logon name and pass as it goes over the internet, as there's no encryption at all. Then obviously log in themselves and compromise your sites.
You might be interested in my "DigestAuth" product. It provides HTTP Digest Authentication for Zope.

Of course, HTTP authentication gives you less freedom than other forms of authentication (as the browser does the login). These other forms can be made safer by the use of "https".

-- Dieter
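What HTTP Digest authentication changes compared with the Basic Auth and cookie schemes discussed above is worth seeing in code. The block below is an added example, not the code of Dieter's DigestAuth product (whose internals are not on this page): a server-side verifier for RFC 2617 Digest with MD5 and qop=auth, plus the client-side computation a browser performs, so the exchange can be run end to end offline. It shows that the password itself never appears in the Authorization header, and that a captured header cannot simply be replayed because the server tracks the nonces it issued and the nonce count used with each. It does not, and cannot, protect the confidentiality or integrity of the page content, which is still the job of "https". The user table is an in-memory dict constructed here; nonces are generated with `os.urandom`.

```python
"""HTTP Digest authentication (RFC 2617, MD5, qop=auth), verified server side.

Added example, not the DigestAuth product's code. Users come from a dict
constructed here; in a real deployment store HA1 rather than passwords.
"""
import hashlib
import hmac
import os
import re
import time

# key="quoted value" or key=bare-token, comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; None if not a Digest header."""
    if not header.startswith("Digest "):
        return None
    return {k: (quoted or bare) for k, quoted, bare in _PARAM.findall(header[len("Digest "):])}


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client-side computation from RFC 2617 section 3.2.2.1 with qop=auth.
    Only hashes leave the client; the password stays local."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce):
    """The Authorization header a browser sends back after a 401 challenge."""
    response = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{response}"')


class DigestVerifier:
    def __init__(self, realm, users, nonce_ttl=300):
        self.realm = realm
        self.users = dict(users)   # username -> password
        self.nonce_ttl = nonce_ttl
        self._issued = {}          # nonce -> time it was handed out
        self._last_nc = {}         # nonce -> highest nonce-count accepted so far

    def challenge(self):
        """WWW-Authenticate value for the 401 reply."""
        nonce = os.urandom(16).hex()
        self._issued[nonce] = time.time()
        return f'Digest realm="{self.realm}", qop="auth", algorithm=MD5, nonce="{nonce}"'

    def verify(self, authorization, method, request_uri):
        """True only for a fresh, correctly computed response for this request."""
        p = parse_digest(authorization or "")
        needed = {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}
        if p is None or not needed <= set(p):
            return False
        if p["realm"] != self.realm or p["qop"] != "auth" or p["uri"] != request_uri:
            return False                      # wrong realm, unsupported qop, or URI does not match the request
        issued = self._issued.get(p["nonce"])
        if issued is None or time.time() - issued > self.nonce_ttl:
            return False                      # nonce we never issued, or expired
        try:
            nc = int(p["nc"], 16)
        except ValueError:
            return False
        if nc <= self._last_nc.get(p["nonce"], 0):
            return False                      # replayed header: nonce-count did not advance
        password = self.users.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], p["nonce"], p["nc"], p["cnonce"])
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self._last_nc[p["nonce"]] = nc
        return True


if __name__ == "__main__":
    server = DigestVerifier("Zope", {"michael": "correct horse"})   # constructed user
    nonce = parse_digest(server.challenge())["nonce"]
    header = build_authorization("michael", "Zope", "correct horse", "GET", "/manage", nonce, "00000001", "0a1b2c")
    print(header)                                                    # no password in it
    print(server.verify(header, "GET", "/manage"))                   # True
    print(server.verify(header, "GET", "/manage"))                   # False: replay of the same header
```

The nonce bookkeeping is what separates this from Basic Auth in practice: with Basic, every request carries the reusable secret, so anyone who reads one request has it; with Digest, a read header is bound to one nonce, one nonce count and one URI. What Digest shares with Basic is that the browser owns the login dialog (Dieter's "less freedom"), that the realm and user table must match on both sides, and that nothing here encrypts the request or response bodies.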
Hi Dieter

I've installed DigestAuth. Just wondering if there are any set-up instructions at all?

Thanks
Michael

On 1/26/06, Dieter Maurer <dieter@handshake.de> wrote:
michael nt milne wrote at 2006-1-25 18:55 +0000:
Yeah, I know the security aspects are good once you are in; however, when you log in it's possible for someone to grab your logon name and pass as it goes over the internet, as there's no encryption at all. Then obviously log in themselves and compromise your sites.
You might be interested in my "DigestAuth" product. It provides HTTP Digest Authentication for Zope.
Of course, HTTP authentication gives you less freedom than other forms of authentication (as the browser does the login). These other forms can be made safer by the use of "https".
-- Dieter
-- Michael
PS I won't be using this with SSL obviously. Good to use it to secure login areas where the other content doesn't require SSL.

On 2/15/06, michael nt milne <michael.milne@gmail.com> wrote:
Hi Dieter
I've installed DigestAuth. Just wondering if there are any set-up instructions at all?
Thanks
Michael
On 1/26/06, Dieter Maurer <dieter@handshake.de> wrote:
michael nt milne wrote at 2006-1-25 18:55 +0000:
Yeah, I know the security aspects are good once you are in; however, when you log in it's possible for someone to grab your logon name and pass as it goes over the internet, as there's no encryption at all. Then obviously log in themselves and compromise your sites.
You might be interested in my "DigestAuth" product. It provides HTTP Digest Authentication for Zope.
Of course, HTTP authentication gives you less freedom than other forms of authentication (as the browser does the login). These other forms can be made safer by the use of "https".
-- Dieter
-- Michael
-- Michael
participants (6)
- Chris Withers
- David
- Dieter Maurer
- Jens Vagelpohl
- michael nt milne
- Tino Wildenhain