[Zope-dev] How (in)secure is Zope?

Adrian van den Dries adriand@flow.com.au
Fri, 14 Mar 2003 09:19:55 +1100


On March 13, Lennart Regebro wrote:
> 2. Protecting yourself from packet snooping:
> Zope doesn't have any encryption built-in, SSL needs external software 
> to implement fro example.
> 
> In this sense Zope can be MADE secure with some work, but is not secure 
> at all out of the box.

Speaking of which, does anyone have any strategies for doing a
combination HTTP/HTTP-S setup, ie, where anonymous requests are HTTP,
and all authenticated requests are encrypted?

Specifically, Zope has no way of knowing beforehand that access to a
resource will throw an Unauthorized error, and when it does, it just
sends a WWW-Authenticate header, and the browser retries the request
with the supplied header.  We want to enforce that passwords are never
solicited without SSL.

One way is probably to use CookieCrumbler and hack it to rewrite
came_from so s/^http/https/.  Is there a way that doesn't require
hacking?

a.

-- 
 Adrian van den Dries                           adriand@flow.com.au
 Development team                               www.dev.flow.com.au
 FLOW Communications Pty. Ltd.                  www.flow.com.au