[Zope] passwords TTW - security hole?

Ron Bickers rbickers@logicetc.com
Mon, 18 Dec 2000 17:53:41 -0500


> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Bill
> Welch
> Sent: Monday, December 18, 2000 11:03 AM
> To: zope@zope.org
> Subject: [Zope] passwords TTW - security hole?
>
>
> AFAIK, inputs of type password are sent to the server as plain text. In
> Login Manager, for example, that would mean that passwords are exposed
> every time someone logs in. In User Folder, the passwords would be exposed
> whenever they're changed.

It's even worse than every time someone logs in.  With HTTP Basic
Authentication, the username and password are sent with every Web request.
This means that after authentication, for each and every page you visit and
every image and file you request, your username and password are sent.

> If my interpretation is correct, then it seems to me to be a call for
> out-of-the-box ssl support in zope.

That would be nice, or at least some authentication method that is more
secure.  However, I'm not sure what, if any, secure-ish authentication
method popular browsers support.  It's not hard to use Zope through Apache
with SSL support for those that are running Apache, but I know not everyone
is doing that.

_______________________

Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com
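The point made above (Basic Authentication resends the credentials on every request, and only a TLS/SSL layer keeps them off the wire) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Zope: it decodes the `Authorization: Basic` header the way any proxy or log tool would, to show that the scheme is plain base64 rather than encryption, and then audits a small constructed request log to count how many plaintext `http://` requests carried the credentials. The request list, the user name `alice` and the password are made up for the example.

```python
import base64
from urllib.parse import urlparse


def decode_basic_authorization(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value.

    Returns None if the header is not Basic auth or is malformed. The token is
    only base64 (RFC 2617), so anyone who sees the request can recover it.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:  # RFC 2617 requires a "user:pass" pair
        return None
    return user, password


def audit_plaintext_credentials(requests):
    """Flag every request that sent Basic credentials without TLS.

    `requests` is a list of (method, url, headers) tuples. Returns a list of
    (url, username) findings, one per exposed request, so the caller can see
    that the exposure is per request, not per login.
    """
    findings = []
    for _method, url, headers in requests:
        auth = headers.get("Authorization")
        if not auth:
            continue
        creds = decode_basic_authorization(auth)
        if creds is None:
            continue
        if urlparse(url).scheme.lower() != "https":
            findings.append((url, creds[0]))
    return findings


# Constructed sample: the browser attaches the same header to the page, an
# image, a file, and a later page, all over plain http; one request uses https.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_REQUESTS = [
    ("GET", "http://zope.example/manage_main", {"Authorization": SAMPLE_HEADER}),
    ("GET", "http://zope.example/logo.gif", {"Authorization": SAMPLE_HEADER}),
    ("GET", "http://zope.example/report.pdf", {"Authorization": SAMPLE_HEADER}),
    ("GET", "http://zope.example/index_html", {"Authorization": SAMPLE_HEADER}),
    ("GET", "https://zope.example/index_html", {"Authorization": SAMPLE_HEADER}),
    ("GET", "http://zope.example/public", {}),
]


def exposure_summary(requests=SAMPLE_REQUESTS):
    """Return (number_of_exposed_requests, set_of_exposed_usernames)."""
    findings = audit_plaintext_credentials(requests)
    return len(findings), {user for _url, user in findings}


if __name__ == "__main__":
    count, users = exposure_summary()
    print(f"{count} plaintext requests carried Basic credentials for {sorted(users)}")
    for url, user in audit_plaintext_credentials(SAMPLE_REQUESTS):
        print(f"  exposed: {user} -> {url}")
```

Running it on the constructed log reports four exposed requests for a single login, which is the behaviour the message describes; the one `https://` request is not flagged, which is why fronting Zope with an SSL-enabled Apache (or any TLS terminator) is the practical mitigation the reply points to.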