[Zope] browser security

Sam Gendler sgendler@impossible.com
Tue, 04 Jan 2000 12:25:35 -0800


Timothy Wilson wrote:

> Hi everyone,
>
> Here's a quick security question. I'm using ZServer w/ Apache.
>
> Someone pointed out to me today that it's possible to access a site like
> this:
>
> http://username:password@mysite.com/
>
> and the user is logged in automatically. Apparently there are cracking
> tools available that will attempt to guess passwords using this method
> thereby gaining access to the system.
>
> Is there any easy fix for this?

Yes and no.  This is no more or less secure than standard http authentication,
which sends the username and password in clear text in the http request
headers.  It is just as easy to build a cracking tool that sends an http request
with username/password guesses in it, as it is to build a tool that tells your
browser to go to a URL with username/password in it.  If you really want secure
authentication, use SSL or digest authentication, which forces you to use Apache
and IE 5.0 until netscape supports digest auth.

--sam
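An added example, not part of the thread, illustrating Sam's point in Python: the Authorization header a browser derives from userinfo in a URL is the same Basic header a direct request would carry, it decodes back to the cleartext pair, and the only server-side trace of guessing is the run of 401 responses. The URL, the Apache-style log lines and the threshold are constructed for the demonstration.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlsplit


def basic_header_from_url(url):
    """Build the Authorization header a browser derives from userinfo in a URL."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    cred = f"{parts.username}:{parts.password or ''}".encode()
    return "Basic " + base64.b64encode(cred).decode()


def decode_basic_header(header):
    """Recover the cleartext credential pair from an Authorization: Basic header.
    Base64 is an encoding, not encryption, so this needs no key."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jan/2000:12:00:01 -0800] "GET /manage HTTP/1.0" 401 0
10.0.0.5 - - [04/Jan/2000:12:00:02 -0800] "GET /manage HTTP/1.0" 401 0
10.0.0.5 - - [04/Jan/2000:12:00:03 -0800] "GET /manage HTTP/1.0" 401 0
10.0.0.5 - - [04/Jan/2000:12:00:04 -0800] "GET /manage HTTP/1.0" 401 0
10.0.0.5 - admin [04/Jan/2000:12:00:05 -0800] "GET /manage HTTP/1.0" 200 512
192.0.2.9 - - [04/Jan/2000:12:01:00 -0800] "GET /index_html HTTP/1.0" 200 1024
"""

# client, ident, authenticated user, timestamp, request, status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')


def guessing_sources(log_text, threshold=3):
    """Return client addresses with at least `threshold` 401 responses.
    A guess placed in the URL and a guess placed in the header arrive as the
    same request, so repeated rejections per client are what the server can see."""
    rejects = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "401":
            rejects[m.group(1)] += 1
    return {ip: n for ip, n in rejects.items() if n >= threshold}
```

Over the constructed log, `guessing_sources(SAMPLE_LOG)` flags `10.0.0.5` with four rejections before its successful login; lowering or raising `threshold` tunes how many failures count as suspicious.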