[Zope] Major security flaw in Zope 2.3.2
Hannu Krosing
hannu@tm.ee
Thu, 07 Jun 2001 00:00:44 +0500
Jerome Alet wrote:
>
> I understand that there's the problem of existing third party products
> which may expect unencrypted passwords: just do it anyway and inform
> people. I suppose there won't be hundreds of such third party products.
>
> Just do a poll: does any reader of this list expect such bad
> behavior in his own Zope products?

AFAIK, the only bad behaviour from hashing (_not_ encrypting) the
passwords would be the impossibility to use password verification
methods that don't send cleartext passwords over the wire
(challenge-response password exchange).
But as the preferred method for avoiding password sniffing is using SSL
anyway, I don't think it is too much of a problem.
-----------------
Hannu
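
The trade-off described in the reply above, as an added example that is not part of the original message and is not Zope code: a server that keeps only a salted hash can still check a password sent to it directly, but cannot verify a challenge-response proof keyed on the password. The HMAC-SHA256 challenge-response, the PBKDF2 storage format, and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the stored hash


def store_hashed(password: str) -> dict:
    """Server-side record that holds only a salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_cleartext_login(record: dict, submitted: str) -> bool:
    """Login where the client sends the password itself (e.g. inside SSL)."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


def client_response(password: str, challenge: bytes) -> bytes:
    """Client proves knowledge of the password without sending it."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def verify_challenge_response(server_secret: bytes, challenge: bytes,
                              response: bytes) -> bool:
    """Server recomputes the proof from whatever secret it has stored."""
    expected = hmac.new(server_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "constructed-sample-password"  # constructed sample value
    record = store_hashed(password)
    challenge = os.urandom(16)
    response = client_response(password, challenge)
    return {
        # Hash-only store, password sent over the wire: works.
        "cleartext_login_with_hash_store":
            verify_cleartext_login(record, password),
        # Cleartext store, challenge-response: works.
        "cr_with_cleartext_store":
            verify_challenge_response(password.encode(), challenge, response),
        # Hash-only store, challenge-response: the server lacks the key.
        "cr_with_hash_store":
            verify_challenge_response(record["digest"], challenge, response),
    }
```

A challenge-response keyed on the stored digest instead would verify, but the digest would then be a password equivalent for anyone who reads the user database.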