[Zope] Zope security management

Phil Harris phil.harris@zope.co.uk
Tue, 20 Mar 2001 15:38:31 -0000


Hi Zope newbie,

I agree with the fact that why bother with MD5 when SSL is available;
however, not everyone using Zope has that capability available to them.

For instance, I've recently seen a posting on slashdot.org where some people
are questioning the pricing of SSL certificates; these people are living in
Asia, where the price of certificates equates to a few months' salary.

Others are using hosting services which do not offer SSL as an option.

For these people MD5 is an obvious second choice, obviously not as strong,
but still an alternative.

As for myself, I use SSL.

Phil
phil.harris@zope.co.uk

----- Original Message -----
From: "The Famous Brett Watson" <famous@nutters.org>
To: <zope@zope.org>
Sent: Tuesday, March 20, 2001 2:04 PM
Subject: Re: [Zope] Zope security management


> [Say 'hi' to the Zope newbie, everyone.]
>
> I'd like to put in my 2c worth regarding the security management discussion
> with particular reference to the encryption side of things, then I have a
> small question.
>
> Whilst it would be possible to do encrypted authentication with forms and
> Javascript that does a one-way hash (like MD5) using a challenge-response
> type of protocol, I agree with the previous poster who said that this would
> not be worth it when SSL is an option.
>
> SSL can be obtained (I believe) without the overhead of Apache by using an
> SSL wrapper. There is a program available (it's in Debian, for example)
> called "sslwrap" which negotiates SSL connections and then forwards the
> unencrypted content somewhere else. If you forward to the local host, then
> the unencrypted data does not travel over the network. The main disadvantage
> here is that Zope thinks all such connections originate at the local host,
> and your server logs become somewhat less interesting for that fact.
>
> What I prefer to do personally, when remotely managing my site, is to use
> SSH tunnels. I ssh to my Zope-box, then forward port 8080 to
> 127.0.0.1:zope-port at the other end. This also has the effect that all
> connections appear to come from the local host, but I use this fact to
> advantage. First, it allows me to filter out my own administrative accesses
> from the server log with ease, leaving actual "customer page views" behind.
> Second, as an added security measure I specify "localhost" as the domain for
> my administrative account. This prevents anyone from accessing the account
> without first gaining access via ssh.
>
> My question: am I right in believing that "localhost" in the /domains/ field
> of the user form has this effect? It seems to, but all the examples show
> right-hand-parts of domains rather than hostnames.
>
> Note that giving ignorant end-users ssh access does not mean you also have
> to give them shell access. It's possible to launch them into a menu-driven
> system, and the ssh tunnels will still work. Tera Term is a good free Win32
> telnet client that has an ssh extension available for it.
>
> Regards,
> TFBW
>
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
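The two tricks in the quoted message (restricting the admin account to "localhost" so it is only reachable through the ssh tunnel, and using the resulting loopback source address to separate administrative requests from customer page views in the log) can be modelled in a few lines. The following is an added example, not code from either poster and not Zope's own AccessControl implementation: the domain-spec matching rules (exact hostname, domain suffix, dotted-quad wildcard) are an assumption based on the documented behaviour of the user form's domains field, and the log lines are constructed in the Common Log Format that Zope's access log uses.

```python
"""Model of Zope's per-user domains restriction plus log filtering of
tunnelled admin traffic.  Added example; the matching rules are an
assumption, not Zope's AccessControl code.

The tunnel the quoted message describes is an ordinary ssh local forward,
e.g.  ssh -L 8080:127.0.0.1:<zope-port> user@zope-box
so every request through it reaches Zope with REMOTE_ADDR 127.0.0.1.
"""
import re
from ipaddress import ip_address


def domain_spec_match(spec, remote_host, remote_addr):
    """Return True if one entry of a user's domains list admits this request.

    Assumed rules (simplified):
      "localhost" / "admin.example.com"  exact hostname match
      ".example.com" or "example.com"    suffix match on the hostname
      "192.168.1.*"                      wildcard match on the dotted quad
    """
    spec = spec.strip().lower()
    host = (remote_host or "").lower()
    if not spec:
        return False
    if spec == "localhost":
        # Treat a loopback source address as localhost even when the server
        # has no reverse DNS result for the request.
        try:
            if ip_address(remote_addr).is_loopback:
                return True
        except ValueError:
            pass
        return host == "localhost"
    if re.fullmatch(r"[0-9.*]+", spec):
        # IP pattern: each '*' stands for one octet.
        pattern = "^" + re.escape(spec).replace(r"\*", r"\d{1,3}") + "$"
        return re.match(pattern, remote_addr) is not None
    if spec.startswith("."):
        return host.endswith(spec)
    return host == spec or host.endswith("." + spec)


def user_may_authenticate(domains, remote_host, remote_addr):
    """An empty domains list means no restriction (the default for a user)."""
    if not domains:
        return True
    return any(domain_spec_match(d, remote_host, remote_addr) for d in domains)


# Constructed sample access-log lines (Common Log Format, as in Zope's Z2.log).
SAMPLE_LOG = """\
127.0.0.1 - admin [20/Mar/2001:15:38:31 +0000] "GET /manage_main HTTP/1.0" 200 4312
203.0.113.7 - - [20/Mar/2001:15:39:02 +0000] "GET /index_html HTTP/1.0" 200 1874
203.0.113.9 - admin [20/Mar/2001:15:40:11 +0000] "GET /manage_main HTTP/1.0" 401 312
127.0.0.1 - admin [20/Mar/2001:15:41:45 +0000] "POST /manage_addFolder HTTP/1.0" 302 0
"""

LOG_LINE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+$'
)


def split_admin_traffic(log_text):
    """Separate tunnelled (loopback) requests from everything else.

    Returns (local, remote): two lists of parsed log entries.  With the admin
    account limited to "localhost", a remote hit on /manage_* is by
    construction a failed attempt and shows up in the remote list.
    """
    local, remote = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        (local if ip_address(entry["addr"]).is_loopback else remote).append(entry)
    return local, remote


if __name__ == "__main__":
    print(user_may_authenticate(["localhost"], "", "127.0.0.1"))          # True
    print(user_may_authenticate(["localhost"], "ppp-42.example.net", "203.0.113.9"))  # False
    local, remote = split_admin_traffic(SAMPLE_LOG)
    print(len(local), "tunnelled admin requests,", len(remote), "external requests")
```

Running the module prints the two authentication decisions and the 2/2 split of the constructed log. The `domains` check is a second layer, not a substitute for the tunnel: it only inspects the address Zope sees, so anything that makes external requests appear to come from loopback (a misconfigured reverse proxy, or the sslwrap setup mentioned in the same message) would also satisfy it.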