[Zope] Zope security management
Karl Anderson
karl@digicool.com
20 Mar 2001 14:19:49 -0800
"Phil Harris" <phil.harris@zope.co.uk> writes:

> I agree with the fact that why bother with MD5 when SSL is available,
> however not everyone using Zope has that capability available to them.

Everybody who uses one of the free secure Apache servers has SSL
available to them; is this not the case for other servers that Zope
can run behind?

> For instance, I've recently seen a posting on slashdot.org where some people
> are questioning the pricing of SSL certificates, these people are living in
> Asia where the price of certificates equates to a few months salary.

That Slashdot discussion unsurprisingly only said half of the story.
SSL certs are free; becoming your own certificate authority and
signing your own certificates is free, and even documented by
mod_ssl. I have a personal zope site that protects BasicAuth with
SSL, and I didn't pay for any bits.

The only reason to pay for a CA to sign your cert is to have that CA
vouch that the cert is yours; Netscape accepts those certs without a
dialog box. There's probably other advantages, like insurance, as
well, I dunno. But that's what the official CAs provide; it's not
Zope's job.

This doesn't address the original problem - if you allow nonsecure
authorization to a page, eventually someone will forget to access it
via SSL and will send the password across in the clear. That's a
valid point. Personally, I'm paranoid that my browser or proxy will
send my credentials without being asked for, which IIRC they are
allowed to do; so once I send credentials to my site, I always use SSL
for other URLs. This is annoying, but wouldn't client certificates
solve this problem?
--
Karl Anderson karl@digicool.com
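
The "become your own certificate authority" route mentioned in the message above, as an added example that is not part of the original post and is not taken from the mod_ssl documentation: a shell function that creates a private CA, issues a server certificate signed by it, and a check that the certificate chains to that CA. The hostname, subject names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: private CA plus one CA-signed server certificate.
# Hostname, subject names and file names are constructed for illustration.

make_ca_and_cert() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1

    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

    # 1. CA key and self-signed CA certificate (the trust anchor).
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1

    # 2. Server key and certificate signing request.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" \
        2>/dev/null || return 1

    # 3. Sign the request with the CA; clients match the host against the SAN.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null || return 1

    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Succeeds only if server.crt in cert_dir ($2) chains to ca.crt in ca_dir ($1).
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2/server.crt" >/dev/null 2>&1
}
```

Browsers accept the server certificate without a warning only after `ca.crt` has been imported as a trusted authority on each client; `ca.key` should stay off the web server.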