[Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Wed Feb 15 04:40:45 EST 2006


Chris, back to throwing personal insults, eh? I'll refrain from going
down that line as it's tedious and unprofessional. You've obviously
not listened to the advice of your fellow peers on that front.
Everyone can take on a little advice and I've remarked previously that
I was wrong in my initial approach with this post which has now blown
out of all proportion and is to be honest a bit of a joke.

Security is hard and I'm getting my head round it. I'm also newish to
Zope and Plone and feel I've progressed pretty well in about 6 months
considering I do a full-time job too. It is a steep learning curve and
the more people that persevere with it the better.

Whilst I find the Zope and Plone lists generally fantastic (they're
the best user-based lists I have experienced), they're not helped by
the attitude displayed by you, Chris, and your inability to refrain
from 'gratuitous insults'. That's just going to turn people away and
harm the cause of Zope.

To answer some of your points:


> I hope you're making sure the "secure" bit is set on those cookies ;-)

I take it this is a joke. Plone uses cookie authentication by default.
You can't log in without that. There are security risks there, but
good user education with a strong password policy, no use of 'save
password' facilities and SSL is a start at least.

> Considering you can't even quote a response correctly, I somehow doubt
> that..

Oh come on.

> Fine, don't take our advice, but don't expect help either.

What, because I don't take all your advice? That's a bit elitist and
also not good for growing the user base of Zope.


> Sheesh, sorry, but I've come to the conclusion you're just trolling and
> so won't be wasting my time with any more of your posts...

Well you're wrong on that one as well. You're probably just not suited
to helping out newer users. I wouldn't suggest customer service as a
second career..:-)

And to finish on my problem with IE over SSL, I'll be implementing the
help found here. It's recognised that there are problems and bugs in
IE over SSL:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

"The first reason is that the SSL implementation in some MSIE versions
has some subtle bugs related to the HTTP keep-alive facility and the
SSL close notify alerts on socket connection close. Additionally the
interaction between SSL and HTTP/1.1 features are problematic in some
MSIE versions. You can work around these problems by forcing Apache
not to use HTTP/1.1, keep-alive connections or send the SSL close
notify messages to MSIE clients. This can be done by using the
following directive in your SSL-aware virtual host section

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

Further, some MSIE versions have problems with particular ciphers.
Unfortunately, it is not possible to implement a MSIE-specific
workaround for this, because the ciphers are needed as early as the
SSL handshake phase. So a MSIE-specific SetEnvIf won't solve these
problems. Instead, you will have to make more drastic adjustments to
the global parameters. Before you decide to do this, make sure your
clients really have problems. If not, do not make these changes - they
will affect all your clients, MSIE or otherwise."

On 2/14/06, Chris Withers <chris at simplistix.co.uk> wrote:
> Alexander Limi wrote:
> > On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen
> > <dario at ita.chalmers.se> wrote:
> >
> >> *HOWEVER*, IIRC, plone, especially on windows (if installed with the
> >> windows installer) uses a trick, which is not documented at all, as
> >> far as I know, uses a Site Access rule.
> >
> > http://plone.org/documentation/faq/multiple-sites-installers
> >
> > What part is not documented at all? :)
>
> *sigh*
>
> If it uses an Access Rule, it's likely still a dirty trick that will
> confuse retards like Michael, I'd suggest removing it...
>
> Chris
>
> --
> Simplistix - Content Management, Zope & Python Consulting
>             - http://www.simplistix.co.uk
>
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://mail.zope.org/mailman/listinfo/zope-announce
>  http://mail.zope.org/mailman/listinfo/zope-dev )
>


--
Michael
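A defender-side check for the "secure bit" point raised above, added here as an illustration and not code from this thread or from Plone: it parses Set-Cookie header values and flags cookies that lack the Secure attribute (and, going one step beyond the thread, the HttpOnly attribute). The sample headers and the cookie name in them are constructed.

```python
# Added example: audit Set-Cookie headers for the Secure (and HttpOnly)
# attributes. Not from the thread or from Plone; sample headers are constructed.


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, attribute dict).

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE'
    all match; flag attributes that carry no value map to ''.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(headers, served_over_tls=True):
    """Return [(cookie_name, [problem, ...]), ...] for cookies that lack
    hardening attributes. Cookies with no findings are omitted."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        problems = []
        if served_over_tls and "secure" not in attrs:
            # Without Secure the browser also sends the cookie on plain-HTTP
            # requests to the same host, so a login cookie set over SSL can
            # still travel in the clear.
            problems.append("missing Secure")
        if "httponly" not in attrs:
            # Without HttpOnly the cookie is readable by page scripts.
            problems.append("missing HttpOnly")
        if problems:
            findings.append((name, problems))
    return findings


# Constructed sample: an unhardened login cookie next to a hardened one.
SAMPLE_HEADERS = [
    '__ac="c2FtcGxl"; Path=/',
    'session=abc123; Path=/; Secure; HttpOnly',
]

if __name__ == "__main__":
    for cookie_name, cookie_problems in audit_cookies(SAMPLE_HEADERS):
        print(f"{cookie_name}: {', '.join(cookie_problems)}")
```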