[Zope] Zope/Plone logon security strategy etc

michael nt milne michael.milne at gmail.com
Wed Jan 25 13:55:30 EST 2006


Hi

Yeah I know the security aspects are good once you are in, however
when you log in it's possible for someone to grab your logon name and
pass as it goes over the internet, as there's no encryption at all.
Then obviously log in themselves and compromise your sites.

Just slightly concerned about this as I plan to have a few sites
set-up on one server, with client logins and have to advise on
security. I know that Apache SSL can help but it's a tricky extra step
and I only need to secure the login areas at the moment, not encrypt a
whole site.

Thanks

Michael

On 1/25/06, Jens Vagelpohl <jens at dataflake.org> wrote:
>
> On 25 Jan 2006, at 17:17, michael nt milne wrote:
>
> > Just a quick question about Zope/Plone logins and security etc. When I
> > go to www.domain.com:8080/manage I get a login box which seems to
> > function in exactly the same way as the www.domain.com:8080/login_form
> > page.
> >
> > My question is, what was the rationale for implementing this logon
> > strategy in Zope as it obviously acts as authentication and
> > authorisation but falls down on confidentiality and data integrity?
> > Also would there be any plans at all in the future to make this logon
> > process authenticate, be confidential and have integrity? I know that
> > you can do it in Apache etc but for most people that's probably quite
> > a big step. Most people probably reckon that the appearance of the
> > logon box makes their site secure. I'm only talking about the logon
> > areas here, etc.
>
> This login page is not a Zope login page, it is a Plone/CMF login
> page. It does not reflect any architectural decisions on the Zope side.
>
> jens

