[Zope] Question about Zope and security

Cyrille Bonnet cyrille at 3months.com
Wed Mar 29 21:43:43 EST 2006


Hi there,

I have been telling all my clients about how great Zope is for security: 
fine-grained permissions, security framework, roles, etc.

Now, one of my clients has a security expert who took a close look at 
how Zope authenticates users. The results were not good.

The main problem is that Zope stores the username and password in a 
cookie in clear text (base64 encoded).

Even though it only happens in their internal network, my client wasn't 
too happy, because it makes them vulnerable to a man-in-the-middle attack.

I know, the odds of that happening are low, but storing the username and 
password in clear text is clearly not best practice.

So, my question is: is there a way to secure Zope authentication?

I did find Dieter Maurer's DigestAuth product: 
http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth

It looks good. I have used other products from Dieter before and was very 
pleased with the quality of his code.

Now, have other people used it? Does it work with WebDAV? How secure is 
it (I am no security/encryption expert)?

Also, if it is good, why is it not part of default Zope??

Finally, a little side story: you know how in Windows XP, you can 
connect a drive to a WebDAV server? Well, if you install Service Pack 2, 
you can't use that feature to connect to Zope anymore. Interestingly 
enough, it seems that it is precisely because of that authentication 
vulnerability: Win XP SP2 refuses to connect to a WebDAV server that doesn't at 
least encode the username/password in Digest authentication...

Any comment or pointers are very welcome.


Cyrille
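An added example (not from the post, and not code from the DigestAuth product) contrasting the two schemes discussed above: decoding a base64-encoded credential cookie, and computing an RFC 2617 Digest response in which the clear-text password never crosses the wire. The cookie layout base64("user:password"), the realm "Zope", and the nonce values are assumptions; the sample cookie value is constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# Constructed sample: base64("alice:s3cret"), the cookie layout the post describes.
SAMPLE_COOKIE = "YWxpY2U6czNjcmV0"


def decode_basic_cookie(cookie_value: str) -> tuple[str, str]:
    """Recover (user, password) from a base64-encoded credential cookie.

    Assumption: the cookie holds base64("user:password"), possibly URL-quoted.
    Base64 is an encoding, not encryption: anyone who sees the cookie sees the
    password, which is why the post calls this clear text.
    """
    raw = base64.b64decode(unquote(cookie_value)).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: RFC 2617 Digest 'response' (MD5, qop=auth).

    Only this hash is sent; the password is an input to HA1, never transmitted.
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute the response from a stored HA1 and compare.

    The server needs HA1 = MD5(user:realm:password), not the clear-text password,
    and a replayed response fails if the method, URI or nonce differ.
    """
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("cookie reveals:", decode_basic_cookie(SAMPLE_COOKIE))
    resp = digest_response("alice", "Zope", "s3cret", "GET", "/manage",
                           "nonce-1", "00000001", "cnonce-1")
    print("digest on the wire:", resp, "(password absent)")
```

Digest still rests on MD5 and leaves the rest of the session unprotected, so it narrows the exposure the post describes rather than removing it; TLS for the whole connection is the stronger fix.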


