[Zope] Re: Question about Zope and security

Cyrille Bonnet cyrille at 3months.com
Wed Mar 29 22:34:48 EST 2006


Hi Terry,

thanks for your comment.

> Stock Zope doesn't use cookie authentication, so you're actually talking
> about an alternate user folder product (which you don't specify and I don't
> know that many of them, so I can't really comment much -- except that
> SimpleUserFolder with CookieCrumbler will indeed put you in this situation
> (or did the last time I checked)).

I am using Plone 2.1.2, which uses CookieCrumbler. I wanted to put the 
problem in a Zope perspective, though: this is why I didn't mention that.

> 
> The fact that Zope stores passwords as plain text is not the issue if
> you're worried about man-in-the-middle attacks, though. The problem there
> is that you are passing passwords plain text in the request, and there is
> almost no way around that unless you run an SSL (HTTPS) server.  Which you
> should if you want real security.
> 

Sorry, I wasn't even aware that Zope stores the passwords in plain text. 
My primary concern (for the moment) is passwords in plain text in the 
request.

I had thought of SSL, but it doesn't solve the problem for WebDAV access.

I should also mention that the site is for the general public, with a 
few users logging in.

Of course, I can't put the public site on SSL, so I would have to have a 
separate URL for logged-in users with SSL. And I still have to worry 
about the ZMI and WebDAV access.

It seems so much simpler to solve the problem at the root: change Zope 
authentication.


> Encrypting your password database without moving your server login to
> HTTPS is only going to create inconvenience without improved security (you
> can no longer send password reminders, for example) -- it's a false sense
> of security.
> 

Ouch, so on top of my concerns, passwords are stored in plain text?? 
Thanks for pointing that out.

I'd rather encrypt passwords with a hash and reset the password if the 
users have lost it. Is it possible to do that in Zope?

Obviously, I don't understand the ins and outs of Zope as well as most 
people on this list. So, my questions really are:

* why is Zope authentication implemented that way?
* Is it really complex to secure the authentication process?
* Is there any documentation summing up Zope security (authentication 
process, password storage, etc.)?

Cheers,

Cyrille
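The trade-off discussed above (a hashed password store cannot send password reminders, so it needs a reset flow instead) as an added example. This is illustrative code written for this archive page, not Zope's or Plone's user folder implementation; `HashedUserFolder`, `PlainTextUserFolder` and the reset-token scheme are hypothetical names and designs. It uses a salted PBKDF2 hash from the standard library, a constant-time comparison for verification, and a one-time token for resets.

```python
import hashlib
import hmac
import os
import secrets


class PlainTextUserFolder:
    """Hypothetical store that keeps the password itself (the situation the
    thread describes). A reminder e-mail is possible, but anyone who reads
    the database, a backup or a debug dump learns every password."""

    def __init__(self):
        self._users = {}  # name -> password

    def add_user(self, name, password):
        self._users[name] = password

    def verify(self, name, password):
        return self._users.get(name) == password

    def password_for_reminder(self, name):
        return self._users.get(name)


class HashedUserFolder:
    """Hypothetical store that keeps only a salted PBKDF2 hash. Reminders
    are impossible by design; lost passwords are handled by a reset."""

    ITERATIONS = 100_000  # work factor; raise as hardware gets faster

    def __init__(self):
        self._users = {}         # name -> (salt, iterations, hash)
        self._reset_tokens = {}  # one-time token -> name

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, iterations)

    def add_user(self, name, password):
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
        self._users[name] = (salt, self.ITERATIONS,
                             self._derive(password, salt, self.ITERATIONS))

    def verify(self, name, password):
        rec = self._users.get(name)
        if rec is None:
            # Burn the same work for unknown names so timing does not reveal
            # which accounts exist.
            self._derive(password, b"\x00" * 16, self.ITERATIONS)
            return False
        salt, iterations, stored = rec
        return hmac.compare_digest(stored,
                                   self._derive(password, salt, iterations))

    def password_for_reminder(self, name):
        # Only the hash is stored; the original password is not recoverable.
        return None

    def issue_reset_token(self, name):
        """Return a single-use token to be delivered out of band (e-mail)."""
        if name not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = name
        return token

    def reset_with_token(self, token, new_password):
        name = self._reset_tokens.pop(token, None)  # token is consumed
        if name is None:
            return False
        self.add_user(name, new_password)
        return True


if __name__ == "__main__":
    folder = HashedUserFolder()
    folder.add_user("alice", "correct horse")  # constructed sample user
    print("login ok:", folder.verify("alice", "correct horse"))
    print("reminder possible:", folder.password_for_reminder("alice") is not None)
    token = folder.issue_reset_token("alice")
    print("reset ok:", folder.reset_with_token(token, "battery staple"))
    print("old password still works:", folder.verify("alice", "correct horse"))
```

Note that, as Terry says, hashing protects the stored database but does nothing for the credential travelling in the request; the two measures address different exposures.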


