[Zope] - Secure Server

Kevin Dangoor kid@ans.net
Mon, 25 Jan 1999 09:51:47 -0500


Zope can be used in CGI or PCGI modes with a server that does SSL.
You're right about the possibility of someone sniffing the packets to
your webserver looking for user IDs and passwords if they are not
encrypted. However, if this is a concern to you, it is not just a problem when
the user enters the password. It is for *every hit* the user makes
to the server. The current implementations of HTTP do not allow for
long-lived connections, so the browser sends the user name and password
with each request. (The browser makes it so that the user only needs
to enter it once, though.)

Kevin

On Mon, Jan 25, 1999 at 09:14:38AM -0500, Robert OConnor wrote: 
,-----
[stuff deleted]
| The security hole that I see is entering ID
| and password at some remote site and after I
| leave, someone could reuse my ID and password
| for access because it's not encrypted between
| the browser and zope server.
| 
| I understand that SSL servers are slowed down
| but only ID/Passwords need be SSL and after
| that, during the session, SSL security doesn't
| have to be used.
| 
| I may not have a full understanding of this.
| Please enlighten me!
| 
| -bobo connor
| 
| 
`-----

-- 
Kevin Dangoor
kid@ans.net / 734-214-7349
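
The point made in the reply above, shown as an added example that is not part of the original message. It assumes the login uses HTTP Basic authentication (the thread does not name the scheme) and audits a constructed cleartext capture to show which requests carry the user name and password; the host name, paths and credentials are made up.

```python
import base64

def build_request(path, creds=None):
    """Build one constructed sample request; creds is a (user, password) tuple."""
    lines = [f"GET {path} HTTP/1.0", "Host: zope.example.com"]
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"

def basic_credentials(request):
    """Return the (user, password) carried by one raw request, or None."""
    for line in request.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":  # header names are case-insensitive
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except ValueError:                           # bad base64 or bad UTF-8
            return None
        # Only the first colon separates user from password.
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None

def audit(capture):
    """List (request line, credentials or None) for every request in a capture."""
    requests = [r for r in capture.split("\r\n\r\n") if r.strip()]
    return [(r.split("\r\n")[0], basic_credentials(r)) for r in requests]

# Constructed session: one hit before login, then three hits after it.
CREDS = ("alice", "s3cret:pw")
CAPTURE = (build_request("/")
           + build_request("/manage", CREDS)
           + build_request("/manage_main", CREDS)
           + build_request("/images/logo.gif", CREDS))

if __name__ == "__main__":
    for request_line, creds in audit(CAPTURE):
        print(f"{request_line:35} -> {creds}")
```

Every request after the login, including the image fetch, exposes the same credentials, so there is no single "login" exchange that could be protected with SSL on its own.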