[Zope] passwords TTW - security hole?

Martijn Pieters mj@digicool.com
Mon, 18 Dec 2000 17:29:14 +0100


On Mon, Dec 18, 2000 at 04:02:45PM +0000, Bill Welch wrote:
> AFAIK, inputs of type password are sent to the server as plain text. In
> Login Manager, for example, that would mean that passwords are exposed
> every time someone logs in. In User Folder, the passwords would be exposed
> whenever they're changed.

You are right, of course. 

But also note that authentication will send the password in the
almost-clear. It is only Base64 encoded. Most Unixes come with a base64
decoder installed by default; Python has a handy base64 module too. Hell,
I can decipher base64 encoded text by hand if I have to.

This is a common problem with any website.

> If my interpretation is correct, then it seems to me to be a call for
> out-of-the-box ssl support in zope.

There is an SSL product available for Zope, search Zope.org. Adding SSL to
the standard Zope distro has been considered, but kept off for several
reasons, all of which I didn't personally partake in.

You could always start a Fishbowl proposal of course, and see if you can
get it past Brian Lloyd, the Zope product manager. :)

-- 
Martijn Pieters
| Software Engineer  mailto:mj@digicool.com
| Digital Creations  http://www.digicool.com/
| Creators of Zope   http://www.zope.org/
---------------------------------------------
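As an added example (not part of this thread, and not Zope code), the point above about HTTP Basic authentication in Python: the Authorization header is decoded to recover the credentials, and a small check over constructed request records flags where Basic credentials crossed the wire without SSL. The header value and the sample request records are constructed.

```python
import base64
import binascii
from typing import List, Optional, Tuple


def credentials_from_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an 'Authorization: Basic ...' value.

    Returns None for other schemes or malformed payloads. Splits on the
    first colon only, because a password may itself contain colons.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


# Constructed sample records, as a proxy log or capture might summarise
# requests (not real traffic): transport scheme, path, Authorization header.
# The header below is "admin:pa:ss" in base64.
SAMPLE_REQUESTS = [
    {"scheme": "http", "path": "/manage", "authorization": "Basic YWRtaW46cGE6c3M="},
    {"scheme": "https", "path": "/manage", "authorization": "Basic YWRtaW46cGE6c3M="},
    {"scheme": "http", "path": "/index_html", "authorization": None},
    {"scheme": "http", "path": "/manage_main", "authorization": "Bearer not-basic"},
]


def plaintext_basic_auth_findings(requests) -> List[Tuple[str, str]]:
    """Return (path, user) for every request whose Basic credentials were sent
    without SSL, i.e. readable by anyone who can observe the traffic."""
    findings = []
    for req in requests:
        header = req.get("authorization")
        if req["scheme"].lower() == "https" or not header:
            continue  # encrypted transport, or no credential on this request
        creds = credentials_from_basic_header(header)
        if creds:
            findings.append((req["path"], creds[0]))
    return findings


if __name__ == "__main__":
    for path, user in plaintext_basic_auth_findings(SAMPLE_REQUESTS):
        print(f"Basic credentials for {user!r} sent in the clear to {path}")
```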