[Zope] Major security flaw in Zope 2.3.2

Frank Tegtmeyer fte@lightwerk.com
Wed, 6 Jun 2001 15:42:15 +0200


On Wed, Jun 06, 2001 at 08:40:44AM -0500, Farrell, Troy wrote:
> That's all well and good, but users should be able to reasonably expect that
> their passwords be secure from prying administrators.

Of course that's a valid point and I was not arguing against it.
I only picked the most problematic part of the scenario.

In fact, one-way encryption is cheap and available everywhere, so it
should be no problem to integrate it.

Of course it would not help against a prying administrator. It's plain
simple to sniff the passwords from HTTP traffic.

Regards, Frank