[Zope] Major security flaw in Zope 2.3.2

Ellis, Neil (FNB) EllisN@fnb.co.uk
Thu, 7 Jun 2001 16:49:15 +0100


Sorry if I'm misunderstanding the current conversation.

The difference seems to be that a Mailman user is only dealing with e-mail
however a Zope user may be making purchases and therefore their password may
be more sensitive.

Many regards
Neil Ellis

> -----Original Message-----
> From:	barry@digicool.com [SMTP:barry@digicool.com]
> Sent:	07 June 2001 15:29
> To:	Joachim Werner
> Cc:	Jerome Alet; zope@zope.org
> Subject:	Re: [Zope] Major security flaw in Zope 2.3.2
> 
> 
> >>>>> "JW" == Joachim Werner <joe@iuveno-net.de> writes:
> 
>     JW> I am really not against encrypted passwords. DC should
>     JW> implement this soon.  AFAIK the only reason for passwords not
>     JW> being encrypted yet was that the encryption modules needed
>     JW> were not available for all platforms or so.
> 
> I'm coming in totally in the middle of this thread, and I only follow
> this list tangentially, but I thought I'd comment w.r.t. my experience
> in Mailman.
> 
> One reason to keep passwords in the clear is to provide a mail-back
> service when a user forgets his or her password.  If you store them in
> encrypted form, you can't really do this.  (You could store
> user-supplied hints and mail those back, but that doesn't seem to work
> too well in my experience.  I haven't seen any usability studies to say
> whether that's a useful approach or not.)
> 
> In Mailman, we keep user passwords in the clear so we can do the
> monthly password reminders.  However, the list admin passwords are
> kept as a sha1 hash - not in the clear.  That means that if a list
> admin forgets his password, it's up to the site admin to assign them a
> new password.  So far, this has been a workable trade-off.
> 
> We have the advantage that user passwords don't protect a highly
> valuable resource; the worst that can happen is that they'll get
> unsubscribed from a list.  Bad, but not catastrophic.  List and site
> admin passwords are more valuable, so they afford a higher degree of
> security (and necessarily, less convenience).
> 
> Side note: Mailman doesn't -- by default -- have SSL for its login
> pages, although I'm aware that some sites have augmented their Mailman
> installations to provide this.  It would probably be a good idea to
> someday bundle this functionality.
> 
> Cheers,
> -Barry
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
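The three storage choices Barry's quoted message weighs (cleartext so the password can be mailed back, a bare sha1 hash for the admin passwords, and what a hashed store costs you in recoverability) can be put side by side in a few lines. The following is an added example written for this archive page; it is not code from Zope, Mailman or the posters. It goes one step past the thread: it shows why an unsalted sha1 is only a small improvement over cleartext, replaces it with the standard library's salted, iterated PBKDF2, and shows that "mail-back" can still be offered with a hashed store by mailing a short-lived, single-use reset token instead of the password. The in-memory user store, the function names and the 15-minute token lifetime are assumptions made for the demonstration, not anything from either project.

```python
# Added example (not Zope's or Mailman's own code): the password-storage
# options discussed in the thread, side by side.  The dict-based user store,
# function names and token lifetime are assumptions for this demonstration.
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- 1. Unsalted sha1, as the thread describes for Mailman list-admin passwords.
def sha1_hash(password: str) -> str:
    """Bare sha1 of the password: no salt, one fast round."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def crack_unsalted_sha1(digest: str, candidates) -> Optional[str]:
    """With no salt, one precomputed table of sha1 values covers every
    user; whoever steals the hash just looks it up.  'candidates' stands
    in for a wordlist."""
    table = {sha1_hash(c): c for c in candidates}
    return table.get(digest)

# --- 2. Salted, iterated hash (PBKDF2-HMAC-SHA256 from hashlib).
def hash_password(password: str, iterations: int = 100_000) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- 3. "Mail-back" without cleartext: a short-lived, single-use reset token.
RESET_TTL_SECONDS = 15 * 60   # assumed lifetime for the demonstration

def issue_reset_token(users: dict, username: str,
                      now: Optional[float] = None) -> str:
    """Return the token to put in the e-mail.  The store keeps only its
    sha256 and an expiry, so a leaked database yields no usable links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    users[username]["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token

def redeem_reset_token(users: dict, username: str, token: str,
                       new_password: str, now: Optional[float] = None) -> bool:
    """Accept the token once, before expiry, then set the new password hash."""
    now = time.time() if now is None else now
    rec = users.get(username, {})
    pending = rec.get("reset")
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    rec["reset"] = None                     # single use
    rec["password"] = hash_password(new_password)
    return True

if __name__ == "__main__":
    # Constructed sample data: one user and a tiny "wordlist".
    print("sha1('letmein') recovered as:",
          crack_unsalted_sha1(sha1_hash("letmein"), ["123456", "letmein", "qwerty"]))
    users = {"neil": {"password": hash_password("old-password")}}
    token = issue_reset_token(users, "neil")          # this goes in the e-mail
    print("reset accepted:", redeem_reset_token(users, "neil", token, "new-password"))
    print("reuse accepted:", redeem_reset_token(users, "neil", token, "again"))
    print("new password verifies:", verify_password("new-password", users["neil"]["password"]))
```

The point for the thread's trade-off: option 3 keeps the convenience Barry wants (the user still gets something by mail that lets them back in) while the database holds neither the password nor a reusable reset secret; what the site gives up is only the ability to tell the user what their old password was.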