[Zope] Zope security management

Karl Anderson karl@digicool.com
20 Mar 2001 14:19:49 -0800


"Phil Harris" <phil.harris@zope.co.uk> writes:

> I agree with the fact that why bother with MD5 when SSL is available,
> however not everyone using Zope has that capability available to them.

Everybody who uses one of the free secure Apache servers has SSL
available to them; is this not the case for other servers that Zope
can run behind?

> For instance, I've recently seen a posting on slashdot.org where some people
> are questioning the pricing of SSL certificates, these people are living in
> Asia where the price of certificates equates to a few months salary.

That Slashdot discussion unsurprisingly only said half of the story.
SSL certs are free; becoming your own certificate authority and
signing your own certificates is free, and even documented by
mod_ssl.  I have a personal zope site that protects BasicAuth with
SSL, and I didn't pay for any bits.

The only reason to pay for a CA to sign your cert is to have that CA
vouch that the cert is yours; Netscape accepts those certs without a
dialog box.  There's probably other advangates, like insurance, as
well, I dunno.  But thats what the official CAs provide; it's not
Zope's job.

This doesn't address the original problem - if you allow nonsecure
authorization to a page, eventually someone will forget to access it
via SSL and will send the password across in the clear.  That's a
valid point.  Personally, I'm paranoid that my browser or proxy will
send my credentials without being asked for, which IIRC they are
allowed to do; so once I send credentials to my site, I always use SSL
for other URLs.  This is annoying, but wouldn't client certificates
solve this problem?

-- 
Karl Anderson                          karl@digicool.com