[Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Thu Feb 16 07:44:24 EST 2006 

sorry Chris but if I was 'retarded' as you indeed claim I wouldn't have been
able to achieve so much with Plone and Zope over the last 6 months. I've
gone from zero knowledge of the plaftorms to installing Zope, and Plone on a
Unix box from source (not easy and required a alot of perseverance), setting
up development, production and staging instances, setting up VirtualHosting
and a number of live production sites on the platform. Also I've done all
that on a windows box using Apache which is also running IIS (not easy to
work with). I've then installed SSL with virtual hosts. I'm still learning
obviously, but am happy with progress to date and I've taken lots of
advice. I've made mistakes sure but who doesn't. I've also been very vocal
in my praise of the platform and how powerful it is to many people in my
sphere. If you feel you would be better of without people who fit my profile
then you're cutting your own throat. And anyway 'retarded' is not so much
'statement of fact' as use of 'emotive language'.

Anyway I thought you weren't replying to any more of my posts? You lie. I'm
a troll remember.

> MSIE versions. You can work around these problems by forcing Apache
> not to use HTTP/1.1, keep-alive connections or send the SSL close
> notify messages to MSIE clients. This can be done by using the
> following directive in your SSL-aware virtual host section

So, have you actually followed this advice? What difference has it made?

*sigh*

>No I haven't as yet. Too busy elsewhere. I will try the access rule on
Plone first and then go for the IE rules in Apache. I'll get there in the
end. As I say there's another guy on the Plone list who can't post images
over SSL with IE so I'm speaking to him as well.

Michael


On 2/15/06, Chris Withers <chris at simplistix.co.uk> wrote:
>
> michael nt milne wrote:
> > Chris, back to throwing personal insults eh.
>
> It's not so much an insult as a statement of fact. Retarded means
> "slower", and given how slow you seem to be to "get" the stuff we're
> discussing, I think the shoe fits. Not necessarily meant as an insult,
> but if you want to take it as such, so be it...
>
> > refrain from 'gratuitous insults'. That's just going to turn people
> > away and harm the cause of Zope.
>
> Some people this community could do without. I have no doubt that you'd
> argue that I am one of those people. I, of course, feel the same about
> you ;-)
>
> >>> I hope you're making sure the "secure" bit is set on those cookies ;-)
> >
> > I take it this is a joke.
>
> Okay, so you don't want to bother reading specs eithers. Great. Go read
> up on the cookie spec, find out what the secure bit of a cookie does...
>
> > Plone uses cookie authentication by default.
>
> And Plohn is hideously insecure by default, what's your point?
>
> > You can't log in with out that.
>
> Sure you can, chuck ?disable_cookie_auth__=1 on the end of a url that's
> not anonymously accessible...
>
> > There are security risks there but
> > good user education with a strong password policy, no use of 'save
> > password' facilities and SSL is a start at least.
>
> Good luck, you're gonna need it...
>
> >>> Considering you can't even quote a response correctly, I somehow doubt
> > that..
> >
> > Oh come on.
>
> What? You're mail client put >>> in front of your previous post, which
> is faulty for the majority of mail clients used by people on this list.
> Fix it.
>
> >> Fine, don't take our advice, but don't expect help either.
> >
> > What because I don't take all your advice? That's a bit elitist and
> > also not good for growing the user base of Zope.
>
> You don't take anyone's advice on this list without bitching and whining
> about it...
>
> > And to finish on my problem with IE over SSL, I'll be implementing the
> > help found here. It's recognised that there are problems and bugs in
> > IE over SSL:
>
> Your problem will undoubtedly be that access_rule put in by the Plohn
> installer. Remove it, and I'll bet your problems go away. But hey, what
> do I know?
>
> > MSIE versions. You can work around these problems by forcing Apache
> > not to use HTTP/1.1, keep-alive connections or send the SSL close
> > notify messages to MSIE clients. This can be done by using the
> > following directive in your SSL-aware virtual host section
>
> So, have you actually followed this advice? What difference has it made?
>
> *sigh*
>
> Chris
>
> --
> Simplistix - Content Management, Zope & Python Consulting
>            - http://www.simplistix.co.uk
>
>


--
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.zope.org/pipermail/zope/attachments/20060216/95bd92e1/attachment.htm

More information about the Zope mailing list