[Zope] Re: Question about Zope and security

David H bluepaul at earthlink.net
Wed Mar 29 23:35:56 EST 2006


Cyrille Bonnet wrote:

> Hi Terry,
>
> thanks for your comment.
>
>> Stock Zope doesn't use cookie authentication, so you're actually
>> talking about an alternate user folder product (which you don't
>> specify and I don't know that many of them, so I can't really comment
>> much -- except that SimpleUserFolder with CookieCrumbler will indeed
>> put you in this situation (or did the last time I checked)).
>
>
> I am using Plone 2.1.2, which uses CookieCrumbler. I wanted to put the 
> problem in a Zope perspective, though: this is why I didn't mention that.
>
>>
>> The fact that Zope stores passwords as plain text is not the issue if
>> you're worried about man-in-the-middle attacks, though. The problem
>> there is that you are passing passwords plain text in the request, and
>> there is almost no way around that unless you run an SSL (HTTPS)
>> server. Which you should if you want real security.
>>
>
> Sorry, I wasn't even aware that Zope stores the passwords in plain 
> text.  My primary concern (for the moment) is passwords in plain text 
> in the request.
>
> I had thought of SSL, but it doesn't solve the problem for WebDAV access.
>
> I should also mention that the site is for the general public, with a 
> few users logging in.
>
> Of course, I can't put the public site on SSL, so I would have to have 
> a separate URL for logged-in users with SSL. And I still have to worry 
> about the ZMI and WebDAV access.
>
> It seems so much simpler to solve the problem at the root: change Zope 
> authentication.
>
>
>> Encrypting your password database without moving your server login to
>> HTTPS is only going to create inconvenience without improved security
>> (you can no longer send password reminders, for example) -- it's a
>> false sense of security.
>>
>
> Ouch, so on top of my concerns, passwords are stored in plain text?? 
> Thanks for pointing that out.
>
> I'd rather encrypt passwords with a hash and reset the password if the 
> users have lost it. Is it possible to do that in Zope?
>
> Obviously, I don't understand the ins and outs of Zope as well as most 
> people on this list. So, my questions really are:
>
> * why is Zope authentication implemented that way?
> * Is it really complex to secure the authentication process?
> * Is there any documentation summing up Zope security (authentication 
> process, password storage, etc.)?
>
> Cheers,
>
> Cyrille
>

Cyrille,

I am curious: if HTTPS is a hassle, then what do your security experts
have as a secure alternative?

All best,

David
