[Zope] Re: Zope/Plone logon security strategy etc
OK, thanks. I didn't notice the documentation on your site.

On 2/28/06, Dieter Maurer [EMAIL PROTECTED] wrote:

> michael nt milne wrote at 2006-2-28 15:51 +:
> > I'm probably missing something really obvious but am wondering how you actually implement your product on a live Plone site. I've got it installed. Do you just customise the login form that comes with the product and use that on the site?
>
> I fear you do not understand the essence of HTTP authentication:
>
> For any kind of HTTP authentication (whether basic or digest), it is the browser which gathers the login information. Therefore, you do not have a login form (which you can customize on the server). Instead, the browser uses its login dialog (which you might customize, if you are using e.g. Mozilla or Firefox, but which is usually out of the server's reach).
>
> As written in the documentation on my website, DigestAuth currently only contains a DigestAuthCrumbler, which works similarly to the CookieCrumbler. More precisely: it takes digest auth information, verifies it and (if successful) presents it like basic auth information to the remaining parts of Zope. The CookieCrumbler works very similarly: it takes the information from a cookie and presents it like basic auth information to the remaining parts of Zope.
>
> The DigestAuthCrumbler is a bit less transparent. It *MUST* know the user's password in order to verify the validity of the presented auth information (more precisely, a special hash would be sufficient, but usual user folders do not support such hashes). Therefore, it can only be used together with UserFolders providing access to the clear text password.
>
> --
> Dieter

--
Michael

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
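Added here as an illustration of the verification step Dieter describes, not code from the DigestAuth product or from anyone on the list: a minimal RFC 2617 digest check that needs the clear-text password (or the HA1 hash he calls a "special hash") and then re-presents the result as Basic-style credentials. The realm, user names and nonce values are constructed, and the function names are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed illustration of what a DigestAuthCrumbler-style verifier does
# (RFC 2617 digest, qop=auth); not the DigestAuth product's code. Server-side
# nonce bookkeeping (issuing nonces, rejecting reused nc values) is left out.
REQUIRED = ("username", "realm", "uri", "nonce", "nc", "cnonce", "response")

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    """The 'special hash' that would suffice instead of the clear-text password."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # Value the client sends; the server recomputes it from the same inputs.
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")

def parse_digest_header(header: str) -> dict:
    # Minimal parser: assumes no commas inside quoted values.
    if not header.startswith("Digest "):
        return {}
    fields = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields

def verify_digest(header: str, method: str, lookup_password):
    """User name if the digest checks out, else None; needs the clear-text password."""
    f = parse_digest_header(header)
    if any(k not in f for k in REQUIRED) or f.get("qop", "auth") != "auth":
        return None
    password = lookup_password(f["username"])  # why plain-password user folders are required
    if password is None:
        return None
    h1 = ha1(f["username"], f["realm"], password)
    expected = digest_response(h1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    return f["username"] if hmac.compare_digest(expected, f["response"]) else None

def as_basic_auth(user: str, password: str) -> str:
    """What the crumbler hands on to the rest of Zope: Basic-style credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def build_digest_header(user, realm, password, method, uri, nonce, nc, cnonce):
    # Constructed client side, so the example runs without a browser.
    resp = digest_response(ha1(user, realm, password), method, uri, nonce, nc, cnonce)
    return f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"'
```

A tampered response, a changed method or URI, or an unknown user all fail the check, while the same exchange over plain HTTP still exposes the session to an observer, which is the point the rest of the thread makes.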
Re: [Zope] Re: Zope/Plone logon security strategy etc
David wrote:
> I moved to Apache (for SSL) because it's independent of Zope and it will give you SSL and the power of a world class server when you need it. ZopeSSL worked fine (when I last tried it, like Zope 2.4x).

For SSL and HTTP sanitisation, I wouldn't trust anything that doesn't get the snot pounded out of it by millions of users on a daily basis. For me, that means for anything other than development on a private network, Apache sits in front of Zope. I'm not even sure I trust Squid yet ;-) Pound? ZopeSSL? Don't make me laugh ;-)

As for this whole auth discussion, it depends on what your risks are. If you're serious, client certificate auth with Apache for every single request, and plenty of user education to explain exactly what that padlock means and why you need to click on it and read it every single session you start.

I suspect in this case, a simple cookie auth scheme that uses _ZopeId as its token will be more than secure enough for your needs...

Chris - security is HARD. No really, it's hard. Seriously, stop thinking you understand it, you don't, I don't, and likely no-one else around here does either ;-)

--
Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk
Re: [Zope] Re: Zope/Plone logon security strategy etc
Tino Wildenhain wrote:
> michael nt milne wrote:
> > Yes I agree, having checked on basic HTTP authentication I need SSL. Basic HTTP and cookie auth is insecure. I just feel that Zope should have this facility even with a self-signed certificate, so that you could do it without Apache and have more options. The option to even just have it on for site logon would be good.
>
> Yes you can do that. There are patches to use SSL directly w/ the ZServer. But usually it's by far not worth the trouble. Apache or Pound as frontend proxy are easy to set up and ease management and load balancing.
>
> _
> Tino

+1

And here's a link to info re: ZopeSSL setup: http://www.zope.org/Members/Ioan/ZopeSSL

I moved to Apache (for SSL) because it's independent of Zope and it will give you SSL and the power of a world class server when you need it. ZopeSSL worked fine (when I last tried it, like Zope 2.4x).

David
[Zope] Re: Zope/Plone logon security strategy etc
Cookie authentication can't be secure. Also I have my doubts about HTTP authentication. I'll check though. Basically you want really good encryption on any logon and password etc.

On 1/25/06, Jens Vagelpohl [EMAIL PROTECTED] wrote:
> On 25 Jan 2006, at 18:55, michael nt milne wrote:
> > Hi
> >
> > Yeah I know the security aspects are good once you are in, however when you login it's possible for someone to grab your logon name and pass as it goes over the internet, as there's no encryption at all. Then obviously login themselves and compromise your sites. Just slightly concerned about this as I plan to have a few sites set up on one server, with client logins and have to advise on security. I know that Apache SSL can help but it's a tricky extra step and I only need to secure the login areas at the moment, not encrypt a whole site.
>
> You should read up on HTTP authentication and cookie authentication, I sense some severe knowledge gaps there...
>
> jens
Re: [Zope] Re: Zope/Plone logon security strategy etc
michael nt milne wrote:
> Cookie authentication can't be secure. Also I have my doubts about HTTP authentication. I'll check though. Basically you want really good encryption on any logon and password etc.

You want SSL for all. There is no security if you have the logon encrypted in a stateless protocol such as HTTP. Basically, with HTTP you identify yourself for every single request. So if you log in encrypted and, say, handle the session with a one-time key (you could write a user folder or plugin for PAS to do that), the one-time key is still vulnerable if not sent over an encrypted channel.

So using Apache as an SSL proxy is easy and secure and does exactly what you want. There is not really an extra step because you set up Apache or the like anyway on a moderately to heavily used site as frontend to Zope.

As for the security aspect, a cookie with auth credentials is equally as secure as Basic Auth. There is really not much of a difference - just another HTTP header name.

Regards
Tino
[Zope] Re: Zope/Plone logon security strategy etc
Yes I agree, having checked on basic HTTP authentication I need SSL. Basic HTTP and cookie auth is insecure. I just feel that Zope should have this facility even with a self-signed certificate, so that you could do it without Apache and have more options. The option to even just have it on for site logon would be good.

On 1/25/06, Tino Wildenhain [EMAIL PROTECTED] wrote:
> michael nt milne wrote:
> > Cookie authentication can't be secure. Also I have my doubts about HTTP authentication. I'll check though. Basically you want really good encryption on any logon and password etc.
>
> You want SSL for all. There is no security if you have the logon encrypted in a stateless protocol such as HTTP. Basically, with HTTP you identify yourself for every single request. So if you log in encrypted and, say, handle the session with a one-time key (you could write a user folder or plugin for PAS to do that), the one-time key is still vulnerable if not sent over an encrypted channel.
>
> So using Apache as an SSL proxy is easy and secure and does exactly what you want. There is not really an extra step because you set up Apache or the like anyway on a moderately to heavily used site as frontend to Zope.
>
> As for the security aspect, a cookie with auth credentials is equally as secure as Basic Auth. There is really not much of a difference - just another HTTP header name.
>
> Regards
> Tino
[Zope] Re: Zope/Plone logon security strategy etc
michael nt milne wrote:
> Yes I agree, having checked on basic HTTP authentication I need SSL. Basic HTTP and cookie auth is insecure. I just feel that Zope should have this facility even with a self-signed certificate, so that you could do it without Apache and have more options. The option to even just have it on for site logon would be good.

Yes you can do that. There are patches to use SSL directly w/ the ZServer. But usually it's by far not worth the trouble. Apache or Pound as frontend proxy are easy to set up and ease management and load balancing.