Re: [Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?
sorry Chris but if I was 'retarded' as you indeed claim I wouldn't have been able to achieve so much with Plone and Zope over the last 6 months. I've gone from zero knowledge of the platforms to installing Zope and Plone on a Unix box from source (not easy and required a lot of perseverance), setting up development, production and staging instances, setting up VirtualHosting and a number of live production sites on the platform. Also I've done all that on a windows box using Apache which is also running IIS (not easy to work with). I've then installed SSL with virtual hosts. I'm still learning obviously, but am happy with progress to date and I've taken lots of advice. I've made mistakes sure but who doesn't. I've also been very vocal in my praise of the platform and how powerful it is to many people in my sphere. If you feel you would be better off without people who fit my profile then you're cutting your own throat. And anyway 'retarded' is not so much 'statement of fact' as use of 'emotive language'. Anyway I thought you weren't replying to any more of my posts? You lie. I'm a troll remember.

>> MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section
>
> So, have you actually followed this advice? What difference has it made?

*sigh* No I haven't as yet. Too busy elsewhere. I will try the access rule on Plone first and then go for the IE rules in Apache. I'll get there in the end. As I say there's another guy on the Plone list who can't post images over SSL with IE so I'm speaking to him as well.

Michael

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?
It's been said a million times in a million different ways, so let's tick that counter one more time and make it a million and one: DON'T FEED THE TROLLS.

http://img18.photobucket.com/albums/v55/krazykit/2004-03-22_104550_troll.gif

--
Floyd May
Senior Systems Analyst
CTLN - CareerTech Learning Network
[EMAIL PROTECTED]
Re: [Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?
yeah, take his advice Chris :-)

--
Michael
Re: [Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?
Chris, back to throwing personal insults eh. I'll refrain from going down that line as it's tedious and unprofessional. You've obviously not listened to the advice of your fellow peers on that front. Everyone can take on a little advice and I've remarked previously that I was wrong in my initial approach with this post, which has now blown out of all proportion and is to be honest a bit of a joke. Security is hard and I'm getting my head round it. I'm also newish to Zope and Plone and feel I've progressed pretty well in about 6 months considering I do a full-time job too. It is a steep learning curve and the more people that persevere with it the better. I find the Zope and Plone lists generally fantastic; they're the best user-based lists I have experienced. However they're not helped by the attitude displayed by you, Chris, and your inability to refrain from 'gratuitous insults'. That's just going to turn people away and harm the cause of Zope.

To answer some of your points:

> I hope you're making sure the secure bit is set on those cookies ;-)

I take it this is a joke. Plone uses cookie authentication by default. You can't log in without that. There are security risks there but good user education with a strong password policy, no use of 'save password' facilities and SSL is a start at least.

> Considering you can't even quote a response correctly, I somehow doubt that..

Oh come on.

> Fine, don't take our advice, but don't expect help either.

What because I don't take all your advice? That's a bit elitist and also not good for growing the user base of Zope.

> Sheesh, sorry, but I've come to the conclusion you're just trolling and so won't be wasting my time with any more of your posts...

Well you're wrong on that one as well. You're probably just not suited to helping out newer users. I wouldn't suggest customer service as a second career..:-)

And to finish on my problem with IE over SSL, I'll be implementing the help found here. It's recognised that there are problems and bugs in IE over SSL:

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html

"The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic in some MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section

    SetEnvIf User-Agent .*MSIE.* \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

Further, some MSIE versions have problems with particular ciphers. Unfortunately, it is not possible to implement a MSIE-specific workaround for this, because the ciphers are needed as early as the SSL handshake phase. So a MSIE-specific SetEnvIf won't solve these problems. Instead, you will have to make more drastic adjustments to the global parameters. Before you decide to do this, make sure your clients really have problems. If not, do not make these changes - they will affect all your clients, MSIE or otherwise."

--
Michael
Re: [Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote:
> Chris, back to throwing personal insults eh.

It's not so much an insult as a statement of fact. Retarded means slower, and given how slow you seem to be to get the stuff we're discussing, I think the shoe fits. Not necessarily meant as an insult, but if you want to take it as such, so be it...

> refrain from 'gratuitous insults'. That's just going to turn people away and harm the cause of Zope.

Some people this community could do without. I have no doubt that you'd argue that I am one of those people. I, of course, feel the same about you ;-)

>> I hope you're making sure the secure bit is set on those cookies ;-)
>
> I take it this is a joke.

Okay, so you don't want to bother reading specs either. Great. Go read up on the cookie spec, find out what the secure bit of a cookie does...

> Plone uses cookie authentication by default.

And Plohn is hideously insecure by default, what's your point?

> You can't log in without that.

Sure you can, chuck ?disable_cookie_auth__=1 on the end of a url that's not anonymously accessible...

> There are security risks there but good user education with a strong password policy, no use of 'save password' facilities and SSL is a start at least.

Good luck, you're gonna need it...

>> Considering you can't even quote a response correctly, I somehow doubt that..
>
> Oh come on.

What? Your mail client put in front of your previous post, which is faulty for the majority of mail clients used by people on this list. Fix it.

>> Fine, don't take our advice, but don't expect help either.
>
> What because I don't take all your advice? That's a bit elitist and also not good for growing the user base of Zope.

You don't take anyone's advice on this list without bitching and whining about it...

> And to finish on my problem with IE over SSL, I'll be implementing the help found here. It's recognised that there are problems and bugs in IE over SSL:

Your problem will undoubtedly be that access_rule put in by the Plohn installer. Remove it, and I'll bet your problems go away. But hey, what do I know?

> MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section

So, have you actually followed this advice? What difference has it made?

*sigh*

Chris

--
Simplistix - Content Management, Zope Python Consulting
- http://www.simplistix.co.uk
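The "secure bit" Chris refers to is the Secure attribute of a Set-Cookie header: without it the browser also sends the cookie on plain http:// requests to the same host, so an auth cookie issued by a login page behind SSL can still go over the wire in clear. The check below is an added example, not code from the thread or from Plone; the response headers and cookie names it inspects are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed sample: headers as a cookie-authenticated site behind Apache+SSL
# might emit them. Cookie names and values are made up for this example.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "auth_token=dGVzdA%3D%3D; Path=/"),
    ("Set-Cookie", "auth_token_ok=dGVzdA%3D%3D; Path=/; Secure"),
    ("Set-Cookie", "theme=plain; Path=/"),
]


def cookies_missing_secure(headers):
    """Return the sorted names of all cookies issued without the Secure attribute.

    `headers` is a list of (name, value) pairs as received in an HTTPS response.
    Every cookie listed in the result would also be attached by the browser to
    unencrypted http:// requests for the same host.
    """
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "name=value; attr; attr=value" into one Morsel
        for cookie_name, morsel in jar.items():
            # Morsel stores flag attributes as True when present, "" otherwise.
            if not morsel["secure"]:
                missing.append(cookie_name)
    return sorted(missing)


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie!r} is sent over plain HTTP too: add the Secure attribute")
```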
Re: [Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?
Alexander Limi wrote:
> On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen [EMAIL PROTECTED] wrote:
>> *HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know, uses a Site Access rule.
>
> http://plone.org/documentation/faq/multiple-sites-installers
>
> What part is not documented at all? :)

*sigh* If it uses an Access Rule, it's likely still a dirty trick that will confuse retards like Michael, I'd suggest removing it...

Chris

--
Simplistix - Content Management, Zope Python Consulting
- http://www.simplistix.co.uk