Re: [Zope] Re: Zope/Plone logon security strategy etc
David wrote: I moved to Apache (for SSL) because its independent of Zope and it will give you SSL and the power of a world class server when you need it. ZopeSSL worked fine (when i last tried it, like zope 2.4x). For SSL and HTTP sanitisation, I wouldn't trust anything that doesn't get the snot pounded out of it my millions of users on a daily basis. For me, that means for anything other than development on a private network, Apache sits in front of Zope. I'm not even sure I trust Squid yet ;-) Pound? ZopeSSL? Don't make me laugh ;-) As for this whole auth discussion, it depends on what your risks are. If you're serious, client certificate auth with Apache for every single request, and plenty of user education to explain exactly what that padlock means and why you need to click on it and read it every single session you start. I suspect in this case, a simple cookie auth scheme that uses _ZopeId as its token will be more than secure enough for your needs... Chris - security is HARD. No really, it's hard. Seriously, stop thinking you understand it, you don't, I don't, and likely no-one else around here does either ;-) -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Zope/Plone logon security strategy etc
Tino Wildenhain wrote: michael nt milne schrieb: Yes I agree, having checked on basic http authentication I need SSL. Basic http and cookie auth is insecure. I just feel that zope should have this facility even with a self signed certificate, so that you could do it without Apache and had more options. The option to even just have it on for site logon would be good. Yes you can do that. There are patches to use SSL directly w/ the ZServer. But usually its by far not worth the trouble. Apache or pound as frontend proxy are easy to setup and ease management and load balancing. _ Tino + 1 And heres a link to info re: ZopeSSL setup: http://www.zope.org/Members/Ioan/ZopeSSL I moved to Apache (for SSL) because its independent of Zope and it will give you SSL and the power of a world class server when you need it. ZopeSSL worked fine (when i last tried it, like zope 2.4x). David ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Re: Zope/Plone logon security strategy etc
michael nt milne schrieb: > Cookie authentication can't be secure. Also I have my doubts about > http authentication. I'll check though. Basicallx you want really good > encryption on any logon and password etc. You want ssl for all. There is no security if you have "logon" encrypted in a stateless protocol as HTTP is. Basically with HTTP you identify for every single request. So if you login "encrypted" and say, handle the session with a one time key (You could write a userfolder or plugin for PAS to do that) the one time key is still vulnerable if not sent over encrypted channel. So Using apache as ssl proxy is easy and secure and does exactly what you want. There is not really "an extra step" because you set up apache or the like anyway on a moderate to heavy used site as frontent to zope. As for the security aspect, a cooky with auth credentials is equally "secure" as Basic Auth. There is really not much of a difference - just other HTTP header-name. Regards Tino ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )