On March 13, Lennart Regebro wrote:
> 2. Protecting yourself from packet snooping:
> Zope doesn't have any encryption built-in, SSL needs external software
> to implement for example.
>
> In this sense Zope can be MADE secure with some work, but is not secure
> at all out of the box.

Speaking of which, does anyone have any strategies for doing a combination HTTP/HTTP-S setup, i.e., where anonymous requests are HTTP, and all authenticated requests are encrypted?

Specifically, Zope has no way of knowing beforehand that access to a resource will throw an Unauthorized error, and when it does, it just sends a WWW-Authenticate header, and the browser retries the request with the supplied header.

We want to enforce that passwords are never solicited without SSL.

One way is probably to use CookieCrumbler and hack it to rewrite came_from so s/^http/https/. Is there a way that doesn't require hacking?

a.

--
Adrian van den Dries [EMAIL PROTECTED]
Development team www.dev.flow.com.au
FLOW Communications Pty. Ltd. www.flow.com.au
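
The came_from rewrite mentioned in the message above, sketched as an added example; it is not part of the original post and is not CookieCrumbler's own code. SITE_HOST, LOGIN_PATH and both function names are hypothetical, and the off-site check goes beyond the plain s/^http/https/ so the login form cannot be used as an open redirect.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

SITE_HOST = "www.example.org"   # assumed site hostname (constructed)
LOGIN_PATH = "/login_form"      # assumed login form path (hypothetical)


def upgrade_to_https(url, site_host=SITE_HOST):
    """Return url with its scheme forced to https, or None if unusable.

    Only http/https URLs on our own host are accepted; anything else
    (another host, userinfo tricks, javascript: URLs) is refused.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if (parts.hostname or "").lower() != site_host.lower():
        return None
    # Rebuild from the bare host: this drops userinfo and any explicit
    # port, since the plain-HTTP port is wrong for the HTTPS listener.
    return urlunsplit(("https", site_host, parts.path or "/", parts.query, ""))


def login_redirect(requested_url, site_host=SITE_HOST):
    """Build the Location header for a request that raised Unauthorized.

    Instead of answering the HTTP request with a WWW-Authenticate
    challenge, the browser is sent to the login form over HTTPS with
    came_from already upgraded, so the password is only asked for and
    submitted on an encrypted connection.
    """
    came_from = upgrade_to_https(requested_url, site_host)
    if came_from is None:
        # Refused came_from: fall back to the site root over HTTPS.
        came_from = "https://%s/" % site_host
    query = urlencode({"came_from": came_from})
    return urlunsplit(("https", site_host, LOGIN_PATH, query, ""))
```

The authentication cookie set after login also needs the Secure attribute; without it the browser sends the cookie on later plain-HTTP requests to the same host.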