Yes I agree, having checked on basic HTTP authentication I need SSL.
Basic HTTP and cookie auth are insecure. I just feel that Zope should
have this facility even with a self-signed certificate, so that you
could do it without Apache and have more options. The option to even
just have it on for site logon would be good.
On 1/25/06, Tino Wildenhain <[EMAIL PROTECTED]> wrote:
> michael nt milne wrote:
> > Cookie authentication can't be secure. Also I have my doubts about
> > HTTP authentication. I'll check though. Basically you want really good
> > encryption on any logon and password etc.
> You want ssl for all. There is no security if you have "logon" encrypted
> in a stateless protocol as HTTP is. Basically with HTTP you identify
> for every single request. So if you login "encrypted" and say, handle
> the session with a one time key (You could write a userfolder or plugin
> for PAS to do that) the one time key is still vulnerable if not sent
> over an encrypted channel. So using Apache as an SSL proxy is easy and secure
> and does exactly what you want. There is not really "an extra step"
> because you set up apache or the like anyway on a moderate to heavy used
> site as frontend to Zope.
> As for the security aspect, a cookie with auth credentials is equally
> "secure" as Basic Auth. There is really not much of a difference -
> just a different HTTP header name.
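The point Tino makes above, that a Basic Auth header and a credential-bearing cookie are equally exposed unless the whole channel is encrypted, can be shown in a few lines. The following is an added illustration, not code from this thread, from Zope or from Apache: it decodes a Basic Auth header to show it is only base64-encoded (not encrypted), and it implements the defensive check a Zope-side plugin behind an Apache SSL proxy would want, namely accepting `Authorization` or `Cookie` headers only when TLS was terminated either locally or by a trusted proxy that sets `X-Forwarded-Proto`. The proxy address, the sample credentials and the `X-Forwarded-Proto` convention are assumptions for the example; `__ac` is named after Zope's cookie-auth cookie.

```python
"""Why "encrypting the logon" is not enough: every request re-sends identity.

Added example for the thread above. All sample values are constructed.
"""
import base64
from typing import Mapping, Optional, Tuple

# Assumption: the Apache SSL proxy talks to Zope from this address only.
TRUSTED_PROXY_IP = "127.0.0.1"

# Constructed sample credentials, encoded exactly as a browser would send them.
SAMPLE_AUTH_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")

# Header names that carry identity on every single request (stateless HTTP).
CREDENTIAL_HEADERS = ("authorization", "cookie")


def decode_basic_auth(authorization: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Auth header, or None if it is not Basic.

    Demonstrates that Basic Auth is base64 encoding, not encryption: anyone who
    can read the plaintext HTTP request can read the password.
    """
    scheme, _, blob = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def credential_headers(headers: Mapping[str, str]) -> list:
    """Names of the headers in this request that carry credentials or a session."""
    return sorted(h for h in headers if h.lower() in CREDENTIAL_HEADERS)


def channel_is_encrypted(peer_ip: str, headers: Mapping[str, str], tls_direct: bool = False) -> bool:
    """True if TLS was terminated here, or by the trusted proxy in front of us.

    X-Forwarded-Proto is only believed when the request comes from the proxy;
    from any other peer it could be set by the client and must be ignored.
    """
    if tls_direct:
        return True
    forwarded = _header(headers, "X-Forwarded-Proto")
    return peer_ip == TRUSTED_PROXY_IP and forwarded is not None and forwarded.lower() == "https"


def accept_request(peer_ip: str, headers: Mapping[str, str], tls_direct: bool = False) -> Tuple[bool, str]:
    """Decide whether to honour the credentials on this request.

    Anonymous requests are fine over plaintext; anything carrying an
    Authorization or Cookie header must have arrived over an encrypted channel,
    regardless of which of the two header names was used.
    """
    carried = credential_headers(headers)
    if not carried:
        return True, "anonymous request, nothing sensitive exposed"
    if channel_is_encrypted(peer_ip, headers, tls_direct):
        return True, "credentials received over an encrypted channel"
    return False, "refusing %s over plaintext HTTP" % ", ".join(carried)


def secure_session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for a session token that the browser will only send over HTTPS."""
    return "%s=%s; Secure; HttpOnly; Path=/" % (name, value)


if __name__ == "__main__":
    print("Basic Auth decodes to:", decode_basic_auth(SAMPLE_AUTH_HEADER))
    print(accept_request("203.0.113.5", {"Authorization": SAMPLE_AUTH_HEADER}))
    print(accept_request(TRUSTED_PROXY_IP, {"Cookie": "__ac=abc123", "X-Forwarded-Proto": "https"}))
    print(secure_session_cookie("__ac", "abc123"))
```

The same check rejects a forged `X-Forwarded-Proto: https` arriving directly from a client, which is why the proxy address has to be pinned rather than trusting the header alone; with Apache in front, Zope should be bound so that only the proxy can reach it at all.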
Zope maillist - Zope@zope.org