Hi there,

I have been telling all my clients about how great Zope is for security: fine-grained permissions, security framework, roles, etc.

Now, one of my clients has a security expert who took a close look at how Zope authenticates users. The results were not good.

The main problem is that Zope stores the username and password in a cookie in clear text (base64 encoded).

Even though it only happens in their internal network, my client wasn't too happy, because it makes them vulnerable to a man-in-the-middle attack.

I know, the odds of that happening are low, but storing the username and password in clear text is clearly not best practice.

So, my question is: is there a way to secure Zope authentication?

I did find Dieter Mauer's DigestAuth product: http://www.dieter.handshake.de/pyprojects/zope/#DigestAuth

It looks good. I have used other produts from Dieter before and was very pleased with the quality of his code.

Now, have other people used it? Does it work with WebDAV? How secure is it (I am no security/encryption expert)?

Also, if it is good, why is not part of default Zope??

Finally, a little side story: you know how in Windows XP, you can connect a drive to a WebDAV server? Well, if you install Service Pack 2, you can't use that feature to connect to Zope anymore. Interestingly enough, it seems that it is precisely because of that authentication vlunerability: Win XP SP2 refuses to connect to a WebDAV that doesn't at least encode the username/password in Digest authentication...

Any comment or pointers are very welcome.


Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to