[Zope-dev] How (in)secure is Zope?

[Dave Hall]

On Fri, Mar 14, 2003 at 09:19:55AM +1100, Adrian van den Dries wrote:
> On March 13, Lennart Regebro wrote:
> > 2. Protecting yourself from packet snooping:
> > Zope doesn't have any encryption built-in, SSL needs external software 
> > to implement fro example.
> > 
> > In this sense Zope can be MADE secure with some work, but is not secure 
> > at all out of the box.
> 
> Speaking of which, does anyone have any strategies for doing a
> combination HTTP/HTTP-S setup, ie, where anonymous requests are HTTP,
> and all authenticated requests are encrypted?

If you're front-ending with Apache, you could have a rewrite rule that
would send an HTTP redirect if there are authentication credentials in the
request. It still means one trip across the net with credentials in the
clear.  Not useful if you are using SSL for privacy but useful if you are
using SSL for authenticity.

> Specifically, Zope has no way of knowing beforehand that access to a
> resource will throw an Unauthorized error, and when it does, it just
> sends a WWW-Authenticate header, and the browser retries the request
> with the supplied header.  We want to enforce that passwords are never
> solicited without SSL.
> 
> One way is probably to use CookieCrumbler and hack it to rewrite
> came_from so s/^http/https/.  Is there a way that doesn't require
> hacking?

You could maybe wrap stuff in a method or object that will catch an Unauthorized
error and return a HTTP redirect to a https:// URL.  When the page is hit
using HTTPS, don't bother checking.

This simplest thing to do would be to do everything over SSL (anonymous or
authenticated).  I do this now with an apache non-SSL virtual host sending
a redirect to the SSL virtual host with the same URI.


-- 

Dave

===============================================================
| <- You must be smarter than this stick to ride
     the Internet		-Mike Handler
===============================================================