[Zope] www.oswg.org runs Zope?
Joachim Werner
joachim.werner@iuveno.de
Wed, 19 Apr 2000 15:18:11 +0200
> 1. Zope should integrate SSL.
> 2. All protected pages should be delivered only through SSL by default.
> 3. A fallback to use management and protected pages without SSL should
> be there, but it has to be enabled by hand.
>
> That would eliminate many risks with little effort for non hackers.

Having "native" SSL support in Zope surely would be a GOOD THING (tm). It just
doesn't seem to be a very popular idea. I remember some previous threads about
it on this list ...

But SSL wouldn't help with the password issue! Getting into an SSL-secured page
by guessing the password isn't any harder than without SSL. The only advantage
is that the password cannot be "sniffed", only guessed.

If you want real security for a site that is in the public internet, I don't
think there is an easy solution. The only things that come to my mind are
"one-time" passwords sent to the user via a secure connection or generated by
password generators and smart cards with public/private key technology.

But that's a general issue, not a specific Zope problem.