[Zope] Zope security and SSL

srl slandrum@turing.csc.smith.edu
Wed, 19 Apr 2000 10:37:49 -0400 (EDT)


On Wed, 19 Apr 2000, Joachim Werner wrote:

> Having "native" SSL support in Zope surely would be a GOOD THING (tm).
> It just doesn't seem to be a very popular idea. I remember some previous
> threads about it on this list ... 
> 
> But SSL wouldn't help with the password issue! Getting into an
> SSL-secured page by guessing the password isn't any harder than without
> SSL. The only advantage is that the password cannot be "sniffed", only
> guessed. 

IMO that's a significant advantage for the paranoid: if you're across
the country in a hotel room editing your Zope site, and some script kiddie
is running a sniffer on that hotel's network, well, the kiddie just got
your password. If you were editing your site by using SSH to a
straight-HTML server, the kiddie wouldn't get your password. If you were
editing a Zope page that's running inside SSL, the kiddie wouldn't get
your password. 

With a brute-force attack, your logs would at least show that someone was
trying to crack a privileged account. If some script kiddie attacks your
Zope site with a password gotten through a sniffer, you see one login,
that's it, and your homepage now says, "I 4M 3733T, PH34R M3."
But then again, this is why to back up Data.fs. 

srl
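As an added illustration of the log-visibility point made in the reply above (example code, not from the original thread): the brute-force attempt leaves a pile of 401s in the ZServer access log, while a login with a sniffed password looks like one ordinary entry and can only be spotted against an allow-list of the addresses the site owner actually edits from. It assumes ZServer's Common Log Format output and a `/manage` path prefix for the management screens; the log lines are constructed.

```python
import re
from collections import Counter

# Common Log Format as written by ZServer (medusa); the sample log below is constructed.
CLF = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                 r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2000:10:30:01 -0400] "GET /manage HTTP/1.0" 401 -
203.0.113.7 - - [19/Apr/2000:10:30:02 -0400] "GET /manage HTTP/1.0" 401 -
203.0.113.7 - - [19/Apr/2000:10:30:03 -0400] "GET /manage HTTP/1.0" 401 -
203.0.113.7 - - [19/Apr/2000:10:30:04 -0400] "GET /manage HTTP/1.0" 401 -
203.0.113.7 - - [19/Apr/2000:10:30:05 -0400] "GET /manage HTTP/1.0" 401 -
198.51.100.9 - - [19/Apr/2000:10:31:00 -0400] "GET /manage HTTP/1.0" 401 -
198.51.100.9 - admin [19/Apr/2000:10:31:03 -0400] "GET /manage HTTP/1.0" 200 4120
198.51.100.9 - admin [19/Apr/2000:10:31:09 -0400] "POST /manage_edit HTTP/1.0" 302 -
192.0.2.55 - - [19/Apr/2000:10:35:00 -0400] "GET /index_html HTTP/1.0" 200 1893
"""

def parse(log_text):
    """Return one dict per well-formed CLF line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(CLF.match, log_text.splitlines()) if m]

def is_manage(e):
    return e["path"].startswith("/manage")

def brute_force_sources(events, threshold=5):
    """IPs with at least `threshold` 401s against the management screens.
    A single 401 before a 200 is just the normal Basic-auth challenge, so
    the threshold must sit well above 1 or every legitimate login is flagged."""
    fails = Counter(e["ip"] for e in events if is_manage(e) and e["status"] == "401")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def privileged_logins(events):
    """(ip, user) pairs that successfully reached a management screen."""
    return sorted({(e["ip"], e["user"]) for e in events
                   if is_manage(e) and e["user"] != "-" and e["status"] in ("200", "302")})

def unexpected_privileged_logins(events, expected_sources):
    """Successful management logins from addresses the owner does not use.
    A login with a sniffed password produces no failures at all, so this
    allow-list comparison is the only signal the access log offers for it."""
    return [(ip, user) for ip, user in privileged_logins(events) if ip not in expected_sources]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute force from:", brute_force_sources(ev))
    print("quiet logins from unknown addresses:",
          unexpected_privileged_logins(ev, expected_sources={"192.0.2.55"}))
```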