[Zope] Zope security management

Phil Harris phil.harris@zope.co.uk
Tue, 20 Mar 2001 22:51:40 -0000 

Karl,

At no point in this discussion did I assert that it was Zopes job to supply
a SSL implementation or become a CA.  I totally agree that this is better
handled by a layer in front of Zope.

Yeah, I know you can sign your own certificates, but for some environments
(e.g. eCommerce) surely you can agree that having VeriSign or Thawte vouch
for your certificate would inspire more confidence than one signed by Phil
Harris, web-odd-job-man.

I myself also use self-signed certificates but only for testing sites.  My
employers take offence (in aesthetic terms) to the silly messages that
Netscape/Mozilla/IE (moz in particular) show users when the certificate is
self-signed.  We have a captive audience (academic) to a certain degree, so
can get away with it, others are not so fortunate.

Now onto something related but not strictly on topic.

There are also other ways to put a SSL frontend to Zope than to use Apache,
take a look at http://www.stunnel.org or http://www.delegate.org for
instance.

I use them with some success to put SSL fronts to all sorts of things
including HTTP, LDAP, POP3,NNTP etc. and also use them in client mode to
connect non-SSL clients to SSL-enabled servers.

Anyway enough rambling.

See ya

Phil



----- Original Message -----
From: "Karl Anderson" <karl@digicool.com>
To: "Phil Harris" <phil.harris@zope.co.uk>
Cc: "The Famous Brett Watson" <famous@nutters.org>; <zope@zope.org>
Sent: Tuesday, March 20, 2001 10:19 PM
Subject: Re: [Zope] Zope security management


> "Phil Harris" <phil.harris@zope.co.uk> writes:
>
> > I agree with the fact that why bother with MD5 when SSL is available,
> > however not everyone using Zope has that capability available to them.
>
> Everybody who uses one of the free secure Apache servers has SSL
> available to them; is this not the case for other servers that Zope
> can run behind?
>
> > For instance, I've recently seen a posting on slashdot.org where some
people
> > are questioning the pricing of SSL certificates, these people are living
in
> > Asia where the price of certificates equates to a few months salary.
>
> That Slashdot discussion unsurprisingly only said half of the story.
> SSL certs are free; becoming your own certificate authority and
> signing your own certificates is free, and even documented by
> mod_ssl.  I have a personal zope site that protects BasicAuth with
> SSL, and I didn't pay for any bits.
>
> The only reason to pay for a CA to sign your cert is to have that CA
> vouch that the cert is yours; Netscape accepts those certs without a
> dialog box.  There's probably other advangates, like insurance, as
> well, I dunno.  But thats what the official CAs provide; it's not
> Zope's job.
>
> This doesn't address the original problem - if you allow nonsecure
> authorization to a page, eventually someone will forget to access it
> via SSL and will send the password across in the clear.  That's a
> valid point.  Personally, I'm paranoid that my browser or proxy will
> send my credentials without being asked for, which IIRC they are
> allowed to do; so once I send credentials to my site, I always use SSL
> for other URLs.  This is annoying, but wouldn't client certificates
> solve this problem?
>
> --
> Karl Anderson                          karl@digicool.com