By default, Plone ships with a few insecure settings built in. That is no real problem on its own, as the safer alternatives come with trade-offs. But you can make your site quite a bit more secure with a few measures that are not too hard. In this first installment, I'm just going to worry you with two problems up front; I'll post later about the solution.
In a default Plone, passwords go over the wire in plain text. When you submit the login form, you send over two parameters: __ac_name=yourname and __ac_password=yoursecretpassword.
Anyone who is able to sniff the network traffic can read those two values directly, so this is one obvious attack point. It can be remedied by serving the site (at least the login) over https, so that the form data is encrypted in transit. Plone - or rather Zope - doesn't speak https itself, but that's not really the problem, as you should put Apache or Squid in front of Plone anyway, and the front-end can terminate https for you.
After authentication, Plone sets a cookie that gets passed along on every subsequent request. Firefox's LiveHttpHeaders extension is very instructive here:
    GET /plone/folder_icon.gif HTTP/1.1
    Host: localhost:3030
    Accept: image/png,*/*;q=0.5
    Cookie: __ac="dGVzdHVzZXI6cmV1dGVsCg%3D%3D"
  To scare you even more: that cookie value looks pretty safe, but it
  is just a base64 encoded string. %3D is the url-encoded form of =, so
  replace that and run the string through a base64 decoder:
    $> echo dGVzdHVzZXI6cmV1dGVsCg== | base64 -d
    testuser:reutel
  So that innocent-looking cookie contains our username testuser and
  password reutel in basically plain text :-) Base64 is an encoding, not
  encryption, so anyone who sees the cookie can decode it. And because the
  cookie is sent along with every request, including a trivial image like
  the folder icon above, the plain-text login is exposed on every single
  request, not just once on the login form.
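To make the two problems above concrete, here is an added example (my own illustration, not code from Plone or from this post) that plays the role of the network sniffer: given a captured login POST and a captured follow-up GET, it pulls the credentials out of the __ac_name/__ac_password form fields and out of the base64-encoded __ac cookie. The two HTTP requests are constructed samples that mirror the capture shown above; the helper names are made up for this example.

```python
import base64
from urllib.parse import parse_qs, unquote

# Constructed sample captures (not real traffic). The GET mirrors the
# LiveHttpHeaders capture above; the POST is what the login form sends.
LOGIN_POST = (
    "POST /plone/logged_in HTTP/1.1\r\n"
    "Host: localhost:3030\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "__ac_name=testuser&__ac_password=reutel&form.submitted=1"
)
IMAGE_GET = (
    "GET /plone/folder_icon.gif HTTP/1.1\r\n"
    "Host: localhost:3030\r\n"
    "Accept: image/png,*/*;q=0.5\r\n"
    'Cookie: __ac="dGVzdHVzZXI6cmV1dGVsCg%3D%3D"\r\n'
    "\r\n"
)


def split_request(raw):
    """Split one raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def creds_from_login_form(raw):
    """Problem 1: the login form fields travel in plain text in the body."""
    _, _, body = split_request(raw)
    fields = parse_qs(body)
    name = fields.get("__ac_name", [None])[0]
    password = fields.get("__ac_password", [None])[0]
    if name is None or password is None:
        return None
    return name, password


def creds_from_ac_cookie(raw):
    """Problem 2: the __ac cookie is only base64("user:password")."""
    _, headers, _ = split_request(raw)
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key != "__ac":
            continue
        value = unquote(value.strip('"'))  # %3D -> "=" and drop the quotes
        try:
            decoded = base64.b64decode(value).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # not a well-formed __ac cookie
        # The captured value ends in a newline ("Cg==" at the end), so strip it.
        name, sep, password = decoded.rstrip("\n").partition(":")
        if not sep:
            return None
        return name, password
    return None


if __name__ == "__main__":
    print("from login form:", creds_from_login_form(LOGIN_POST))
    print("from __ac cookie:", creds_from_ac_cookie(IMAGE_GET))
```

Both functions return ("testuser", "reutel"): the second one shows why the cookie is the nastier of the two problems, since it rides along on every request after login, while the form is only sent once.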
For potential solutions, see the follow-up post: Plone secure login, the secure part.
            My name is Reinout van Rees and I program in Python, I live in the Netherlands, I cycle recumbent bikes and I have a model railway.