Make Plone more secure: Disabling Base64-encrypted cookies with SessionCrumbler
Introduction
Whenever you log into Plone, it stores a cookie on your machine so that it can recognize you the next time you visit the site. Many sites do this to spare the user from logging in every single time he wants to view a protected page, so it is intended as a usability feature and is not a big deal in itself. Usually the information stored in this cookie is a session ID or the password kept in a protected form, such as an MD5 hash.
CMF, however (and by extension Plone), uses Base64 to store the password on your local machine. Base64 is not an encryption method at all, only an encoding that anyone can reverse without a key, so it offers no protection whatsoever.
What is Base64?
Base64 is a binary-to-text encoding scheme in which an arbitrary sequence of bytes is converted into a sequence of printable ASCII characters. Protocols such as POP3 and SMTP use it to transfer binary data like pictures as readable text, so it should be clear why it is unsuitable for protecting data that must not, under any circumstances, be read by people you don't trust: decoding it is a one-line operation.
I've never seen anything like that before, why should I care?
Well, whenever you leave your laptop or PC unattended (which happens more often than you might think), anyone can open your browser's cookie settings, find the cookie for a Plone host that holds sensitive data and copy the Base64-encoded value shown there. With a Base64 decoder it is no problem for that person to recover your password in clear text and log in to the site from his own machine afterwards.
How can I secure my Plone site?
It's easy. Download SessionCrumbler, put it into your Products folder and restart Zope. Then use the ZMI to create a new SessionCrumbler object with the ID "session_authentification" in your Plone portal. Make sure to delete the object called "cookie_authentification" if there is one. Now restart your browser and log in again. Check your cookies: there is no Base64 any more, because Zope now stores your data in REQUEST.SESSION instead.
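To make the "check your cookies" step repeatable, here is an added example (my own code, not part of the page or of SessionCrumbler) that classifies cookie values: it flags any value that is merely Base64 of a "user:password" pair and treats everything else as opaque. The cookie names "__ac" (CookieCrumbler's default) and "_ZopeId" (Zope's session browser id) and the cookie format are assumptions; the sample cookie values are constructed.

```python
import base64
import binascii
import string
from urllib.parse import quote, unquote

# Default cookie name used by CMF's CookieCrumbler (assumed; not named on the page).
CREDENTIAL_COOKIE = "__ac"
# Default cookie name of Zope's browser-id manager backing REQUEST.SESSION (assumed).
SESSION_COOKIE = "_ZopeId"

# Printable ASCII without the whitespace control characters.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def classify_cookie_value(value):
    """Return ("base64_credentials", user) if the cookie body is plain Base64
    of the form "user:password", otherwise ("opaque", None).  Only the user
    name is reported; the password is never echoed back."""
    try:
        raw = base64.b64decode(unquote(value), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ("opaque", None)  # not Base64, or Base64 of non-text bytes
    if ":" not in text or not set(text) <= PRINTABLE:
        return ("opaque", None)
    return ("base64_credentials", text.split(":", 1)[0])


def audit_cookies(cookies):
    """Classify every cookie in a {name: value} jar, whatever the name,
    so a renamed credential cookie is still caught."""
    return {name: classify_cookie_value(v) for name, v in cookies.items()}


def legacy_cookie_value(user, password):
    """Constructed reproduction of the pre-fix cookie the page describes:
    Base64 of "user:password", URL-quoted for the Cookie header (assumed)."""
    token = base64.b64encode(f"{user}:{password}".encode("ascii")).decode("ascii")
    return quote(token)


# Constructed samples: a browser before the fix and one after SessionCrumbler.
BEFORE_FIX = {CREDENTIAL_COOKIE: legacy_cookie_value("alice", "s3cret!pw")}
AFTER_FIX = {SESSION_COOKIE: "7f3a9c2e1d4b6a8f0e5c3b7d9a1f2e4c"}

if __name__ == "__main__":
    for label, jar in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        for name, (kind, user) in audit_cookies(jar).items():
            print(f"{label}: {name} -> {kind}" + (f" (user {user!r})" if user else ""))
```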