Vulnerability Development mailing list archives
Re: Notes Domino Server Platform for e-commerce?
From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Wed, 9 Feb 2000 19:34:35 -0800
Derek Reynolds wrote:
Hello Marc, Notes has been out much longer than Apache. It's got at least 10 years on it. There have been 0 password issues to date. I can list at least 20 issues with Apache in the last year but can't think of 2 for Domino. As my statement stands, I would deem Domino/Notes as secure.
To paraphrase Darth Vader: I find your faith ... disturbing. To answer a few specifics: Notes/Domino has had a web component for like 2 or 3 years, not 10. Don't know exactly how long Apache has been around, but I believe it's a little longer. I agree that code review is one of the bigger factors for how secure something should be considered. We don't know how much Notes has had, it's not published. In any case, I don't think the original poster indicated whether or not he wanted to use the web publishing piece. Another indicator for how secure something might be is past bugs:

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-8&msg=7735C09B3FF.AAA5E91 () smtp03 wxs nl
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=Pine.LNX.4.10.9908240957250.8661-100000 () omg clipper net
http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-1&msg=Pine.SUN.4.01.9808051035120.8118-100000 () dfw nationwide net
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-22&msg=000a01bf4c57$fec98a70$6d49cfc3 () ewareness be

Well, you get the idea.. securityfocus.com lists about 500 matches in Bugtraq for Lotus Notes, though it looks like 3 copies of each message show up in the search, so divide by 3 I guess. The vulnerability database there shows 4 items. I think it only goes back so far. Note that they're somewhat serious bugs, and recent. These things would *seem* to indicate that IBM/Lotus is still stuck in the wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive auditing. In addition, Notes (the whole collection of things called Notes) is pretty large and complex, and includes its own databases and access-lists.
This does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely. In addition, there's lots of room for misconfiguration. For example, at a previous employer, the Notes admins had published the .id files for users. By their thinking, since no one had the passwords, they were no good. I pointed out that they only had 6 character (upper and lower alpha) passwords, or about 35 bits worth of difficulty. Once you have an .id file that you have the password for, it can't be revoked. You have to kill that account entirely. They quit publishing the .id files.

Ever wonder how Notes got 64-bit encryption allowed out of the US way back when? They took 24 of the bits, and encrypted them with an NSA public key. That meant the NSA could recover 24 bits any time they liked, and would only have to brute 40. So, the NSA arranged for Notes export permission. I have no idea what other kind of caving in the Notes developers did for the NSA. In short, I think calling Notes "secure" as a blanket statement is at best generous.

BB