Vulnerability Development mailing list archives

Re: Notes Domino Server Platform for e-commerce?


From: BlueBoar () THIEVCO COM (Blue Boar)
Date: Wed, 9 Feb 2000 19:34:35 -0800


Derek Reynolds wrote:

Hello Marc,

Notes has been out much longer than Apache.  It's got at least 10
years on it. There have been 0 password issues to
date.  I can list at least 20 issues with Apache in the last year but
can't think of 2 for Domino.

As my statement stands, I would deem Domino/Notes as secure.


To paraphrase Darth Vader:

I find your faith ... disturbing.

To answer a few specifics:  Notes/Domino has had a web component for like
2 or 3 years, not 10.  Don't know exactly how long Apache has been around,
but I believe it's a little longer.  I agree that code review is one of
the bigger factors for how secure something should be considered.  We don't
know how much Notes has had, it's not published.

In any case, I don't think the original poster indicated whether or not
he wanted to use the web publishing piece.

Another indicator for how secure something might be is past bugs:

http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-8&msg=7735C09B3FF.AAA5E91 () smtp03 wxs nl
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=Pine.LNX.4.10.9908240957250.8661-100000 () omg clipper net
http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-1&msg=Pine.SUN.4.01.9808051035120.8118-100000 () dfw nationwide net
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-22&msg=000a01bf4c57$fec98a70$6d49cfc3 () ewareness be

Well, you get the idea.. securityfocus.com lists about 500 matches in
Bugtraq for Lotus Notes, though it looks like 3 copies of each message
show up in the search, so divide by 3 I guess.

The vulnerability database there shows 4 items.  I think it only goes back
so far.  Note that they're somewhat serious bugs, and recent.

These things would *seem* to indicate that IBM/Lotus is still stuck in
the wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive
auditing.

In addition, Notes (the whole collection of things called Notes) is
pretty large and complex, and includes its own databases and access-lists.
This does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.
In addition, there's lots of room for misconfiguration.

For example, at a previous employer, the Notes admins had published
the .id files for users.  By their thinking, since no one had the
passwords, they were no good.  I pointed out that they only had
6 character (upper and lower alpha) passwords, or about 35 bits
worth of difficulty.  Once you have an .id file that you have the password
for, it can't be revoked.  You have to kill that account entirely.  They
quit publishing the .id files.

Ever wonder how Notes got 64-bit encryption allowed out of the US way
back when?  They took 24 of the bits, and encrypted them with an
NSA public key.  That meant the NSA could recover 24 bits any time
they liked, and would only have to brute 40.  So, the NSA arranged
for Notes export permission.  I have no idea what other kind of caving
in the Notes developers did for the NSA.

In short, I think calling Notes "secure" as a blanket statement is
at best generous.

                                                BB
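The two figures in the message above, the roughly 35 bits of work behind a 6-letter .id password and the 40 bits left to a party holding the escrowed 24 bits of a 64-bit key, carried through as an added example (not code from the original message or from Lotus); the character-class table and the guess rate are assumptions made for illustration.

```python
import math

# Character-class sizes used to model a password policy (constructed for this example).
CHARSET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": 32,
}


def password_space_bits(classes, length):
    """Bits of work to exhaust every password of `length` drawn from `classes`.

    This is log2(alphabet ** length). It assumes passwords are chosen uniformly,
    so it is an upper bound on what human-chosen passwords actually offer.
    """
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def escrowed_key_bits(key_bits, escrowed_bits):
    """Effective key strength against a party who can recover the escrowed bits.

    Models the scheme the message describes: part of the key is encrypted to a
    third party's public key. Everyone else still faces the full key length;
    the escrow holder decrypts its share and searches only the remainder.
    """
    if not 0 <= escrowed_bits <= key_bits:
        raise ValueError("escrowed bits must lie within the key length")
    return key_bits - escrowed_bits


def seconds_to_exhaust(bits, guesses_per_second):
    """Wall-clock seconds to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    id_pw = password_space_bits(("lower", "upper"), 6)
    print(f".id password, 6 mixed-case letters: {id_pw:.1f} bits")
    hours = seconds_to_exhaust(id_pw, 1e6) / 3600  # assumed 1e6 guesses/s
    print(f"  full search at 1e6 guesses/s: {hours:.1f} h")
    print(f"64-bit export key vs escrow holder: {escrowed_key_bits(64, 24)} bits")
    print(f"64-bit export key vs everyone else: {escrowed_key_bits(64, 0)} bits")
```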

