Vulnerability Development mailing list archives

Re: Notes Domino Server Platform for e-commerce?


From: derek () INFINET COM (Derek Reynolds)
Date: Wed, 9 Feb 2000 22:50:44 -0500


Hello Blue,

Again, it all comes down to the person securing the Domino server.

--
Best regards,
 Derek                            mailto:derek () infinet com

Wednesday, February 09, 2000, 10:34:35 PM, you wrote:
BB> Derek Reynolds wrote:

Hello Marc,

Notes has been out much longer than Apache.  It's got at least 10
years on it. There have been 0 password issues to
date.  I can list at least 20 issues with Apache in the last year but
can't think of 2 for Domino.

As my statement stands, I would deem Domino/Notes secure.


BB> To paraphrase Darth Vader:

BB> I find your faith ... disturbing.

BB> To answer a few specifics:  Notes/Domino has had a web component for like
BB> 2 or 3 years, not 10.  Don't know exactly how long Apache has been around,
BB> but I believe it's a little longer.  I agree that code review is one of
BB> the bigger factors for how secure something should be considered.  We don't
BB> know how much Notes has had, it's not published.

BB> In any case, i don't think the original poster indicated whether or not
BB> he wanted to use the web publishing piece.

BB> Another indicator for how secure something might be is past bugs:

BB> 7735C09B3FF.AAA5E91 () smtp03 wxs 
nl">http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-8&msg=7735C09B3FF.AAA5E91 () smtp03 wxs 
nl</A>
BB> Pine.LNX.4.10.9908240957250.8661-100000 () omg clipper 
net">http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=Pine.LNX.4.10.9908240957250.8661-100000
 () omg clipper net</A>
BB> Pine.SUN.4.01.9808051035120.8118-100000 () dfw nationwide 
net">http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-1&msg=Pine.SUN.4.01.9808051035120.8118-100000
 () dfw nationwide net</A>
BB> 6d49cfc3 () ewareness 
be">http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-22&msg=000a01bf4c57$fec98a70$6d49cfc3 () 
ewareness be</A>

BB> Well, you get the idea.. securityfocus.com lists about 500 matches in
BB> Bugtraq for Lotus Notes, though it looks like 3 copies of each message
BB> show up in the search, so divide by 3 I guess.

BB> The vulnerability database there shows 4 items.  I think it only goes back
BB> so far.  Note that they're somewhat serious bugs, and recent.

BB> These things would *seem* to indicate that IBM/Lotus is still stuck in
BB> the wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive
BB> auditing.

BB> In addition, Notes (the whole collection of things called Notes) is
BB> pretty large and complex, and includes its own databases and access-lists.
BB> This does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.
BB> In addition, there's lots of room for misconfiguration.

BB> For example, at a previous employer, the Notes admins had published
BB> the .id files for users.  By their thinking, since no one had the
BB> passwords, they were no good.  I pointed out that they only had
BB> 6 character (upper and lower alpha) passwords, or about 35 bits
BB> worth of difficulty.  Once you have an .id file that you have the password
BB> for, it can't be revoked.  You have to kill that account entirely.  They
BB> quit publishing the .id files.

BB> Ever wonder how Notes got 64-bit encryption allowed out of the US way
BB> back when?  They took 24 of the bits, and encrypted them with an
BB> NSA public key.  That meant the NSA could recover 24 bits any time
BB> they liked, and would only have to brute 40.  So, the NSA arranged
BB> for Notes export permission.  I have no idea what other kind of caving
BB> in the Notes developers did for the NSA.

BB> In short, I think calling Notes "secure" as a blanket statement is
BB> at best generous.

BB>                                                 BB
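The .id-file anecdote above is worth putting numbers on. The following is an added example, not code from the thread or from Lotus: it models a password-protected key file with a hypothetical format (an 8-byte salt, a cheap SHA-256 based keystream, and a known magic header that lets a guess be verified offline; the real Notes .id layout is not reproduced), then exhaustively guesses a short all-alphabetic password the way an attacker holding a published file would, and extrapolates the measured guess rate to the 52^6 space BB describes. Function names, the MAGIC marker and the sample password are all constructed for this illustration.

```python
"""Offline guessing against a published password-protected key file.

Added example; hypothetical file format, not Lotus Notes' real .id format.
Once the file is in the attacker's hands nothing rate-limits guesses, so the
only protection left is the size of the password space.
"""
import hashlib
import itertools
import math
import os
import string
import time

MAGIC = b"IDFILE01"          # constructed marker used to verify a guess offline
ALPHA = string.ascii_letters  # upper and lower alpha only, as in the post


def _keystream(password: str, salt: bytes, n: int) -> bytes:
    """Hypothetical, deliberately cheap KDF: sha256(salt || password) expanded
    by a counter. Cheap KDFs are exactly what makes offline guessing fast."""
    seed = hashlib.sha256(salt + password.encode()).digest()
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def make_id_file(password: str, private_key: bytes) -> bytes:
    """Wrap private key material under a password (constructed format)."""
    salt = os.urandom(8)
    plain = MAGIC + private_key
    ks = _keystream(password, salt, len(plain))
    return salt + bytes(a ^ b for a, b in zip(plain, ks))


def open_id_file(blob: bytes, password: str):
    """Return the private key if the password is right, else None."""
    salt, ct = blob[:8], blob[8:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(password, salt, len(ct))))
    if pt[: len(MAGIC)] != MAGIC:
        return None
    return pt[len(MAGIC):]


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of passwords of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def brute_force(blob: bytes, alphabet: str, length: int):
    """Exhaustively try every password of `length` over `alphabet`.
    Returns (password or None, guesses made, seconds elapsed)."""
    guesses = 0
    t0 = time.perf_counter()
    for tup in itertools.product(alphabet, repeat=length):
        guesses += 1
        cand = "".join(tup)
        if open_id_file(blob, cand) is not None:
            return cand, guesses, time.perf_counter() - t0
    return None, guesses, time.perf_counter() - t0


def projected_seconds(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Time to exhaust the whole space at a measured guess rate."""
    return alphabet_size ** length / guesses_per_sec


if __name__ == "__main__":
    # Constructed sample: a 3-character password so the exhaustive run is quick.
    blob = make_id_file("qZa", b"\x01\x02\x03constructed-private-key")
    pw, n, secs = brute_force(blob, ALPHA, 3)
    rate = n / max(secs, 1e-9)
    print(f"recovered {pw!r} after {n} guesses ({rate:,.0f} guesses/s)")
    print(f"6-char alpha: {keyspace_bits(52, 6):.1f} bits; "
          f"~{projected_seconds(52, 6, rate) / 3600:.1f} h to exhaust at this "
          f"single-core, pure-Python rate")
```

The 52^6 space is about 34.2 bits, which matches BB's "about 35 bits". The projection printed by the script is for unoptimised Python against a one-hash KDF; a native cracker on the same toy format would be orders of magnitude faster, and a stronger KDF only buys a constant factor. The fix BB's employer made, not distributing the files, removes the offline attack entirely, which no password policy of that length can do.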


