Vulnerability Development mailing list archives
Re: Notes Domino Server Platform for e-commerce?
From: rrpermeh () RCONNECT COM (Ryan R Permeh)
Date: Wed, 9 Feb 2000 21:25:30 -0600
Notes on IBM and Notes (PS: I personally don't care for Notes, but have had to deal with it periodically):

1. Domino Go server is horrible (personal opinion based mostly on performance, not security); the Notes database product isn't bad, for what it does.

2. If you are wondering about firewalling your Notes web server, realize that people will be attempting to attack via the web service, which by nature you want open. Use some type of Domino-aware IDS, which may or may not work for you (see all the work on avoiding IDS by rfp, a recent note on NTBugtraq by Greg Hoglund, and the classic work on why NIDS doesn't work that well: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection - http://www.nai.com/media/pdf/nai_labs/ids.pdf).

One other note: IBM is investing a lot of time and effort into Apache, and I believe that their WebSphere package runs on top of Apache (or a slightly modified version). It seems that their version of Apache is Apache + SSL, and coincidentally, Apache has had its share of vulnerabilities.

Another note: IBM does know crypto; they have an AES submission called MARS. This does not imply that this is what Lotus is using, but it does show that IBM does use public review in the crypto community. I am not certain what encryption schemes they use to hold their passwords locally, but as far as I know nobody external to Lotus has attempted to cryptanalyze their crypto, so as it stands, it is apparently untested (they recently signed a deal with RSA, announced at the recent Lotusphere; RSA uses correct public crypto review, etc.). I'd say evidence is pretty strong that the local password system on the Domino host is probably at least as vulnerable to attack as the Domino password system. Which can also usually be said to be true about Apache.

As I've said before, I am not a Domino/Notes/IBM backer, but I don't feel it is wise to place much of anything above Notes/Domino for what it does. It's a niche market, and as for e-commerce, if you don't mind investing millions in hardware to run it, go at it; it's not much worse than most of the other e-commerce platforms available in the security realm (as evidenced by CDUniverse, etc.).

Ryan Permeh

At 02:04 PM 02/09/2000 -0200, Marc Esipovich wrote:

> > To date I have seen 0 issues with password problems and Notes/Domino.
>
> Does it mean that there are 0 (zero) issues? I'm not so sure. Was that Domino server ever audited? Are there overflows hidden deep within? I'm sure there are. What you're saying is, you're just running Domino, sitting and waiting for someone to come up with exploits for it, way to go. Can you trust a software which you don't have sources to? Absolutely not.
>
> > The Notes password is stored in an ID file. For Inet use, the password is like I said, stored within a database which is encrypted in a field. (64bit International/128bit North American).
>
> What kind of algorithm are we talking about here? Size doesn't *always* matter ;)
>
> > If you want a more robust web server, try WebSphere. IBM's HTTPD. A great 'E-Commerce' webserver with tons going for it. Check it out.
>
> No, if you want a more robust webserver, try apache. I'm *positive* it was audited far more than any webserver on the planet, WebSphere included. Doesn't apache have *tons* going for it too? Think about it. If you absolutely *must* have a commercial webserver (I see no reason), try Stronghold from C2Net.
>
> Marc Esipovich.
> ---
> root is only a few clicks away...