[9992] in bugtraq


Lotus Notes Encryption Bug

daemon@ATHENA.MIT.EDU (Martin Bartosch)
Fri Mar 26 16:22:20 1999

Date: 	Fri, 26 Mar 1999 10:24:06 +0100
Reply-To: Martin Bartosch <bartosch@MAIL.DEUBA.COM>
From: Martin Bartosch <bartosch@MAIL.DEUBA.COM>
To: BUGTRAQ@NETSPACE.ORG

IAKOVLEV@FR.IBM.COM wrote:

>  Do you want to say that if you use only the backslashes in the path to
> the mailbox (ex. mail\path\to\user.nsf) and DO NOT check the "Encrypt
> saved mail" box, the saved mail will still be encrypted?

Yes - if the product functions correctly AND if you select "encrypt mail"
in the mail options while composing the new mail note. As far as I can
verify this, the saved mail stored in the "Sent mail" folder is encrypted
when these conditions are met - even if "encrypt saved mail" and "encrypt
sent mail" are NOT checked.

>  It is reasonable to expect that if you do not check the "Encrypt saved
> mail" box, the respective message is stored in clear in the mail
> database, and as such is recoverable via sniffing the network traffic,
> be it the initial mail copy storing on the remote server, or any
> replication (via the network) of the database, unless you encrypt the
> network traffic, by checking the respective box in the File -> Tools ->
> User Preferences ->Ports menu.

I disagree: when a user composes a mail and specifically requests
encryption for this mail she has good reason to believe that the product
will not pass any clear text of this message over the wire or store plain
text on external systems - regardless of any global settings elsewhere.

In my opinion it is reasonable to expect that if I request encryption by
*any* means within the client, I do not want the clear text to leak out.
And I wish to be told about any problems if my software cannot perform
this action properly for some reason.

In addition I do not think that the "encrypt network traffic" option does
help a lot - the message is still stored on the server in the plain.


Regards,

Martin

--
Martin Bartosch                                       bartosch@mail.deuba.com

This message and any statements expressed therein are those of myself
and not of the Deutsche Bank AG or its subsidiary companies.
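The fail-closed rule argued for above (a request to encrypt made by any means must win, and the client must report failure rather than quietly store clear text) as an added illustration; this is not Lotus Notes code and the option names, the `encrypt` callable and the toy cipher are constructed stand-ins:

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of the three settings discussed in the thread: the
# per-message "Encrypt mail" choice made while composing, plus the global
# "Encrypt saved mail" / "Encrypt sent mail" user preferences.
@dataclass(frozen=True)
class MailOptions:
    encrypt_this_mail: bool = False    # chosen in the compose window
    encrypt_saved_mail: bool = False   # global preference
    encrypt_sent_mail: bool = False    # global preference

class EncryptionUnavailable(Exception):
    """Raised instead of silently storing plaintext when encryption was asked for."""

def encryption_required(opts: MailOptions) -> bool:
    # Any one request is enough; no global setting can switch it back off.
    return opts.encrypt_this_mail or opts.encrypt_saved_mail or opts.encrypt_sent_mail

def store_sent_copy(body: str, opts: MailOptions,
                    encrypt: Callable[[str], Optional[bytes]]) -> bytes:
    """Return the bytes that would go into the 'Sent mail' folder.

    `encrypt` is a hypothetical client routine returning ciphertext, or None
    when it cannot encrypt (e.g. no recipient key). On None we refuse to
    store anything rather than fall back to clear text on the server."""
    if not encryption_required(opts):
        return body.encode()
    ciphertext = encrypt(body)
    if ciphertext is None:
        raise EncryptionUnavailable("encryption requested but unavailable; not storing plaintext")
    return ciphertext

def save_outcome(body: str, opts: MailOptions,
                 encrypt: Callable[[str], Optional[bytes]]) -> str:
    """Summarise what happened: 'plaintext', 'encrypted' or 'refused'."""
    try:
        stored = store_sent_copy(body, opts, encrypt)
    except EncryptionUnavailable:
        return "refused"
    return "plaintext" if stored == body.encode() else "encrypted"

# Toy stand-in for the client's real cipher (constructed; NOT a real cipher).
def toy_encrypt(body: str) -> bytes:
    return b"ENC:" + bytes(b ^ 0x5A for b in body.encode())

def broken_encrypt(body: str) -> Optional[bytes]:
    return None  # simulates a client that cannot encrypt right now
```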
