Home page logo
/

bugtraq logo Bugtraq mailing list archives

Lotus Notes R5 clients - no warning for broken signature or encryption
From: Vinci Chou <captainbig () BIGFOOT COM>
Date: Wed, 8 Nov 2000 16:17:16 +0800

7 Nov 2000
Lotus Notes R5 clients - no warning for broken signature or encryption


AFFECTED VERSIONS

All R5 client versions up to the latest R5.0.5

PROBLEM DESCRIPTION

If you receive a clear signed S/MIME e-mail with a broken signature,
e.g. the mail body is modified by a third party during transmission,
Lotus Notes client does not warn you that the signature is broken.  The
mail is displayed just like any unsigned e-mail.  If you receive an
encrypted S/MIME e-mail that is corrupted, Lotus Notes client display a
blank message.  Other Internet mail clients would display warning
messages in both cases.

I am not sure if this should be classified as security vulnerability.
The warning is an indication that someone may be tampering with the
messages.  The lack of warning is also very misleading especially in
places where digital signature is recognised by law.

R5 has been on the market for about two years and I am rather
disappointed that these obvious problems are still there in the latest
R5.0.5.  I have mentioned these problems to local Lotus people five
months ago and formally notified Lotus US one month ago.  I have no
update from Lotus yet.

FIXES

Patch not available.


  By Date           By Thread  

Current thread:
  • Lotus Notes R5 clients - no warning for broken signature or encryption Vinci Chou (Nov 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault