lotus.notes.crypto.txt

17 Aug 1999 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

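A bug in the Lotus Notes Client (R4.5 and later) saves the sender's copy of encrypted email in unencrypted form when the Mail File path is misconfigured with forward slashes. Lotus recommends using backslashes in the Mail File field of the Location Document and selecting "Encrypt Saved Mail" in User Preferences.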

Code
`Date: Fri, 26 Mar 1999 21:25:10 GMT  
From: Kevin_Lynch/CAM/[email protected]  
To: [email protected]  
Subject: Re: Lotus Notes security advisory  
  
Security Advisory  
  
Application: Lotus Notes Client (R4.5 and Later)  
  
Summary:  
  
As reported March 23, 1999 by Martin Bartosch of Deutsche Bank AG, there is  
a bug in the Lotus Notes Client which causes encrypted email messages to be  
saved in the sender's mailbox in unencrypted form. The bug only occurs when  
the Notes client is misconfigured, but it is not an unlikely  
misconfiguration and it has few if any other symptoms. Until the problem is  
fixed in a future release of the software, users are encouraged to consider  
whether the problem is likely to affect them and if so check for the  
misconfiguration. To ensure that your email is saved in encrypted form,  
Lotus recommends using backslashes (\) as path separator in the Mail File  
field of the user's Location Document (in both Personal and Public Address  
Book) and by selecting "Encrypt Saved Mail" in User Preferences.  
  
Background:  
  
The Lotus Notes Client has a built in capability to digitally sign and  
encrypt mail that is sent to other Notes users. The sender can specify  
whether mail is to be signed and/or encrypted on a per-message basis, and  
can also specify whether mail should be signed and/or encrypted by default.  
In addition, a user can configure whether saved copies of sent messages  
should be stored encrypted in the user's own mail file.  
  
Part of a client configuration is a specification of a Domino mail server  
where a copy of the user's mail file resides and the name of the file on  
that server. The file name on the server may be a simple name or a  
hierarchical name reflecting the file structure on the server. The Domino  
mail server runs on a variety of platforms, and those platforms have  
different naming conventions for files and directories. For maximum  
consistency of user interfaces, Notes and Domino hold all file names (both  
internally and for display) following the Windows convention of using a  
backslash character (\) as a separator. Those names are translated to a  
platform specific separator when making calls to the native OS. In most  
cases, if a user or administrator erroneously enters a filename with  
forward slashes (/), Notes and Domino will do the appropriate translation  
and work correctly.  
  
The Bug:  
  
If in a client configuration, the user specifies the name of a mail file  
correctly except for using a forward slash instead of a backslash, it will  
commonly (but not always) be the case that mail that is sent encrypted will  
nevertheless have the user's own saved copy stored in unencrypted form. An  
important case where the bug does not occur is if the client is configured  
to encrypt all saved mail. The only way a user could notice that this has  
happened is by some statements that are missing from the status bar as the  
message is being sent or when a saved message is read. When the message is  
saved in encrypted form, the status bar will display "Encrypted document  
with your public key", and when it is subsequently opened, it will display  
"Decrypting document...".  
  
The Exposure:  
  
If a mail message is sent encrypted but saved unencrypted, the message is  
still protected in transit to the recipient and in stored form on the  
recipient's system. The sender's saved copy, however, could be obtained  
either by someone who can eavesdrop on the connection between the sender's  
workstation and mail server or by someone who can gain privileged access to  
the sender's mail server. A common reason to encrypt saved mail is to  
protect it from being accessed by the mail server's authorized  
administrators.  
  
Recommendation:  
  
This problem will only affect sites where mail encryption is used  
occasionally but not routinely. If the sender encrypts all saved mail (see  
setting in User Preferences above), the problem does not occur. If the  
sender never encrypts mail, the problem will never come up. At such sites,  
it would be prudent to check the client configurations to make sure the  
mail file name is specified with backslashes. End users do not normally set  
this configuration item; it is inherited during installation from an  
administrator set value stored in the public directory. If the value was  
created programmatically by Notes, it will be correct. Unless some of these  
values were set manually and incorrectly by administrators, it may not be  
worthwhile to alert end users. The problem is more likely to occur at sites  
where the administrators and/or end users frequently use systems where the  
file name convention includes forward slashes.  
  
_________________________  
Kevin Lynch, Product Manager  
Lotus Development Corporation  
email: [email protected]  
  
`
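
The configuration check the advisory recommends, as an added example that is not part of the original advisory and is not Lotus code: it classifies Location document settings by the two conditions the advisory names (forward slashes in the Mail File path, and whether all saved mail is encrypted). The CSV export format and its column names are assumptions made for this example, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample: a hypothetical CSV export of Location documents.
# The column names are assumptions for this example, not Notes item names.
SAMPLE_EXPORT = """user,location,mail_file,encrypt_saved_mail
alice,Office,mail\\alice.nsf,no
bob,Office,mail/bob.nsf,no
carol,Home,mail/eu/carol.nsf,yes
dave,Office,dave.nsf,no
"""

TRUE_VALUES = {"yes", "true", "1"}


def audit_locations(export_text):
    """Classify each exported Location document against the advisory."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        path = row["mail_file"].strip()
        encrypts_all = row["encrypt_saved_mail"].strip().lower() in TRUE_VALUES
        if "/" not in path:
            status = "ok"        # backslashes or a simple name: not affected
        elif encrypts_all:
            status = "fix-path"  # bug does not occur, but the path is still wrong
        else:
            status = "at-risk"   # saved copies of encrypted mail may be stored in clear
        findings.append({
            "user": row["user"],
            "location": row["location"],
            "status": status,
            # The advisory's fix: backslash as the only path separator.
            "suggested_mail_file": path.replace("/", "\\"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_locations(SAMPLE_EXPORT):
        print(f"{f['user']:6} {f['location']:7} {f['status']:9} {f['suggested_mail_file']}")
```

An "at-risk" result only matters for users who send encrypted mail occasionally, since the advisory states the bug occurs commonly but not always under this misconfiguration.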
