Title: Lotus Notes R5 clients - no warning for broken signature or encryption
Released by: Vinci Chou
Date: 7th November 2000

AFFECTED VERSIONS

All R5 client versions up to the latest R5.0.5

PROBLEM DESCRIPTION

If you receive a clear-signed S/MIME e-mail with a broken signature,
e.g. the mail body is modified by a third party during transmission,
the Lotus Notes client does not warn you that the signature is broken.
The mail is displayed just like any unsigned e-mail.  If you receive an
encrypted S/MIME e-mail that is corrupted, the Lotus Notes client
displays a blank message.  Other Internet mail clients would display
warning messages in both cases.

I am not sure if this should be classified as a security vulnerability.
The warning is an indication that someone may be tampering with the
messages.  The lack of warning is also very misleading, especially in
places where digital signatures are recognised by law.

R5 has been on the market for about two years and I am rather
disappointed that these obvious problems are still there in the latest
R5.0.5.  I have mentioned these problems to local Lotus people five
months ago and formally notified Lotus US one month ago.  I have no
update from Lotus yet.

FIXES

Patch not available.
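
The broken-signature case described under PROBLEM DESCRIPTION can be reproduced for client testing with the OpenSSL command line. The script below is an added example, not part of the original advisory; the signer identity, file names and message text are constructed. It builds a clear-signed message and a copy with an altered body, then reports the signature status of each.

```shell
#!/bin/sh
# Added example: test fixtures for checking how a mail client reports a
# broken clear-signed S/MIME signature. All names and contents are constructed.

# Create a throwaway signer, a clear-signed message and a tampered copy in $1.
make_samples() {
    dir=$1
    # Self-signed test certificate; the subject is a constructed identity.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test Signer" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    printf 'Pay 100 to account 12345.\n' > "$dir/body.txt"
    # Without -nodetach, "smime -sign" emits multipart/signed (clear signing):
    # the body stays readable and the signature travels as a separate part.
    openssl smime -sign -text -in "$dir/body.txt" \
        -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/signed.eml" 2>/dev/null || return 1
    # Stand-in for modification in transit: one digit of the body changes.
    sed 's/Pay 100/Pay 900/' "$dir/signed.eml" > "$dir/tampered.eml"
}

# Print "valid" or "BROKEN" for the signature on the message in $1.
# -noverify skips certificate chain validation, so the result reflects only
# whether the signature still matches the body.
sig_status() {
    if openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null
    then echo valid
    else echo BROKEN
    fi
}

WORK=$(mktemp -d) && make_samples "$WORK" || exit 1
echo "signed.eml:   $(sig_status "$WORK/signed.eml")"
echo "tampered.eml: $(sig_status "$WORK/tampered.eml")"
```

Opening tampered.eml in the client under test shows whether it flags the broken signature or displays the mail as if it were unsigned.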







