Blog

Differences between Standard SSL and EV SSL

We were updating SSL certificates on IBM Domino servers and the question came up about the differences between EV SSL and Standard SSL. Outside of one costing more, I was not sure what the added benefits were to using an EV SSL certificate.

The reality is that a Standard SSL certificate and an EV SSL certificate offer the same technical level of protection: the key sizes and cipher suites used for the TLS session are negotiated between server and client and do not depend on the certificate type. What an EV (Extended Validation) certificate changes is the level of vetting the certificate authority performs before issuing it. That vetting is of the organization operating the website, not of the user: the CA verifies the legal existence and identity of the business and records that identity in the certificate's Subject.
That led me to try to figure out how the end user even knows whether a certificate is a Standard SSL or an EV SSL certificate. I had no clue, so I cannot imagine how an end user knows.
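Since the encryption is identical, the only place the difference is visible is in the certificate's Subject. As an added example (not from the original post), the following Python classifies a certificate as DV, OV or EV from the Subject attributes the CA/Browser Forum EV Guidelines require, using the nested-tuple shape that Python's `ssl.SSLSocket.getpeercert()` returns. The three sample certificates are constructed for illustration; the attribute names are the long names OpenSSL prints, and it is an assumption that `jurisdictionCountryName` is the label your build uses for the jurisdiction-of-incorporation country.

```python
"""Classify a TLS certificate as DV, OV or EV from its Subject attributes.

Added example, not from the original post. Input dicts use the shape of
ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a tuple of
(attribute, value) pairs. The sample certificates below are constructed.
"""

# Subject attributes the CA/Browser Forum EV Guidelines require on an EV
# certificate in addition to organizationName (which OV certificates also
# carry). Names follow OpenSSL's long names as Python's ssl module reports
# them (assumption: jurisdictionCountryName labels 1.3.6.1.4.1.311.60.2.1.3).
EV_REQUIRED_SUBJECT = frozenset({
    "organizationName",
    "businessCategory",          # e.g. "Private Organization"
    "serialNumber",              # registration number of the legal entity
    "jurisdictionCountryName",   # jurisdiction of incorporation
})


def subject_attrs(cert):
    """Flatten the nested subject tuples into an {attribute: value} dict."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs[name] = value
    return attrs


def classify(cert):
    """Return 'EV', 'OV' or 'DV' based solely on which Subject fields exist."""
    attrs = subject_attrs(cert)
    if EV_REQUIRED_SUBJECT.issubset(attrs):
        return "EV"
    if "organizationName" in attrs:
        return "OV"
    return "DV"


def displayed_identity(cert):
    """What a client UI can honestly show: the vetted legal name for EV,
    otherwise only the host name, because nothing else was verified."""
    attrs = subject_attrs(cert)
    if classify(cert) == "EV":
        return f"{attrs['organizationName']} [{attrs['jurisdictionCountryName']}]"
    return attrs.get("commonName")


# Constructed sample certificates (not real).
DV_CERT = {"subject": ((("commonName", "www.example.com"),),)}

OV_CERT = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.com"),),
)}

EV_CERT = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "1234567"),),
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.com"),),
)}

if __name__ == "__main__":
    for label, cert in (("DV", DV_CERT), ("OV", OV_CERT), ("EV", EV_CERT)):
        print(label, classify(cert), displayed_identity(cert))
```

This looks only at Subject fields. A complete check would also confirm that the certificatePolicies extension carries the CA/Browser Forum EV policy OID 2.23.140.1.1, which `getpeercert()` does not expose and which needs a real X.509 parser.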

    On Wednesday, April 25th, 2018   by Chris Miller        

Security Bulletin: Java Applets and JavaScript Inside HTML Emails

IBM has published a security bulletin: the IBM Notes mail client, versions 8.0 through 9.0, can receive HTML emails containing Java applet tags and JavaScript tags that load scripts from remote locations without any security prompt.
IBM has released fixes, patches and remediation steps to address the issue.

The fix is included in Interim Fix 1 for Notes 8.5.3 Fix Pack 4 and Interim Fix 1 for Notes 9.0 for Windows, with the Mac version to follow. For Linux, clients should monitor fix availability in 8.5.3 Fix Pack 5 and 9.0.1.
You can obtain these fixes from Fix Central.


Read more on SocialBizUG...
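The bulletin describes the dangerous content precisely enough to detect it on the mail path before a vulnerable client renders it. As an added example, not from IBM or the original post, the following Python scans an HTML message body for applet and script tags and reports which of them load code from a remote location. The sample bodies are constructed, and the attributes checked (src, code, codebase, archive) are the standard HTML attributes those two tags use to reference code.

```python
"""Flag HTML mail bodies carrying <applet> or <script> tags, and report any
remote location they load code from.

Added example, not from the original post or from IBM. The sample bodies
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE_TAGS = ("applet", "script")
# Attributes these tags use to reference code; a value with an http(s)
# scheme means code is fetched from a remote host when the mail is rendered.
CODE_ATTRS = ("src", "code", "codebase", "archive")
REMOTE_SCHEMES = ("http", "https")


class ActiveContentScanner(HTMLParser):
    """Record every applet/script tag and the remote URL it loads, if any."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (tag, remote_url_or_None)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:          # HTMLParser lower-cases tag names
            return
        attr_map = {name: value for name, value in attrs if value}
        remote = None
        for name in CODE_ATTRS:
            value = attr_map.get(name)
            if value and urlsplit(value.strip()).scheme.lower() in REMOTE_SCHEMES:
                remote = value.strip()
                break
        self.findings.append((tag, remote))


def scan_html_mail(body):
    """Return [(tag, remote_url_or_None), ...] for every applet/script tag."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def remote_code_urls(body):
    """URLs the message would pull code from; useful as indicators to log."""
    return [remote for _, remote in scan_html_mail(body) if remote is not None]


def should_block(body):
    """Policy: active content has no place in mail, remote or inline."""
    return bool(scan_html_mail(body))


# Constructed sample messages.
BENIGN_BODY = "<html><body><p>Quarterly report attached.</p></body></html>"
INLINE_SCRIPT_BODY = "<html><body><script>alert(1)</script></body></html>"
REMOTE_BODY = (
    '<html><body>'
    '<script src="http://mail-tracker.example/t.js"></script>'
    '<applet codebase="http://mail-tracker.example/" code="Loader.class">'
    '</applet></body></html>'
)

if __name__ == "__main__":
    for body in (BENIGN_BODY, INLINE_SCRIPT_BODY, REMOTE_BODY):
        print(should_block(body), scan_html_mail(body))
```

Blocking on the presence of the tag, rather than only on a remote URL, is deliberate: an inline script is no safer than a remote one once the client executes it, and the remote URL list is kept separately as something worth logging.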

    On Thursday, December 12th, 2013   by Chris Miller        

Domino Security Vulnerability pre 8.5.2 FP4

The National Vulnerability Database has published an entry dated December 27, 2011 covering Domino 8.x servers that have not applied Fix Pack 4 (FP4) for Domino 8.5.2.
Overview

Unspecified vulnerability in the authentication functionality in the server in IBM Lotus Domino 8.x before 8.5.2 FP4 allows remote attackers to cause a denial of service (daemon crash) via a crafted Notes RPC packet.

IBM's response is technote #1575247, which directs you to upgrade to Domino 8.5.3 or apply FP4 to 8.5.2; all earlier 8.x versions are affected.


    On Tuesday, January 3rd, 2012   by Chris Miller        

Postini spam graph from Jan 2006 to Jul 2007

[Graph: spam size vs. spam blocked; weekly data, normalized to January 1, 2006 = 1.00]
Spam Update

In 2006, spam size increased at a dramatic rate caused by an increase in image spam. By February of 2007, spam size peaked at over 400% of what it had been in January of 2006. After the February 2007 peak, a decline in image spam caused a decline in the spam size growth. However, the summer has reversed that trend with an increase of spam with PDF and XLS attachments. During the three days between August 6-8, 2007, we experienced another upsurge in total spam size, up 67% (at the peak of the three-day period) from August 1. This was primarily due to a massive pump-and-dump scam that used a PDF file attachment.


Viruses also increased, with the largest outbreak in over two years occurring in August 2007.

    On Monday, September 17th, 2007   by Chris Miller        

Interesting Notes 8 ACL issue we encountered

Sean Burgess and I are working on a top secret project together (OK, that is strong, but it will be fun), and we created a new blank Domino database. I created it with a Notes 8 Standard client on a Domino 8 server. He accessed the server with a Notes 8 Designer client. Now the weird part.

I couldn't remember, and didn't bother checking, what hierarchical name he used in his ID, so I simply entered Sean Burgess as Unspecified into the ACL. He could not get into the database. I changed it to type Person and added his O certifier, and he got in fine. Wondering what gives here, as this might have other implications for us in multi-tenant cross-certified environments.

    On Friday, September 14th, 2007   by Chris Miller        

A Sametime cross site scripting vulnerability posted

From reading the web advisory and then the IBM technote, it appears to affect all versions of Sametime, including 7.5.1, with a hotfix available for all versions. Future updates and fixes will contain the fix also.
Problem: In very specific scenarios, there is a possibility that a Sametime® server could be exploited by a cross-site scripting vulnerability. Solution: In a specific instance, it was found that a precisely crafted Sametime meeting could potentially contain text that would expose a cross-site scripting vulnerability.

This can be addressed in Sametime 7.5.1 by applying an available hotfix. All future releases will contain this fix within the shipping version. Additionally, the same issue was not seen using the EMS server.



    On Wednesday, August 1st, 2007   by Chris Miller        

Real-Time Collaboration and Mobility Seminar - Chicago Day 1 final

After presenting the session on the RTC Gateway, the response was stunned looks. Enterprises represented still have concerns over the business case that would have them opening and connecting to public providers. Security is always a concern, and that issue was raised, as there are no known (to me) message handler writers currently for SPIM and antivirus that are ready for the gateway. The ability to have your corporate name shown to other enterprises through the clearinghouse and to the public side opens the need for an IM policy to be written to cover what should be transferred and how you represent yourself. You can restrict who can access which channel (provider), but the actions of that person now directly reflect on your organization. No more hiding behind screen names.

I have more to say on this topic but I am thinking of a series or podcast.  Any takers on comments/interview of your thoughts in a podcast?

Dinner the first night was Wildfire, a pretty good local chain.  Apparently they are expanding to other cities like Atlanta shortly.  Besides the snowshowers that hit tonight, dinner was split among people trying to go to different places.  We ended up at Momotaro, a Japanese restaurant for some sushi.

    On Monday, October 23rd, 2006   by Chris Miller        

Messaging News: The Urgent Need to Implement Authenticated Email

This was in the January/February 2006 issue, which you can get in PDF here. I thought this would be a rather large article to read, not the total of one page that it filled, around a half-page shadow picture and an ad for a conference (wow, I just noticed it was the same conference the author is chairman of). The following is an excerpt from the article by Craig Spiezle. Now, Craig did nothing but put out the numbers and stats, in my reading of it. I should note that his title is Director, Microsoft Technology Care and Safety, and also Chair of the emailauthentication.org board.
What's New in Email Authentication?
Over the past 18 months, authenticated mail has evolved significantly from concept to implementation, with two complementary approaches: the Sender ID Framework (SIDF) and DomainKeys Identified Mail (DKIM).  SIDF is an Internet Protocol (IP)-based solution that was developed from the merger of the Sender Policy Framework (SPF) and Microsoft Caller ID for Email.  DKIM is the merger of Yahoo! DomainKeys and Cisco's Identified Internet Mail (IIM) specifications.


There is more rant to read on this below ... a search on Google for SIDF turned up some fun.

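Both approaches in the excerpt check a message against data the domain owner publishes in DNS; the "IP-based" one works by listing, in a TXT record, which IP ranges may send mail for the domain. As an added example that is not part of the original post or of the Messaging News article, the following Python evaluates an SPF record of that form (v=spf1 with ip4/ip6 mechanisms and a final all) against a sending IP. The records and addresses are constructed, DNS is replaced by an in-memory dictionary, and mechanisms that would themselves need DNS lookups (include, a, mx, exists, redirect) are deliberately rejected rather than guessed.

```python
"""Evaluate an SPF (v=spf1) record against a sending IP address.

Added example, not from the original post or the Messaging News article.
Only ip4/ip6/all mechanisms are implemented; DNS is replaced by a
constructed dictionary so the example runs offline.
"""
import ipaddress

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for one record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                   # mechanisms default to "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # ip_network.__contains__ is False across address families, so an
            # ip4 term never matches an IPv6 sender and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            # include/a/mx/exists/redirect need DNS; refuse rather than guess.
            raise ValueError(f"mechanism not supported offline: {mech}")
    return "neutral"                      # nothing matched and no 'all' term


def check_sender(mail_from, client_ip, txt_records):
    """Look up the MAIL FROM domain's SPF record and evaluate it.

    txt_records stands in for a DNS TXT lookup (constructed for the example).
    """
    domain = mail_from.rpartition("@")[2].lower()
    record = txt_records.get(domain)
    if record is None:
        return "none"
    return evaluate_spf(record, client_ip)


# Constructed zone data; addresses are documentation ranges (RFC 5737/3849).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}

if __name__ == "__main__":
    print(check_sender("alice@example.com", "192.0.2.25", TXT_RECORDS))   # pass
    print(check_sender("alice@example.com", "203.0.113.9", TXT_RECORDS))  # fail
    print(check_sender("bob@example.org", "203.0.113.9", TXT_RECORDS))    # softfail
```

Sender ID consumes the same kind of record but, in its default mode, evaluates it against the Purported Responsible Address taken from the message headers rather than against the SMTP MAIL FROM identity used here; that choice of identity, not the record syntax, is where the two diverge.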

    On Monday, February 27th, 2006   by Chris Miller        

I was following Tom Duff’s post (and comments) on a Ray Ozzie post for other reasons

Instead of linking to Ray I will just link to Tom here.  But I did grab this topic I wanted to cover from the exact posting Tom was talking about.
Notes had just about the simplest possible replication mechanism imaginable.  After all, we built it at Iris in 1985 for use on a 6Mhz 286-based IBM PC/AT with incredibly slow-seeking 20MB drives.  We were struggling with LIM EMS trying to make effective use of more than 1MB of memory.  Everything about the design was about implementation simplicity and efficiency.

Besides understanding what Tom was saying about not being able to actively comment back since he is saying he has discussions (which I personally take to mean with MS people as I grabbed maybe 6 or 7 links and saw no responses from Ray), I did find the idea intriguing.

One trackback posting made a quite simple and decent comparison of the previous Pull technologies of RSS with the proposed Pull Pull of SSE.  But the initial spec has nothing noted about security or master sources yet.  But, my thought here is that it will grow into that with Ray having input and his above statement about Notes.  With the moves into XML throughout Microsoft products, enabling SSE ability is the first move into having replication in their technologies over another standard.  Instead of the proprietary Domino replication abilities.  The security and authorization has a long way to go yet, have no fear.

If we take this like school, Ray is trying to develop a new learning program on new standards and Lotus has had an established college for 20 years that has grown around some very basic roots of security, portability and simplified scalability.

The point of this posting is not how Lotus does the replication, but the far-reaching capabilities it has after years of growth and enhancements. Then Ray floats an idea to base some Microsoft work on emerging specs, and the slower flocks will follow far too soon. Take that last part and let it marinate some.

    On Tuesday, November 29th, 2005   by Chris Miller