Google accelerates end of SHA-1 support - IBM’s letting its customers down
Craig Wiseman    

There's been a justifiable bit of a hullabaloo about security and IBM Domino (nee Lotus Domino).

The biggest point lately concerning Domino's shameful lack of general support for modern Web security has hinged on Domino's support for only the SHA-1 hash. What's sad about this is that "The first signs of weaknesses in SHA1 appeared (almost) ten years ago." (Qualys Blog). Ten years ago... back when IBM gave the appearance of caring about Domino's future.

Now Google has announced (bolding is mine):
The use of SHA-1 within TLS certificates is no longer sufficiently secure. This is an intent to phase them out (in 2-3 years). In order to make such a phase-out execute smoothly, rather than be an Internet flag day, we will be degrading the experience when these certificates are used in the wild.

Google's full proposal, "Intent to Deprecate: SHA-1 certificates"

ZDnet discussion, "Google accelerates end of SHA-1 support; certificate authorities nervous"

This apparently means that in Google Chrome, your "secure" Domino websites will get a user interface indicator that there's something wrong, or not up to snuff with your site.


Just to remind you, as of 09/11/2014, here's IBM's official stance on SHA-2 support (quoted from the technote on IBM's site):
Problem

When trying to import the root CA, with a key length of 4096 and SHA-256, the following error appears:

"Certificate signature does not match contents."

Is it possible to use a CA with a key length of 4096 and SHA-256 with Domino 8.x or 9.0.x?

Resolving the problem

No, Domino does not support SHA-2; only MD5, SHA-1, and DSA are currently supported. SPR # ABAI7SASE6 (APAR LO48388) has been submitted to Quality Engineering to request support for SHA-2 in future releases.
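Both the Chrome deprecation above and the IBM technote come down to one field of an X.509 certificate: the signature algorithm that a CA used to sign it. The script below is an added example, not part of the original post and not IBM or Google code. It walks just enough ASN.1 DER to reach the outer signatureAlgorithm of a certificate (PEM or DER), maps the OID to a name, and flags MD5 and SHA-1 signatures, so you can audit a served chain or a root you are about to import. The sample certificates it builds are constructed skeletons with the real outer layout (tbsCertificate, AlgorithmIdentifier, BIT STRING) and dummy contents; they are not real certificates.

```python
"""Report the signature algorithm of an X.509 certificate (PEM or DER).

Added example: a minimal DER walk to the Certificate's outer
signatureAlgorithm field, plus a builder for constructed sample
certificates used to exercise it.
"""
import base64
import re
import sys

# OID -> (name, weak?) for signature algorithms likely to appear in a chain.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10040.4.3": ("dsaWithSHA1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OID content bytes into dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(cert):
    """Strip PEM armor and base64-decode; pass DER bytes through unchanged."""
    if isinstance(cert, bytes) and not cert.lstrip().startswith(b"-----"):
        return cert
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()))


def to_pem(der):
    """Wrap DER bytes in PEM armor (used to exercise the PEM path)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def signature_algorithm(cert):
    """Return (oid, name, weak) for the certificate's outer signatureAlgorithm.

    weak is True for MD5/SHA-1 signatures, False for SHA-2 family, None if unknown.
    """
    der = pem_to_der(cert)
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _read_tlv(cert_body, 0)             # skip tbsCertificate
    tag, alg_body, _ = _read_tlv(cert_body, after_tbs)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_raw, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(oid_raw)
    name, weak = SIGNATURE_OIDS.get(oid, ("unknown", None))
    return oid, name, weak


# --- constructed sample certificates (skeletons, not real certificates) ---
def _der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid, tbs_size=300):
    """Certificate skeleton: dummy tbsCertificate, given signature OID, dummy signature."""
    tbs = _der(0x30, b"\x00" * tbs_size)                  # long-form length, like a real cert
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAA" * 64)              # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python sigalg.py server.pem intermediate.pem ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            oid, name, weak = signature_algorithm(f.read())
        verdict = "WEAK" if weak else ("ok" if weak is False else "review")
        print(f"{path}: {name} ({oid}) [{verdict}]")
```

Run it over every certificate a server sends (leaf and intermediates); the self-signature on a root in your trust store is not what browsers evaluate, so a SHA-1 root is a separate question from a SHA-1 leaf or intermediate. Note that the hash used to sign a certificate is independent of the key size, so the 4096-bit key in the technote is not the part Domino was rejecting.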


IMPORTANT: This SHA1 discussion is only a small piece of this issue.
Traditionally, Lotus, and then IBM, has been a good steward and has added new features and security to Domino as things evolved. Before v4.6, Domino didn't even have a web server (actually, it was called the Notes server before v4.6), and SMTP was originally a separate piece that hooked into the Notes server. LDAP, POP3, XML, RSS, etc. were all added and melded into the product over time. We need TLS 1.2+, DKIM, DMARC, etc.

Very simply and clearly, it's time for IBM to continue this process and add full TLS 1.3 support for all Domino services (HTTPS, SMTP, POP3, LDAP, IMAP, etc) on all platforms.

Otherwise, better hope Rose has some room on the plank for you.


[Image: Titanic hitting the iceberg]
---------------------
http://www.wiseman.la/web/cpwblog.nsf/dx/google-accelerates-end-of-sha-1-support-ibms-letting-its-customers-down.htm
Sep 11, 2014