Friday, May 29, 2009

$KeepPrivate is worse in R8.5

It is well known that $KeepPrivate is easy to defeat. Remember that $KeepPrivate is just a field in the document: when it is set, a user who reads the document is not supposed to be able to "share" its content, so the Notes client will not let that user forward, print, copy the document or its content, or export it.

The internal implementation is pretty basic: the Notes client simply raises an error when the user tries one of the forbidden operations. The enforcement lives entirely in the client; nothing in the document itself prevents access to the content.

As you may know, you can write a simple agent that removes this field, after which any user can do whatever he or she wants with the document.

You can also simply take a screenshot (Print Screen).

You can also read the content through backend access (LotusScript, the Notes C API, COM classes, Java, ...), which ignores the flag entirely.
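As an added illustration (this is not code from the original post, nor IBM's), here is a LotusScript agent that runs over the documents selected in a view, reads the Body text of every document carrying $KeepPrivate through the backend classes, and optionally removes the flag as described above. The agent target ("Selected documents"), the item name "Body" and the STRIP_FLAG constant are assumptions made for the example.

```lotusscript
' Added example: shows that $KeepPrivate is enforced only by the Notes client UI.
' Backend classes read the content regardless of the flag, and the flag itself
' is an ordinary item that any agent with Editor access can remove.
' Assumptions (not from the original post): the agent runs on "Selected documents",
' and the protected content lives in a rich text item named "Body".
Const KEEP_PRIVATE = "$KeepPrivate"
Const STRIP_FLAG = False   ' set to True to also remove the flag, as the post describes

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim dc As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim body As NotesItem
    Dim rt As NotesRichTextItem

    Set db = session.CurrentDatabase
    Set dc = db.UnprocessedDocuments   ' the documents selected in the view
    Set doc = dc.GetFirstDocument

    While Not doc Is Nothing
        If doc.HasItem(KEEP_PRIVATE) Then
            ' Backend read: no client-side check is involved here.
            Set body = doc.GetFirstItem("Body")
            If Not body Is Nothing Then
                If body.Type = RICHTEXT Then
                    Set rt = body
                    Print "UNID " & doc.UniversalID & ": " & rt.GetFormattedText(False, 0)
                Else
                    Print "UNID " & doc.UniversalID & ": " & body.Text
                End If
            End If
            If STRIP_FLAG Then
                ' Removing the item drops the client-side restriction for every reader.
                Call doc.RemoveItem(KEEP_PRIVATE)
                Call doc.Save(True, False)
            End If
        End If
        Set doc = dc.GetNextDocument(doc)
    Wend
End Sub
```

Reader access to the documents is enough to print their content; Editor access is only needed for the STRIP_FLAG branch. The point is that none of this touches the client code that checks the flag, which is why the author's later proposal to move the enforcement (or encryption) into the backend is the only change that would actually close this path.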

But R8.5 adds a clear bug in the client itself, and you can do the following to extract information:
* Open the document that is supposed to be protected (e.g. Doc A)
* Select the content of this document
* Create another document (e.g. Doc B)
* Drag the selected content from Doc A to Doc B, and the content is copied!
You can drag the content into Word (Winword), for example...

So it seems the Notes client team missed this case.

My opinion is that $KeepPrivate should be reimplemented in a stronger way:
+ Attachments should only be viewable, and the content of the viewer should not be copyable. It makes no sense to protect the content of the document while leaving users free to open or save its attachments.
+ The drag issue described above should be fixed.
+ Print Screen should not be allowed. This is not an easy point, but it can be implemented with some tricks.
+ The internal implementation of $KeepPrivate should be quite similar to that of $UpdatedBy, i.e. the field should be maintained in the Notes backend (nnotes.dll). When a document is updated, the backend should restore $KeepPrivate to 1 if it was already set when the document was opened.
+ Does it make any sense to let the user select part of the document content at all when the document has $KeepPrivate set to 1?
+ To cover the case of external processes accessing the content, the content could be encrypted and decrypted only by the following modules:
* Notes client (since it needs to show the content)
* Updater task (for full-text indexing)
* HTTP task (so DWA can keep showing it)

My 2 cents on improving security in Notes.

1 comment:

  1. Have you posted this in the IBM Lotus forums?

    You should