Over the last few weeks the news hit about the POODLE attack and the withdrawal of SHA-1 as an acceptable hash algorithm by Google Chrome. This in turn has prompted IBM to update the security stack in IBM Domino for all web protocols, including HTTP, LDAP and SMTP. While this is VERY good news, and it will be very welcome that we no longer have to resort to fronting IBM Domino with IBM HTTP Server or Apache to get adequate TLS protocol support, I find the whole situation a bit sad. In full disclosure I have to say that I get most of my security updates these days from the Security Now! podcast on the TWIT network, and the discussion of both POODLE and the SHA-1 debacle has opened my eyes. The sad part about these updates to IBM Domino is that it has taken a theoretical attack on SSL v. 3 (POODLE) and a premature hash algorithm withdrawal by a single browser vendor (SHA-1 and Google) to have IBM update the stack. To be fair, Microsoft is also removing SHA-1 support from the security stack in their OSes, but from 2017, giving customers ample time to fix it.
In other words if these attacks hadn’t come out IBM would have left IBM Domino customers with ancient protocols and keystore formats – remember it takes Windows XP to run an iKeyman old enough to edit the .key files used in Domino.
Besides being good marketing and blowing some life into the dying embers of IBM Domino, it’s almost a sad move when it’s done so late. And then IBM doesn’t even take it seriously enough to go all the way. Instead they outline their “plan to deliver SHA-2 support for Domino 9.x” and promise a fix to bring TLS 1.0 to IBM Domino. Version 1.0 – seriously?! TLS is in version 1.2 at present and the draft for v. 1.3 is out. Now I know that implementing TLS for SMTP is much different from doing so for HTTP, but security cannot be done half-heartedly, so if you want to make it a priority, do that. Do not stop short and plug a hole by not going all the way. In all honesty I would rather have IBM discontinue SSL/TLS altogether on Domino than do this. I know it’s sad but it’s how I feel about it right now.
For a very nice discussion of the POODLE attack, and why it’s a theoretical attack, do listen to Security Now! episode 478 from 33:22 minutes in.
There is some truth in what you say for sure. As a customer now, it does give me pause when I see that support for current security protocols is not a top priority.
I actually don’t think that you should be running an app server of any kind without a security device in front of it but it seems like IBM used to be really out front in supporting up and coming technologies but this situation sends the wrong message. If you can’t commit to keeping your product secure and current, then what am I to assume about the future viability of that product?
Right. And this is exactly the reason why I’m reacting the way that I am. I would love for Domino to be a viable appdev platform because it IS an excellent platform but if keeping it secure means fronting it with additional servers it may be too difficult for some customers plus it adds to the overall complexity.
I agree with almost anything you state here. IBM should have done this years ago. Also I want to emphasize that IBM really could and should and MUST do better. A lot better, like, way better, like as-good-as-can-be better.
This is security. You are not supposed to mess with these things. Customers will sharpen their sticks and light their torches when you do and fail. And they are right to do so.