incubator-ooo-issues mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 54274] Security : password of Redlining history can easily be removed
Date Wed, 11 Apr 2012 01:15:42 GMT
https://issues.apache.org/ooo/show_bug.cgi?id=54274

orcmid <orcmid@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CONFIRMED                   |RESOLVED
                 CC|                            |orcmid@apache.org
            Version|OOO 2.0 Beta2               |605
         Resolution|                            |WONTFIX

--- Comment #3 from orcmid <orcmid@apache.org> 2012-04-11 01:15:42 UTC ---
None of the ways of setting protections, including protecting against changing
the change-tracking settings and protecting a document as read-only, are
security provisions.

It is easy for the protection settings to be overcome by direct manipulation of
XML elements in the ODF package.  The protection can be removed, forged, and
moved onto other documents without knowing the password that is used.

I agree that users do need to know that these protections are not the same as
the strong, encryption-enforced protection that is achieved solely by the "Save
with Password" option when saving documents.

It would help were the interface arranged in such a way that the setting of
protections is not a document-security measure and the setting of protections
is more for prevention of accidents than any strong preservation of document
integrity.

If there is any way to prevent future vulnerabilities against the passwords
themselves (a genuine security issue) and to provide some security-enforced
protection of certain content and settings, that needs to be dealt with by new
approaches.  Other issues should be raised for that.

The ODF format and the use of password-digests as protection authenticators in
that format is not now amenable to any other approach.

-- 
Configure bugmail: https://issues.apache.org/ooo/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
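
An added example (not code from the bug report or from OpenOffice): a Python audit that tells apart the two cases Comment #3 distinguishes, a package encrypted by "Save with Password" versus one that only carries protection password digests in plain XML. It assumes the change-tracking digest is stored as the `RedlineProtectionKey` config item in settings.xml and that other protections use `*:protection-key` attributes; `audit_odf`, `build_sample` and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
CONFIG = "urn:oasis:names:tc:opendocument:xmlns:config:1.0"

def audit_odf(data: bytes) -> dict:
    """Classify an ODF package: really encrypted, or only protection digests."""
    # Assumes a trusted file; use a hardened XML parser for untrusted input.
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        manifest = ET.fromstring(pkg.read("META-INF/manifest.xml"))
        # "Save with Password" marks each encrypted part in the manifest.
        encrypted = sorted(
            entry.get(f"{{{MANIFEST}}}full-path", "")
            for entry in manifest.iter(f"{{{MANIFEST}}}file-entry")
            if entry.find(f"{{{MANIFEST}}}encryption-data") is not None)
        digests = []
        for part in ("content.xml", "settings.xml", "styles.xml"):
            if part not in names or part in encrypted:
                continue  # ciphertext cannot be parsed without the password
            for elem in ET.fromstring(pkg.read(part)).iter():
                # Section/sheet protection: a *:protection-key attribute.
                digests += [(part, a.split("}")[1]) for a, v in elem.attrib.items()
                            if a.endswith("}protection-key") and v]
                # Change-tracking protection (assumed item name, see lead-in).
                if (elem.tag == f"{{{CONFIG}}}config-item"
                        and elem.get(f"{{{CONFIG}}}name") == "RedlineProtectionKey"
                        and (elem.text or "").strip()):
                    digests.append((part, "RedlineProtectionKey"))
    return {"encrypted_parts": encrypted, "protection_digests": digests,
            "advisory_only": bool(digests) and not encrypted}

def build_sample(encrypt: bool) -> bytes:
    """Constructed minimal package; the digest is a placeholder value."""
    enc = "<m:encryption-data/>" if encrypt else ""
    manifest = (f'<m:manifest xmlns:m="{MANIFEST}"><m:file-entry '
                f'm:full-path="settings.xml">{enc}</m:file-entry></m:manifest>')
    settings = (f'<c:settings xmlns:c="{CONFIG}"><c:config-item '
                'c:name="RedlineProtectionKey" c:type="base64Binary">'
                'UExBQ0VIT0xERVI=</c:config-item></c:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/manifest.xml", manifest)
        z.writestr("settings.xml", b"<ciphertext>" if encrypt else settings)
    return buf.getvalue()
```

A result with `advisory_only` set means the document relies on protection settings alone and should not be treated as integrity-protected.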
