Hello SMiller,

Wednesday, July 2, 2003, 4:30:01 PM, you wrote:

Suc> For my money, it is difficult to separate IE and Windows, at
Suc> least for current versions.

This is the joy of the way Microsoft designs its software - for the convenience of developers rather than the security of users. However, that's just my personal opinion, and I'll say no more on it as the mailserver would most likely die under the pressure any rant on this topic would place on it! ;-)

Suc> Also, if Outlook is near the top of the list, doesn't Exchange
Suc> demand to be present?

I really shouldn't be saying what I'm about to say. I'm a Principal Lotus Certified Professional for Lotus Domino R4.6 and R5, and I'm recertifying at the moment. I'm contractually obliged to view Exchange Server as Satan's Own Spawn. So, basically, if anyone asks, I never said this - right?

Exchange Server is actually quite secure. Go and check the vulnerabilities database at securityfocus if you don't believe me. Across the last four versions, there have been about forty - maybe fifty - vulnerabilities. And few of them are traditional security issues - they're mostly dumb DoS attacks that can be performed (often against SMTP/POP3/IMAP tasks) or fantastic ways to kill an Exchange Server by sending it something it doesn't understand. Whilst that is a security issue, it's not the kind of huge breach or massive exploit that we're familiar with in Outlook.

I'll put my little Lotus/IBM beanie back on for a moment, and say that Exchange's Achilles heel is probably what Microsoft touts as its advantage - reliance (not even integration, but flat out reliance) on Windows NT/2000 Server's security systems. Such integration can mean that bugs, OS vulnerabilities or plain laxness (as ever, a human factor!) can affect more than one system. Not just Exchange - SQL Server, MS Proxy Server/ISA, and others. It also gives end users the double-edged sword of single-sign-on. An unprotected unlocked workstation can now be used to access multiple systems where only one would be available elsewhere.

Exchange also lacks well-integrated public key security, and a decent framework for secure groupware applications. But half of that is to be blamed on its atrocious client - Outlook.

On balance, I think that for the "core functions" Exchange cannot be blamed as a product. If you just want to use Exchange as an SMTP/POP3/IMAP4/NNTP server, I believe it will be a secure solution. It is even secure when using its own proprietary RPC protocols to talk to clients - like perhaps the ones that are (I understand) appearing on Linux now.

In a nutshell, Exchange is a fairly secure product. And its relationship with Outlook makes it no more or less secure than any other mail server on the market - if you plugged Outlook into other servers via SMTP/POP3, they'd suddenly be just as insecure.

I hope I've convinced you. If Lotus/IBM see me saying this, I might be stripped of my qualifications! *grins*

Suc> Should a distinction be made between Outlook and Outlook Express?

In a previous mail on the subject of Outlook, I made notes about its groupware functionality and how that exposes most holes. The main difference between the two is the lack of groupware functionality in Outlook Express. However, that merely means that Outlook Express is less insecure - it still delegates all HTML work to IE components, so would probably be ranked as "insecure" by many on this list. I would say that a distinction should be drawn, as the functionality differs somewhat.

Suc> Also, we had looked at Pegasus mail as an Outlook Express
Suc> alternative a while back, and IIRC we found that it was
Suc> leveraging the same MS components that make Outlook insecure.

*coughs* Microsoft designs their systems for the convenience of developers, not for the security of users. That's what's given them so many products on their platforms - a massive amount of ready-to-use components that are rushed out with no regard for security. Trusted computing? Trusted only to meet the shipping deadlines, I reckon... *coughs*

Oh dear. Did I say something just then? Nope. I didn't hear anything. Let's all just move along, and co-exist in happiness. ;-)

-- 
Best regards,
Philip mailto:[EMAIL PROTECTED]
