Security/Encryption

From Apache OpenOffice Wiki
< Security
Revision as of 14:17, 1 July 2009 by Mt (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Encrypted documents shouldn't have any non encrypted content

Currently it is possible to add any non encrypted content into encrypted documents, simply by putting new streams into the zip archive. This way, someone could for example add macro code into documents without the need to know the password. The possibility to add content to an encrypted document is quite bad, and it becomes worse with macros, because passwords increase the level of trust the user has to a document, when it was encrypted by a person he knows. OOo will detect the macros, and ask the user whether or not to execute them. The user might trust the author of the document, and because of the encryption normally nobody should have been able to manipulate it, so he will probably allow OOo to execute the macros. At least, it's not possible to bind the macros to some event, so it would get executed automatically.

In general, an encrypted document shouldn't have any non encrypted content. Exceptions are some files in the META-INF folder: manifest.xml, which is needed to get the encryption information, and the digital signature files also might not be encrypted, depending on the signature implementation.

Retrieved from "https://wiki.openoffice.org/w/index.php?title=Security/Encryption&oldid=133703"
Personal tools