LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

I won't give up LibreOffice

I won't give up LibreOffice

Posted Mar 15, 2012 10:02 UTC (Thu) by dgm (subscriber, #49227)
Parent article: A look in on Apache OpenOffice

In the year that AOO has been freewheeling, LO has seen many improvements. Specially important for me is better Microsoft XML formats compatibility (like it or not, there are a lot of "legacy" users out there).

http://www.libreoffice.org/download/3-4-new-features-and-...
http://www.libreoffice.org/download/3-5-new-features-and-...

AOO will only add two features, a new color picker and improved SVG import, none of which is important for me. So, for the foreseable future, I will keep using LibreOffice.

But I love to see OpenOffice back on their feet. Specially tacking into account that the new license permits improvements made to AOO to be ported to LO, AFAIK.

(Log in to post comments)

I won't give up LibreOffice

Posted Mar 15, 2012 12:43 UTC (Thu) by eru (subscriber, #2753) [Link]

But there is one 3.5 change I am not terribly happy with: Different Encryption Algorithm. Up to now password-protected documents have been interchangeable between different OOo/LO versions (I use them for master password lists and some personal notes), but now there is a "version trapdoor". This one feels a bit like change for change's sake. Blowfish surely has not been broken in practice?

Changes in Encryption for Password-Protected Documents

Posted Mar 15, 2012 19:44 UTC (Thu) by orcmid (guest, #74478) [Link]

The allowance for other encryption algorithms is a provision of ODF 1.2, now an approved OASIS Standard.

The peculiarity is taht ODF 1.2 recommends a different encryption than Blowfish while at the same time Blowfish (and its particular parameters) are available as defaults when no algorithm is specified. The change in recommendation is basically because algorithms like AES have formal support from NIST and elsewhere, and Blowfish does not. Blowfish is also a bit dated (as AES is becoming).

Unfortunately, users are apparently not given a way to choose the encryption.

Presumably it is possible to use the Save As ODF 1.1 selection in the Tools | Options in order to use the original default encryption methodology. I must try that with the latest LO release candidates.

PS: The flaw, among others, in the current encryptions is in the improper use of PBKDF2 that allows an attack by direct injection of password digests obtained from elsewhere without attacking the password. This sideways vulnerability applies to all of the encryption methods at the present time. And of course password-based schemes are more vulnerable than the encryption and are easier to attack, making it irrelevant how good the encryption algorithm itself is.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds