On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Tom Ritter <t...@ritter.vg> writes:
>
>>What's weird is I find confusing literature about what *is* the default for
>>protecting the viewstate.
>
> I still haven't seen the paper/slides from the talk so it's a bit hard to
> comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
> (for cookie-based auth, not viewstate protection) then you get MAC protection
> built-in, along with other nice features like sliding cookie expiration (the
> cookie expires relative to the last active use of the site rather than an
> absolute time after it was set). I've used it in the past as an example of
> how to do cookie-based auth right.
>
> Peter.
>
I'm one of the authors of the attack. Actually, if you look closer, you'll see
that they do it wrong in many ways. Here is a video that we just released this
morning at EKOPARTY:

http://www.youtube.com/watch?v=yghiC_U2RaM

Slides, paper, and tools will be released on http://www.netifera.com/research.

Thai.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
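The MAC-protected, sliding-expiration ticket that Gutmann describes, as an added Python example that is not part of the thread and not .NET's own code: a stand-in for FormsAuthenticationTicket that tags the ticket body with HMAC-SHA256, verifies the tag in constant time before parsing anything, and re-issues the ticket once more than half the window has elapsed (the renewal rule is an assumption of this example). KEY, SLIDING_WINDOW, issue_ticket and validate_ticket are this example's own names.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads it from server configuration.
KEY = b"demo-server-key-not-for-production"
SLIDING_WINDOW = 1200      # seconds of inactivity before the ticket expires
TAG_LEN = 32               # HMAC-SHA256 output size


def _mac(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).digest()


def issue_ticket(user: str, now: float) -> str:
    """Build a ticket: JSON body || HMAC tag, base64url-encoded for the cookie."""
    claims = {"u": user, "iat": int(now), "exp": int(now) + SLIDING_WINDOW}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _mac(body)).decode()


def validate_ticket(cookie: str, now: float):
    """Return (claims, renewed_cookie_or_None), or None if the ticket is rejected.

    Order matters: the tag is checked first, in constant time, so a tampered or
    forged body is never handed to the JSON parser or any later logic.  Sliding
    expiration: once more than half the window has passed since issue, a fresh
    ticket is returned for the caller to set as the new cookie.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:            # binascii.Error is a subclass of ValueError
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _mac(body)):
        return None
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None
    renewed = None
    if now - claims["iat"] > SLIDING_WINDOW / 2:
        renewed = issue_ticket(claims["u"], now)
    return claims, renewed
```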