On Mon, Oct 3, 2011 at 10:01 AM, Felipe Almeida Lessa <felipe.le...@gmail.com> wrote:
> With a timing attack a malicious user may be able to construct a valid
> MAC for his message. However, the attacker is not able to recover the
> MAC key or the encryption key. So you don't need to change your keys,
> just upgrade ASAP.
If you are really paranoid, you may worry about a malicious user that created a valid cookie for an administrator expiring in 2030 while you still haven't upgraded. If you have this level of security paranoia/consciousness, you may want to generate new keys. Just delete client_session_key.aes before restarting your application with the fixed clientsession >= 0.7.3.1 and new, random keys will be generated for you.

Cheers, =)

--
Felipe.

_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
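The two claims in the message above (an attacker who can time the MAC check can forge a valid tag for a message of his choosing, yet never learns the MAC key) are easy to see in a small simulation. The following is an added example, not code from clientsession or from the thread's author. It models the side channel as the number of bytes the comparison inspected before returning, which is what a wall-clock measurement leaks in practice, and runs an attacker that sees only that count. The key name KEY, the helper names, and the cookie payload are all constructed for the example; in real Python code the comparison should be hmac.compare_digest rather than a hand-rolled loop.

```python
import hashlib
import hmac
import os

# Constructed: stands in for the server's MAC key. The attacker never reads it.
KEY = os.urandom(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def mac(message: bytes) -> bytes:
    """Server-side HMAC-SHA256 over a cookie payload."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


def naive_eq(a: bytes, b: bytes):
    """Vulnerable comparison: stops at the first mismatching byte.
    Returns (equal, steps); `steps` models elapsed time, i.e. how many
    bytes were examined before the function returned."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_eq(a: bytes, b: bytes):
    """Fixed comparison: always examines every byte, so `steps` is
    independent of where the first mismatch is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify(message: bytes, tag: bytes, compare):
    """The server's cookie check, parameterised by the comparison used.
    The attacker observes both the verdict and the timing (`steps`)."""
    return compare(mac(message), tag)


def forge_tag(message: bytes, compare, tag_len: int = TAG_LEN):
    """Attacker: recover a valid tag for `message` one byte at a time using
    only verify()'s verdict and timing. Never touches KEY.

    With naive_eq, a correct byte at position `pos` makes the comparison
    proceed to at least position pos+1, so steps > pos+1. With a wrong byte
    it stops there, so steps == pos+1. That one-step difference is the oracle.
    """
    guess = bytearray(tag_len)
    for pos in range(tag_len):
        found = None
        for candidate in range(256):
            guess[pos] = candidate
            ok, steps = verify(message, bytes(guess), compare)
            if ok:
                return bytes(guess)          # full tag recovered
            if steps > pos + 1:
                found = candidate            # comparison got past this byte
                break
        if found is None:
            return None                      # no byte distinguishable: attack fails
        guess[pos] = found
    return None


if __name__ == "__main__":
    cookie = b"user=admin;expires=2030-01-01"   # constructed payload
    forged = forge_tag(cookie, naive_eq)
    print("naive compare forged:", forged == mac(cookie))            # True
    print("constant-time forged:", forge_tag(cookie, constant_time_eq))  # None
```

Against naive_eq the attacker needs at most 256 queries per byte (about 8k verifications for a 32-byte tag) to produce a cookie the server accepts, which is exactly the "valid cookie for an administrator expiring in 2030" scenario: the forgery stays valid after the comparison is fixed, because the key is unchanged, which is why regenerating client_session_key.aes is the only way to invalidate it. Against constant_time_eq every candidate at every position yields the same step count, so the attacker gets no signal and the forgery fails.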