On Tue, Sep 14, 2010 at 10:22 AM, mike smith <[email protected]> wrote: > On 14 September 2010 10:01, Damian Maclennan <[email protected]> wrote: > > > ouch. That could get ugly. > > However, there's one fairly eyebrow raising line in there : > > "The attack allows someone to decrypt sniffed cookies, which could > > contain valuable data such as bank balances, Social Security numbers > > or crypto keys" > > If you're putting that sort of info into a cookie, you're probably doing > > it wrong. However if this exploit let you jump in on an authenticated > > session, then it could cause trouble. > > The cookie might have the hashed result of an SSN. Shouldn't, but might.
I don't think it's hashing that is at risk (they mention AES). I think the attack is that you can prepare an invalid encrypted message, and brute-force-ish ask ASP.NET to decrypt it, and based on it's answers you can get closer to getting the key that the other .NET process is using. So, assuming this is so, you should never report a cryptographic failure (though, it's still implied, because you don't get what you want, so ...). But then again, I know nothing of the attack and I'm not an expert, this is just my guess. The moral is probably to not forget that bruteforce-style attacks are still legitimate. > -- > Meski > > "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll > get it, but it's going to be rough" - Adam Hills -- silky http://dnoondt.wordpress.com/ "Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
