Sent from my iPhone

On 17/09/2010, at 4:28 PM, mike smith <[email protected]> wrote:

> On 17 September 2010 14:24, silky <[email protected]> wrote:
> On Tue, Sep 14, 2010 at 10:26 AM, silky <[email protected]> wrote:
> 
> [...]
> 
> >> The cookie might have the hashed result of an SSN.  Shouldn't, but might.
> >
> > I don't think it's hashing that is at risk (they mention AES). I think
> > the attack is that you can prepare an invalid encrypted message, and
> > brute-force-ish ask ASP.NET to decrypt it, and based on it's answers
> > you can get closer to getting the key that the other .NET process is
> > using. So, assuming this is so, you should never report a
> > cryptographic failure (though, it's still implied, because you don't
> > get what you want, so ...). But then again, I know nothing of the
> > attack and I'm not an expert, this is just my guess.
> >
> > The moral is probably to not forget that bruteforce-style attacks are
> > still legitimate.
> 
> Details: 
> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
> (different tool but probably similar approach).
> 
> >From there it seems that we can conclude what we thought initially: do
> not send back .net exceptions for cryptography errors (always
> something generic like "invalid username/password combination").
> 
> 
> And if you have a "forgot password" don't say whether the email address you 
> enter succeeds or fails.  So many fail at this step.

That isn't very practical though. How long should the user be expected to wait 
for the password reset email to arrive? I often can't remember if I have 
registered on a website, particularly if it was only to get access to something.

Also, what happens when a user tries to register with an email address that has 
already been used? System error?

Personally, I'll settle for never seeing my current password being sent to me 
in clear text again for whatever reason. Mailman, I'm looking at you, among 
others.

>  
> Also, a general throttling/blocking of repeated invalid attemps
> (perhaps somewhat-exponentially slowed as n increases)  is appropriate
> (there are other risks associated with doing this; i.e. inconvenience
> for users via a DoS style attack on accounts, but you can at least
> consider it and other similar approaches).
> 
> --
> silky
> 
> http://dnoondt.wordpress.com/
> 
> "Every morning when I wake up, I experience an exquisite joy — the joy
> of being this signature."
> 
> 
> 
> -- 
> Meski
> 
> "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll 
> get it, but it's going to be rough" - Adam Hills

Reply via email to