On Fri, Sep 17, 2010 at 2:29 PM, silky <[email protected]> wrote:
[...] > > From there it seems that we can conclude what we thought initially: do > > not send back .net exceptions for cryptography errors (always > > something generic like "invalid username/password combination"). > > > > Also, a general throttling/blocking of repeated invalid attemps > > (perhaps somewhat-exponentially slowed as n increases) is appropriate > > (there are other risks associated with doing this; i.e. inconvenience > > for users via a DoS style attack on accounts, but you can at least > > consider it and other similar approaches). > > Sorry to double-post, but I should comment on what I would consider > the "real" solution to be: Don't decrypt data you personally didn't > encrypt. That is, consider using a HMAC: > http://en.wikipedia.org/wiki/HMAC > > That is, you should ensure you are the person who encrypted the given > message. But also, I'm no expert so I hope someone can make a > definitive statement on the matter (i.e: Microsoft). Here is what appears to be their official statement: http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx -- silky http://dnoondt.wordpress.com/ "Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
