On Fri, Sep 17, 2010 at 2:29 PM, silky <[email protected]> wrote:

[...]

> > From there it seems that we can conclude what we thought initially: do
> > not send back .net exceptions for cryptography errors (always
> > something generic like "invalid username/password combination").
> >
> > Also, a general throttling/blocking of repeated invalid attemps
> > (perhaps somewhat-exponentially slowed as n increases)  is appropriate
> > (there are other risks associated with doing this; i.e. inconvenience
> > for users via a DoS style attack on accounts, but you can at least
> > consider it and other similar approaches).
>
> Sorry to double-post, but I should comment on what I would consider
> the "real" solution to be: Don't decrypt data you personally didn't
> encrypt. That is, consider using a HMAC:
> http://en.wikipedia.org/wiki/HMAC
>
> That is, you should ensure you are the person who encrypted the given
> message. But also, I'm no expert so I hope someone can make a
> definitive statement on the matter (i.e: Microsoft).

Here is what appears to be their official statement:
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

Reply via email to