Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-27 Thread Thai Duong
On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Tom Ritter t...@ritter.vg writes: What's weird is I find confusing literature about what *is* the default for protecting the viewstate. I still haven't seen the paper/slides from the talk so it's a bit hard to

Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-09-28 Thread Thai Duong
On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Ye gods, how can you screw something that simple up that much?  They use the appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards! I guess they just follow SSL. BTW, they screw up more