On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann wrote:
> Tom Ritter writes:
>
>>What's weird is I find confusing literature about what *is* the default for
>>protecting the viewstate.
>
> I still haven't seen the paper/slides from the talk so it's a bit hard to
> comment on the specifics, but if
On Sat, Sep 18, 2010 at 8:43 PM, Peter Gutmann wrote:
>>I'm one of the authors of the attack. Actually if you look closer, you'll see
>>that they do it wrong in many ways.
>
> The FormsAuth as well, not just the view state? Interesting, I thought they
> had that one right, at least.
We promised
On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann wrote:
> Ye gods, how can you screw something that simple up that much? They use the
> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
I guess they just follow SSL.
BTW, they screw up more badly in other places. Down