'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
Richard Outerbridge
outer at sympatico.ca
Sat Oct 2 21:23:47 EDT 2010
On 2010-10-02 (275), at 19:10, Jerry Leichter wrote:
> On Oct 1, 2010, at 11:34 PM, Richard Outerbridge wrote:
[....]
> By the way, the "don't acknowledge whether it was the login ID or
> the password that was wrong" example is one of those things
> "everyone knows" - along with "change your password frequently" -
> that have long passed their "use by" date. Just what attack on a
> modern system does revealing that a guessed login ID is correct
> actually allow? It can only be used in on-line attacks, and it's
> been years since any decent system didn't protect against high rates
> of failures in on-line authentication. Besides, valid - or highly-
> probably-valid - login ID's are typically cheaply available for most
> systems anyway.
I said it was old :) but it's still as true now as a use-case as it
was way back then, in its time.
Richard
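The two practices argued over above, side by side, as an added example that is not code from the list or from either poster. It shows the "leaky" login that reports a bad login ID separately from a bad password, the uniform-message version (which also hashes a dummy record for unknown IDs so the cost of a failure does not depend on whether the ID exists), and the failure-rate control Leichter says any decent modern system has. The user table, the PBKDF2 parameters and the lock-out threshold are all assumptions made for this example.

```python
"""Login handlers that do and do not reveal whether a login ID exists.

Added illustration for the thread; the user store, KDF settings and
rate-limit numbers are assumptions, not anything from the posts.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Low iteration count only so the example runs quickly (assumption).
ITERATIONS = 1000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store: login ID -> (salt, derived key).
USERS = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2"),
}

# Dummy record so an unknown ID costs the same hash work as a known one.
_DUMMY_SALT, _DUMMY_HASH = make_user("dummy-password-never-valid")


def leaky_login(login_id: str, password: str) -> str:
    """The pattern the quoted advice warns against: the message (and the
    skipped hash computation) tells the caller whether the ID exists."""
    if login_id not in USERS:
        return "unknown login ID"
    salt, stored = USERS[login_id]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "wrong password"
    return "ok"


def uniform_login(login_id: str, password: str) -> str:
    """One failure message for both causes; unknown IDs are hashed against
    the dummy record so the response and its cost look the same."""
    salt, stored = USERS.get(login_id, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if matches and login_id in USERS:   # dummy match must never log in
        return "ok"
    return "invalid login ID or password"


class FailureLimiter:
    """Lock out a key (login ID or source address) after too many failures
    inside a sliding window. Threshold and window are example values."""

    def __init__(self, max_failures=5, window_seconds=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(list)

    def allowed(self, key) -> bool:
        now = self.clock()
        recent = [t for t in self._failures[key] if now - t < self.window]
        self._failures[key] = recent
        return len(recent) < self.max_failures

    def record_failure(self, key) -> None:
        self._failures[key].append(self.clock())


def guarded_login(limiter: FailureLimiter, key: str, login_id: str, password: str) -> str:
    """uniform_login behind the on-line failure-rate control."""
    if not limiter.allowed(key):
        return "too many failures; try again later"
    result = uniform_login(login_id, password)
    if result != "ok":
        limiter.record_failure(key)
    return result


if __name__ == "__main__":
    for fn in (leaky_login, uniform_login):
        print(fn.__name__, fn("carol", "x"), "|", fn("alice", "x"))
```

Running the block prints the distinguishing messages from `leaky_login` next to the single message from `uniform_login`; the limiter is what actually bounds an on-line guessing attack, which is the point Leichter makes against treating the message difference as the important control.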
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com