'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Sep 15 00:07:24 EDT 2010
Tom Ritter <tom at ritter.vg> writes:
>What's weird is I find confusing literature about what *is* the default for
>protecting the viewstate.
I still haven't seen the paper/slides from the talk so it's a bit hard to
comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
(for cookie-based auth, not viewstate protection) then you get MAC protection
built-in, along with other nice features like sliding cookie expiration (the
cookie expires relative to the last active use of the site rather than an
absolute time after it was set). I've used it in the past as an example of
how to do cookie-based auth right
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list