undefined | Better HN

0 pointsergo9815y ago0 comments

>Exactly how do you know that?

I have never worked on an ASP.NET-based site that relied upon cookies, encrypted or not, for anything. Even where the built-in forms authentication was used the username always had correlating server-side state that was triumphant.

So saying that you can modify cookies == a complete and utter non-issue for any site that followed any reasonable security practices.

0 comments

6 comments · 1 top-level

tptacek15y ago· 5 in thread

The easy answer here is to say, "you mean besides DotNetNuke".

The deeper answer would be to point out that my day job is security evaluation for apps, roughly 50% of which are Fortune-100 web applications, roughly 60% of which are .NET applications, and you're flat-out wrong. There's a reason why cookie/session security is #3 on the OWASP top 10.

You're also presuming that the issue being discussed is, specifically, a cookie.

I understand why you're as defensive as you are; you're a professional .NET developer and Hacker News is hostile to Microsoft and, especially, .NET. Listen to me: I am not hostile to Microsoft or .NET. Microsoft is a client of ours. They do software security better than any company in the industry. Take my word for it: it appears that they screwed this one up just like everyone else that tries to encrypt with AES.

ergo98OP15y ago

>The easy answer here is to say, "you mean besides DotNetNuke".

Yes, I see you've already mentioned DNN. It's good that you have that example. It would be interesting if I somehow claimed that every app is immune to it.

Countless apps have countless vulnerabilities.

>You're also presuming that the issue being discussed is, specifically, a cookie.

I know that the issue being discussed is specifically a cookie. It's specifically an AES-encrypted cookie.

To your edit: Defensive? Hardly. I'm just bitter after an endless stream of B.S. security claims by the security industry. It always follows the same pattern of arm waving and press releases, with a promised demonstration, and then the day of reckoning comes and...quiet. Maybe this will be the exception but, we'll see.

This has nothing to do with any sort of loyalty to .NET, though I hardly find HN to be anti-.NET, or anti-Microsoft for that matter. Whatever, in any case. It isn't my fight to wage.

brl15y ago

"It always follows the same pattern of arm waving and press releases, with a promised demonstration, and then the day of reckoning comes and...quiet."

A few minutes ago, live on stage at a security conference in Buenos Aires (#ekoparty) they popped local SYSTEM privileges remotely on both DotNetNuke and SharePoint installed in a typical production configuration.

In case you think they stacked the deck, those applications were chosen only a couple of days ago after Juliano asked on Twitter for suggestions for the presentation.

ergo98OP15y ago

What do you mean by "local SYSTEM"?

I eagerly look forward to details on it. Where might I find them?

1 more reply

tptacek15y ago

You have their deck or their paper? URL? I'm a casual acquaintance of both Juliano and Thai, and friends with other Netifera people, and so all I have to go on is what they've told me. I'd be interested in reading the actual material.

You have it, right? You sound like you do. Otherwise, how would you know how serious the issue is?

ergo98OP15y ago

That's a nice shtick (the defensive bit was my favourite addition). It's also facile.

They specifically detailed that it's an AES cookie encryption attack, yet you're acting like I'm going on a limb saying that?

2 more replies

j / k navigate · click thread line to collapse

0 comments

6 comments · 1 top-level

tptacek15y ago· 5 in thread

The easy answer here is to say, "you mean besides DotNetNuke".

You're also presuming that the issue being discussed is, specifically, a cookie.

ergo98OP15y ago

>The easy answer here is to say, "you mean besides DotNetNuke".

Yes, I see you've already mentioned DNN. It's good that you have that example. It would be interesting if I somehow claimed that every app is immune to it.

Countless apps have countless vulnerabilities.

>You're also presuming that the issue being discussed is, specifically, a cookie.

I know that the issue being discussed is specifically a cookie. It's specifically an AES-encrypted cookie.

This has nothing to do with any sort of loyalty to .NET, though I hardly find HN to be anti-.NET, or anti-Microsoft for that matter. Whatever, in any case. It isn't my fight to wage.

brl15y ago

"It always follows the same pattern of arm waving and press releases, with a promised demonstration, and then the day of reckoning comes and...quiet."

In case you think they stacked the deck, those applications were chosen only a couple of days ago after Juliano asked on Twitter for suggestions for the presentation.

ergo98OP15y ago

What do you mean by "local SYSTEM"?

I eagerly look forward to details on it. Where might I find them?

1 more reply

tptacek15y ago

You have it, right? You sound like you do. Otherwise, how would you know how serious the issue is?

ergo98OP15y ago

That's a nice shtick (the defensive bit was my favourite addition). It's also facile.

They specifically detailed that it's an AES cookie encryption attack, yet you're acting like I'm going on a limb saying that?

2 more replies

j / k navigate · click thread line to collapse