undefined | Better HN

0 pointsergo9815y ago0 comments

That's a nice shtick (the defensive bit was my favourite addition). It's also facile.

They specifically detailed that it's an AES cookie encryption attack, yet you're acting like I'm going on a limb saying that?

0 comments

3 comments · 2 top-level

wglb15y ago· 1 in thread

Where did they specifically detail that it is an AES cookie encryption attack?

tptacek15y ago

They didn't; this commenter has decided that he can easily infer the details of a presentation he hasn't seen from how it's reported in the trade press.

wglb15y ago

So it isn't exactly an AES Cookie Encryption Attack, it is actually worse: http://www.ekoparty.org/juliano-rizzo-2010.php

The most significant new discovery is an universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API!

j / k navigate · click thread line to collapse