undefined | Better HN

0 pointsthinkzig15y ago0 comments

What led you to say that it was?

Section 5.1 of this whitepaper[1] by Rizzo and Duong, that lists Ruby on Rails as one of the web frameworks vulnerable to this attack.

Granted, this paper was published in May, and I'm not a Rails guy, so it's quite possible this has been patched as well.

[1]http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf

0 comments

1 comments · 1 top-level

tptacek15y ago

Their comment about MessageEncryptor is accurate, but I don't believe the bare #encrypt (which could create a vulnerability if exceptions weren't laundered) is used anywhere. Rails sessions are encrypted and then HMAC'd. This pattern isn't susceptable to padding side channels.

j / k navigate · click thread line to collapse