

New Attack Against ASP.NET - pietrofmaggi
http://www.schneier.com/blog/archives/2010/09/new_attack_agai_1.html

======
mgkimsal
This seems to be indicating that values are encrypted in the cookie, and the
issue is the AES encryption algorithm was implemented poorly.

Why are _any_ values with any degree of sensitivity being stored in a cookie
in the first place?

I'd argued against encrypted values being stored in cookies many years ago
with some colleagues, arguing in favor of randomized values. What I kept
getting back was "random isn't really random - that's insecure". I could never
quite explain my point in a way they understood, which I still count as a
failing on my part (but still a failure on theirs to grasp basic security
stuff in the first place).

So... am I correct in understanding that the ASP.NET system is storing
something of value via encryption in cookies? If so, what?

EDIT - should have read the full thing - this is the padding attack from last
week. :/
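The "padding attack" the comment ends on is a CBC padding-oracle attack: an attacker who can submit modified ciphertext and learn only whether the padding checked out can decrypt the whole message, byte by byte, without the key. The following is an added example, not code from the post or from ASP.NET; it implements that attack against a constructed toy Feistel block cipher (the attack never looks inside the cipher, it only needs the yes/no oracle), with a constructed key, IV and cookie value.

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes
ROUNDS = 4   # rounds of the toy Feistel cipher (constructed for the example)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, r, half):
    # Round function: HMAC-SHA256 of the round number and one 8-byte half.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    L, R = block[:8], block[8:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _round(key, r, R))
    return L + R


def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _round(key, r, L)), L
    return L + R


def pad(data):
    # PKCS#7: append n bytes of value n, always at least one byte.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


def make_oracle(key):
    # The server side: reveals nothing but "padding valid / invalid".
    def oracle(iv, ct):
        oracle.calls += 1
        try:
            unpad(cbc_decrypt(key, iv, ct))
            return True
        except ValueError:
            return False
    oracle.calls = 0
    return oracle


def padding_oracle_decrypt(oracle, iv, ct):
    # Attacker side: recovers D_k(C_i) for each block, then P_i = D_k(C_i) XOR C_{i-1}.
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plaintext = b""
    for idx in range(1, len(blocks)):
        target = blocks[idx]
        inter = bytearray(BLOCK)          # D_k(target), filled from the last byte backwards
        for pos in range(BLOCK - 1, -1, -1):
            pad_val = BLOCK - pos
            crafted = bytearray(BLOCK)    # fake previous block fed to the oracle as the IV
            for j in range(pos + 1, BLOCK):
                crafted[j] = inter[j] ^ pad_val   # force already-known bytes to pad_val
            for guess in range(256):
                crafted[pos] = guess
                if not oracle(bytes(crafted), target):
                    continue
                if pos == BLOCK - 1:
                    # Edge case: a "valid" answer for the last byte may come from a
                    # longer padding (e.g. 02 02). Flip the byte before it and re-ask;
                    # only a genuine 01 survives that change.
                    crafted[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(crafted), target)
                    crafted[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ pad_val
                break
            else:
                raise RuntimeError("oracle never accepted a padding; not a padding oracle?")
        plaintext += _xor(bytes(inter), blocks[idx - 1])
    return unpad(plaintext)


def demo(secret=b"user=4711;role=editor"):
    # Constructed key, IV and cookie value for the example; the attacker sees only iv, ct.
    key = b"constructed-key!"
    iv = b"constructed-iv!!"
    ct = cbc_encrypt(key, iv, pad(secret))
    oracle = make_oracle(key)
    recovered = padding_oracle_decrypt(oracle, iv, ct)
    return recovered, oracle.calls


if __name__ == "__main__":
    recovered, calls = demo()
    print(recovered, "recovered with", calls, "oracle queries")
```

The point the example makes is the one the thread circles around: the secrecy of the cookie contents rests entirely on the server never leaking padding validity (through a distinct error page, status code or timing), and a random, server-side-looked-up session identifier has no such failure mode because there is nothing in the cookie to decrypt.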

