
Update on ASP.NET Vulnerability - ronnier
http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
======
tptacek
Backstory: ASP.NET relies, in several places, on AES (or 3DES) blobs that it
bounces off clients in cookies, in the Viewstate, and in URL arguments. The
underlying implementation of block cipher encryption (in general --- not just
AES) is vulnerable to a devastating side channel attack that allows attackers
to "crack" the ciphertext byte-by-byte, instead of in 128-bit blocks.

It's good (and unsurprising) to see Microsoft taking this so seriously. I
recommend that you follow their advice on workarounds. While doing so, keep in
mind that the framework is still bouncing encrypted blobs off clients and
relying _totally_ on the notion that clients can't read them, and that the
underlying problem (the server's behavior changes based on whether padding is
valid) is still there. Keep your eyes open.

------
alecco
Also one of the researchers behind POET recommends this tool:

[http://huagati.blogspot.com/2010/09/testing-aspnet-poet-
snif...](http://huagati.blogspot.com/2010/09/testing-aspnet-poet-sniffer-
service.html)

