The error message provides a small tidbit of information about how ASP.NET decrypts messages. With enough of these error messages it is possible to decrypt the message in its entirety.
What message? The cookie itself?
The HN thread consists basically of knee-jerking about "those waskly sekuwity wesearchers" and blatantly overtly false statements from people who had no business giving guidance about a flaw they knew literally nothing about.
I agree, unless this attack completely crashes the .Net stack to allow privilege escalation or similar, it's complete hyperbole.
Whether you're right or your wrong (and I would tend to agree that storing sensitive information clientside --- or doing anything else that involves encryption --- isn't worth the risk), this isn't a productive point to make. These designs exist, and can be secure, but contain flaws that must be corrected, lest many tens of applications be susceptible to devastating attacks.
There are cases where having sensitive information in a cookie makes sense. In a web farm, for example. A session store that serves a farm of web servers is harder to set up and maintain than having clients send information back in a cookie. If it's properly encrypted, then this shouldn't be a problem. (Signed cookies are also good for this scenario, if it's okay for the data to be seen by others)
Am I wrong?
Here's a good thread on how to ensure data on client cookies hasn't been tampered with: http://news.ycombinator.com/item?id=1687826
Storing, say, a username and a password hash in your encrypted cookie is at least as secure as direct authentication at each page load; even if they break your encryption they still have to know the admin's password.
Start with the assumption that the locks you use for security will fail, and ask "how will this break?" If we take the encryption out of the picture, do we trust the client to log in as root (or similar) with just a username and no password? The lock in question (as I understand it) is failing for an unrelated (information disclosure) reason. The design decision to lean so hard on the lock is what makes this such an issue.
..the core point being,about how little attention genuine, path-breaking work gets, if security researchers DO NOT make an attempt to publicise it,quite radically.
These sure are not some random guys making a bold claim.. that work has been published in Usenix!
This allows the end user to decrypt their own "encrypted" cookie, not an attacker. At best, if the web app writers were stupid and put truly exploitable data in the cookie, they'd be effected.
It is horrible that MS missed this, but calling .NET broken is probably actionable libel.
It's not about figuring out what's in the client cookies - it's about forging cookies that the server completely trusts on account of the (broken) encryption.
The most significant new discovery is an universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API!
Even in cases where app logic will trip this approach up early (making hard assumptions about session vals having been initialized post-login and consequently failing fast, etc), the secrets are still captured.
JSF was vulnerable to this attack; Thai and Juliano, the researchers that other HN users are trashing on this thread, also found that flaw as well. I have to assume it's been fixed by now.
Section 5.1 of this whitepaper by Rizzo and Duong, that lists Ruby on Rails as one of the web frameworks vulnerable to this attack.
Granted, this paper was published in May, and I'm not a Rails guy, so it's quite possible this has been patched as well.
What makes you make a comment like this? What evidence are you basing it on?
I have never worked on an ASP.NET-based site that relied upon cookies, encrypted or not, for anything. Even where the built-in forms authentication was used the username always had correlating server-side state that was triumphant.
So saying that you can modify cookies == a complete and utter non-issue for any site that followed any reasonable security practices.
The deeper answer would be to point out that my day job is security evaluation for apps, roughly 50% of which are Fortune-100 web applications, roughly 60% of which are .NET applications, and you're flat-out wrong. There's a reason why cookie/session security is #3 on the OWASP top 10.
You're also presuming that the issue being discussed is, specifically, a cookie.
I understand why you're as defensive as you are; you're a professional .NET developer and Hacker News is hostile to Microsoft and, especially, .NET. Listen to me: I am not hostile to Microsoft or .NET. Microsoft is a client of ours. They do software security better than any company in the industry. Take my word for it: it appears that they screwed this one up just like everyone else that tries to encrypt with AES.
Yes, I see you've already mentioned DNN. It's good that you have that example. It would be interesting if I somehow claimed that every app is immune to it.
Countless apps have countless vulnerabilities.
>You're also presuming that the issue being discussed is, specifically, a cookie.
I know that the issue being discussed is specifically a cookie. It's specifically an AES-encrypted cookie.
To your edit: Defensive? Hardly. I'm just bitter after an endless stream of B.S. security claims by the security industry. It always follows the same pattern of arm waving and press releases, with a promised demonstration, and then the day of reckoning comes and...quiet. Maybe this will be the exception but, we'll see.
This has nothing to do with any sort of loyalty to .NET, though I hardly find HN to be anti-.NET, or anti-Microsoft for that matter. Whatever, in any case. It isn't my fight to wage.
A few minutes ago, live on stage at a security conference in Buenos Aires (#ekoparty) they popped local SYSTEM privileges remotely on both DotNetNuke and SharePoint installed in a typical production configuration.
In case you think they stacked the deck, those applications were chosen only a couple of days ago after Juliano asked on Twitter for suggestions for the presentation.
I eagerly look forward to details on it. Where might I find them?
The highest system privilege level on Windows. They were able to interactively run CMD.EXE as the LocalSystem account on the remote web server.
> I eagerly look forward to details on it. Where might I find them?
The details were not disclosed until today when the attack was presented at a security conference. As far as I know there isn't anything available online yet, but that should change very soon.
You have it, right? You sound like you do. Otherwise, how would you know how serious the issue is?
They specifically detailed that it's an AES cookie encryption attack, yet you're acting like I'm going on a limb saying that?
You have it, right? You sound like you do.
I think it's classy to call out two people you don't know as grandstanding opportunists based on zero knowledge of what it was they were doing and then argue with the guy who calls you out on it. I'm weird that way. I'm going to get downmodded for being a snarky asshole here, but they'll be negative karma points well worth it for my sanity.
Visual Studio Magazine .
I've enjoyed reading all your comments on this thread. You clearly know your stuff. Based upon what you've seen so far and what you know about the ASP.NET framework, do you see any way around this short of some patch from Microsoft?
 - http://visualstudiomagazine.com/articles/2010/09/14/aspnet-s...
You gotta love crypto.