Researchers Demo ASP.NET Crypto Attack 98
Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."
Re:Not as serious as it sounds (Score:3, Insightful)
I believe it is a standard security practice to NOT show your error infomation to the user in production environment. If anyone is doing it he should be fired anyway. No need to wait for an exploit to hit.
NOOOO! (Score:5, Insightful)
NO! NO! NO!
This is wrong, and dangerous. There is no such requirement, the HTTP status code is sufficient. Actually, the timing is sufficient, but slightly harder to exploit.
This is correct, and, unfortunately, why the 1st statement is so dangerous.
Assuming that your site is safe just because you've followed best practices is WRONG! You MUST apply the fix in ScottGu's post immediately!
Re:Not as serious as it sounds (Score:3, Insightful)
the real question is why are prices in the west so high?
Re:Not as serious as it sounds (Score:3, Insightful)
Wow, is this a post from 10 years ago? If not, you should really keep up with technology; IIS has matured quite a bit.
Yeah, it's still crap compared to BSD, Linux, or even OS X.
A web server is still crap compared to an operating system?
Re:Impressive video (Score:3, Insightful)
Re:Not just ASP.NET (Score:1, Insightful)
The timing is the key.
If it takes 100ms to return a normal and 110ms to return a padding error.. they have figured it out.
It doesn't matter about status codes, or stack traces.
Re:Not just ASP.NET (Score:3, Insightful)
Newer ASP.NET versions also have a vulnerability where if you can decrypt their "secret" then the untrusted server process will give you anything it has access to on the server filesystem.
Reference?