Coffeehouse Thread

10 posts


ASP.NET forms authentication vulnerability

  • ZippyV

    http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

    "The hack exploits a bug in .NET's implementation of AES encryption."

    Is Microsoft planning to patch this problem?

  • Maddus Mattus

    Is AES the default setting?

    I thought SHA1 was default?

    Anyway, a simple configuration change is needed to fix this problem,..

  • ZippyV

    Maddus Mattus said:

    Is AES the default setting?

    I thought SHA1 was default?

    Anyway, a simple configuration change is needed to fix this problem,..

    AES is the default setting for encrypting the authentication cookies, SHA1 cannot be used for that.

  • TommyCarlier

    Maddus Mattus said:

    Is AES the default setting?

    I thought SHA1 was default?

    Anyway, a simple configuration change is needed to fix this problem,..

    SHA-1 is not an encryption algorithm, but a cryptographic hash algorithm. You cannot use it to encrypt data, only to create a hash value of data.

  • Maddus Mattus

    TommyCarlier said:
    Maddus Mattus said:
    *snip*

    SHA-1 is not an encryption algorithm, but a cryptographic hash algorithm. You cannot use it to encrypt data, only to create a hash value of data.

    Ah man!

    Now the whole internet has picked up on my epic fail as a programmer!

    Too late to edit I guess,.. It's already in Google,.. :(

    Anybody got any rope?

  • blowdart

    It's currently under investigation.

  • W3bbo

    Maddus Mattus said:
    TommyCarlier said:
    *snip*

    Ah man!

    Now the whole internet has picked up on my epic fail as a programmer!

    Too late to edit I guess,.. It's already in Google,.. :(

    Anybody got any rope?

    You can edit your posts and make the change, Google will refresh eventually. Better do it now before the forum behaviour changes to copied quotes rather than referenced quotes.

  • Maddus Mattus

    W3bbo said:
    Maddus Mattus said:
    *snip*

    You can edit your posts and make the change, Google will refresh eventually. Better do it now before the forum behaviour changes to copied quotes rather than referenced quotes.

    Good thing that I used my alter ego for a login then :)

    I'm not going to edit, failure is only human :)

  • blowdart
  • blowdart

    And there's also a forum
