[145956] in cryptography@c2.net mail archive
Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
daemon@ATHENA.MIT.EDU (Richard Outerbridge)
Sun Oct 3 09:11:43 2010
CC: cryptography@metzdowd.com
From: Richard Outerbridge <outer@sympatico.ca>
To: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <1F18EEA8-3E12-4093-9865-2910C0610C72@lrw.com>
Date: Sat, 2 Oct 2010 21:23:47 -0400
On 2010-10-02 (275), at 19:10, Jerry Leichter wrote:
> On Oct 1, 2010, at 11:34 PM, Richard Outerbridge wrote:
[....]
> By the way, the "don't acknowledge whether it was the login ID or
> the password that was wrong" example is one of those things
> "everyone knows" - along with "change your password frequently" -
> that have long passed their "use by" date. Just what attack on a
> modern system does revealing that a guessed login ID is correct
> actually allow? It can only be used in on-line attacks, and it's
> been years since any decent system didn't protect against high rates
> of failures in on-line authentication. Besides, valid - or highly-
> probably-valid - login IDs are typically cheaply available for most
> systems anyway.
I said it was old :) but it's still as true now as a use-case as it
was way back then, in its time.
Richard
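As an added illustration of the two positions in this exchange (not code from the original thread or from either poster): a login check that returns one generic failure whether the login ID or the password was wrong, combined with the per-ID throttling of failed attempts that the quoted reply says any decent modern system already has. The `LoginService` class, its messages, the user records and the injectable clock are all constructed for this example.

```python
import hashlib
import hmac
import os
import time


class LoginService:
    """Hypothetical login service (constructed for this example).

    Two defences are combined:
      * a uniform "invalid login ID or password" response, so a failed
        attempt does not confirm that a guessed login ID exists; and
      * throttling of repeated failures per login ID, which is what limits
        on-line guessing regardless of what the error text says.
    Throttling is applied to unknown IDs as well, so the lockout message
    itself does not reveal whether the ID exists.
    """

    GENERIC_FAILURE = "invalid login ID or password"
    THROTTLED = "too many attempts; try again later"

    def __init__(self, max_failures=5, lockout_seconds=300,
                 clock=time.monotonic, kdf_iterations=20_000):
        self._users = {}          # login_id -> (salt, pbkdf2 hash)
        self._failures = {}       # login_id -> (count, window_start)
        self._max_failures = max_failures
        self._lockout = lockout_seconds
        self._clock = clock       # injectable so tests can control time
        self._iterations = kdf_iterations
        # Dummy credential used for unknown IDs so the KDF runs either way
        # and response time does not differ between known and unknown IDs.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._hash(self._dummy_salt, "dummy-password")

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self._iterations)

    def register(self, login_id, password):
        salt = os.urandom(16)
        self._users[login_id] = (salt, self._hash(salt, password))

    def _throttled(self, login_id, now):
        count, since = self._failures.get(login_id, (0, now))
        return count >= self._max_failures and (now - since) < self._lockout

    def _record_failure(self, login_id, now):
        count, since = self._failures.get(login_id, (0, now))
        if count == 0 or (now - since) >= self._lockout:
            self._failures[login_id] = (1, now)      # start a new window
        else:
            self._failures[login_id] = (count + 1, since)

    def login(self, login_id, password):
        now = self._clock()
        if self._throttled(login_id, now):
            return self.THROTTLED
        record = self._users.get(login_id)
        salt, stored = record if record is not None else (self._dummy_salt,
                                                          self._dummy_hash)
        # Constant-time comparison; the unknown-ID case is forced to fail
        # after the KDF has run, not before.
        match = hmac.compare_digest(self._hash(salt, password), stored)
        if record is not None and match:
            self._failures.pop(login_id, None)      # reset on success
            return "ok"
        self._record_failure(login_id, now)
        return self.GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService(max_failures=3, lockout_seconds=60)
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "correct horse battery staple"))   # ok
    print(svc.login("alice", "guess"))    # generic failure
    print(svc.login("nobody", "guess"))   # identical generic failure
```

The point the quoted reply makes is visible in the code: the uniform message only matters for an attacker who is already interacting with the live service, and that attacker is bounded by the failure counter whether or not the message distinguishes the two cases. Keeping the message uniform costs nothing, which is why both halves are left in.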
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com