Can anyone provide any more solid details? This article seems to be a lot of hyperbole ("totally destroys") with little fact.<p><i>The error message provides a small tidbit of information about how ASP.NET decrypts messages. With enough of these error messages it is possible to decrypt the message in its entirety.</i><p>What message? The cookie itself?
Alex Payne (One of Twitter's earlier employees..) had written a nice article on why he does not work in Infomartion Security, quite a while ago.<p><a href="http://al3x.net/2008/12/31/why-not-infosec.html" rel="nofollow">http://al3x.net/2008/12/31/why-not-infosec.html</a><p>..the core point being,about how little attention genuine, path-breaking work gets, if security researchers DO NOT make an attempt to publicise it,quite radically.<p>These sure are not some random guys making a bold claim.. that work has been published in Usenix!
Totally irresponsible journalism. This is not all or .NET or even a tiny fraction. It is one control that will be rapidly patched.<p>This allows the end user to decrypt their own "encrypted" cookie, not an attacker. At best, if the web app writers were stupid and put truly exploitable data in the cookie, they'd be effected.<p>It is horrible that MS missed this, but calling .NET broken is probably actionable libel.
At least now the next time a client wants me to do something in .NET I have a good excuse to gently persuade them to something else (until this gets patched, at least).