=JeffH <jeff.hod...@kingsmountain.com> quotes:

>"We knew ASP.NET was vulnerable to our attack several months ago, but we
>didn't know how serious it is until a couple of weeks ago. It turns out that
>the vulnerability in ASP.NET is the most critical amongst other frameworks.
>In short, it totally destroys ASP.NET security," said Thai Duong, who along
>with Juliano Rizzo, developed the attack against ASP.NET.

The earlier work is also pretty devastating against CAPTCHAs (as well as being a damn good read, "Sudo make me a CAPTCHA" :-). A great many CAPTCHAs work by using a hidden form field containing the encrypted solution to the CAPTCHA, which is then POSTed back to the server along with the client's solution (this is needed to make the operation stateless). If the decrypted version matches what the client provides, they've solved the CAPTCHA. So all an attacker has to do is solve one CAPTCHA manually and then replay the encrypted version back along with the solution as often as they like; you don't need to hire a Pakistani Internet cafe any more for your CAPTCHA-breaking.

This destroys an awful lot of CAPTCHAs, and isn't at all easy to fix because of the requirement to keep it stateless.

Peter.
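
The replay weakness described in the message above, shown from the server's side as an added example that is not part of the original post. It assumes an HMAC over the solution as a stand-in for the encrypted hidden field (the replay depends on the missing freshness, not on the cipher), and all names are hypothetical; the hardened verifier keeps a table of spent nonces, so it gives up the strict statelessness the message refers to.

```python
import hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)  # server secret, generated here for the example

def _tag(*fields):
    # JSON framing keeps field boundaries unambiguous inside the MAC input.
    return hmac.new(KEY, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

# Pattern from the message: the hidden field depends only on the solution,
# so one solved (token, answer) pair verifies forever.
def naive_issue(solution):
    return _tag(solution)

def naive_verify(token, answer):
    return _same(token, _tag(answer))

# Hardened: expiry and a random nonce are bound into the token, and each
# nonce is accepted once. `spent` is the server-side state this costs.
class SingleUseCaptcha:
    def __init__(self, ttl=120):
        self.ttl = ttl
        self.spent = {}  # nonce -> expiry time

    def issue(self, solution, now=None):
        now = time.time() if now is None else now
        expiry, nonce = str(int(now) + self.ttl), secrets.token_hex(16)
        return f"{expiry}.{nonce}.{_tag(expiry, nonce, solution)}"

    def verify(self, token, answer, now=None):
        now = time.time() if now is None else now
        try:
            expiry, nonce, tag = token.split(".")
            deadline = int(expiry)
        except ValueError:
            return False
        if not _same(tag, _tag(expiry, nonce, answer)):
            return False  # forged token or wrong answer
        if now > deadline or nonce in self.spent:
            return False  # expired or replayed
        # Drop nonces whose tokens have expired anyway, then record this one.
        self.spent = {n: d for n, d in self.spent.items() if d >= now}
        self.spent[nonce] = deadline
        return True
```

The expiry bounds how long a nonce has to be remembered, so the table stays small, but it still has to be shared by every server that verifies tokens.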