Sep 17, 2010 11:29 AM|Tim Acheson
Can anybody direct me to an official response from Microsoft to the recently identified, and highly exaggerated and sensationalised, Padding Oracle / AES cookie encryption vulnerability which allegedly affects various platforms including Java, Ruby on Rails,
As far as I can tell, this issue is not as serious on any of the affected platforms as the regurgitated suggestions in the hyped articles seem to imply. Data is only compromised if developers are careless enough to . And despite all the headlines mentioning
banking and singling out ASP.NET, websites where security is that important should all be using HTTPS.
One highly sensationalised headline and article about this, which only mentioned ASP.NET, has been picked up and distributed and repeated prolifically. And sensationalist hype is a good way to get people to click on and share a link to your website. However,
as fun and trendy as it may be to try and find reasons to criticise Microsoft technology, it is also dangerous and irresponsible when doing so overlooks or neglects to mention other platforms affected by the same type of vulnerability. Nevertheless, it's reassuring
to know that potential issues in MS technology are quickly flagged and hard to miss, because they attract so much publicity. The original report presented at WOOT 2010 doesn't even mention ASP.NET. Of course, various other platforms may be vulnerable, e.g.
Python, which have not yet been tested because they are not very numerous/popular.