Can anybody direct me to an official response from Microsoft to the recently identified, and highly exaggerated and sensationalised, Padding Oracle / AES cookie encryption vulnerability which allegedly affects various platforms including Java, Ruby on Rails, and ASP.NET?
As far as I can tell, this issue is not as serious on any of the affected platforms as the regurgitated suggestions in the hyped articles seem to imply. Data is only compromised if developers are careless enough to . And despite all the headlines mentioning banking and singling out ASP.NET, websites where security is that important should all be using HTTPS.
One highly sensationalised headline and article about this, which only mentioned ASP.NET, has been picked up and distributed and repeated prolifically. And sensationalist hype is a good way to get people to click on and share a link to your website. However, as fun and trendy as it may be to try and find reasons to criticise Microsoft technology, it is also dangerous and irresponsible when doing so overlooks or neglects to mention other platforms affected by the same type of vulnerability. Nevertheless, it's reassuring to know that potential issues in MS technology are quickly flagged and hard to miss, because they attract so much publicity.