Why does the recent ASP.NET security vulnerability specify an html error page to redirect to pre ASP.NET 3.5 SP1 but an aspx page for later versions?

+1  A: 

AFAIK, it does not really matter what you redirect to (html or aspx). The main point is to redirect to a page that displays the same HTML regardless of whether the error was a 404 or a 500.

Andreas Paulsson
I think it's because the further protection is only available in .NET 3.5 SP1, so there is no need for an aspx page.
AJM
e.g. "If you are using .NET Framework version 3.5 SP1 or 4.0, the workaround provides further protection by also helping to mitigate against potential timing analysis attacks. The workaround uses the redirectMode="ResponseRewrite" option in the customErrors feature, and introduces a random delay in the error page. These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error."
AJM
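
The difference discussed in this thread, as an added example that is not part of the original posts or of the advisory text quoted above: a single error page that returns the same HTML for every error and adds the random delay, with the two `customErrors` settings shown in its comment. The file names `error.aspx` and `error.html` and the 0-255 ms delay range are assumptions chosen for illustration.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<%--
  Added example. File names and delay range are assumptions.

  web.config on .NET 3.5 SP1 / 4.0 (redirectMode exists from 3.5 SP1 on):
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />

  web.config on earlier versions (no redirectMode, so no server-side
  delay step is configured and a static page serves every error):
    <customErrors mode="On" defaultRedirect="~/error.html" />

  In both cases there are no per-status <error> child elements, so a 404
  and a 500 produce the same response body.
--%>
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        // One random byte from the OS CSPRNG gives a delay of 0-255 ms,
        // so response time no longer tracks the kind of error raised.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RandomNumberGenerator is not IDisposable on every framework
        // version, so dispose only when the interface is present.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }
    }
</script>
<html>
<head><title>Error</title></head>
<body>
    <!-- Identical markup for every error: no status code, no exception text. -->
    <p>An error occurred while processing your request.</p>
</body>
</html>
```

The delay needs server-side code, which is why the page has to be an `.aspx` where that extra protection is available; a static `.html` page can only provide the identical-response part.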