From the article: "The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys."
I'm pretty sure I already know my bank balance, so hiding it from me seems pretty pointless. And like I said, protecting an app from its users by encrypting cookies is a stupid idea from the start.
I thought "the crypto is protecting the app from its users" was pretty clear, but apparently it wasn't. Let me try it again: "the crypto that Juliano and Thai broke is protecting your bank from you". Is that more helpful? The attack doesn't involve sniffing.
Can I ask, what's the psychology of knee-jerk "this vulnerability doesn't matter" comments? You clearly don't know what the flaw is, and that's fine, but I'm really curious: why do you want it to be pointless? Isn't the world a more interesting place when ASP.NET can blow up spectacularly because of a 2-line programming error?
OK, fine, the crypto is protecting the bank from me. It's still stupid. Don't send users secrets with the implicit promise that they won't tamper with them.
It's a lot better for my bank to not send me anything to tamper with. Then it doesn't matter if the crypto works or not, because there's nothing I can tamper with.
Why is it pointless to point out that there's a better way to build apps that avoids the entire flaw?
What's your point? That you don't like the way ASP.NET, J2EE/JSF, Rails, and Django work? You started out saying "just use SSL and you don't have this problem". You were wrong. Then you said "but all I can see is stuff I already know". You were wrong there too. Now you've backpedaled all the way to first principles. Sure, now you're not wrong; indeed, if everyone just redesigns their applications not to use AES at all, they will in fact be safer.
OK, the jab about SSL was misguided. On my first read of the article, I thought it was about protecting cookies from eavesdroppers. I didn't consider people attacking the app because I thought it was kind of silly that you'd leave yourself open to that. Oh well, turns out I'm wrong and the world is crazy.