No. That was a terrible design. They screwed up the implementation --- developers, no matter how competent, can be relied upon to screw something up in every system --- and as a result Thai Duong and Juliano Rizzo managed to write a CBC padding oracle exploit that worked against huge numbers of real-world ASP.NET systems.
ASP.NET Forms are a pretty good textbook case study of why you should never build unnecessary crypto into your system. Microsoft spends millions every year on external security validation and also keeps a highly regarded team of crypto designers on staff. Still missed the most blatant web crypto flaw of 2010.
ASP.NET Forms are a pretty good textbook case study of why you should never build unnecessary crypto into your system. Microsoft spends millions every year on external security validation and also keeps a highly regarded team of crypto designers on staff. Still missed the most blatant web crypto flaw of 2010.