[Esapi-user] [Esapi-dev] Why ESAPI crypto uses a custom serialization scheme

Jim Manico jim.manico at owasp.org
Sat May 1 18:34:16 EDT 2010


> but in some way you have not potentially
> allowing the attacker to access all your encrypted data rather than
> just the decrypted data that was available to the user on that one
> compromised accountant's PC.

But still - I call this game over. You need to disclose this breach
if discovered. The attacker has regular access to this account. If
this user is an admin, the attacker can override CSRF protections and
"administer" other users. Etc...

I still say client compromise is a critical event that will have a
significant impact undermining the security of every user in the victim's
web of trust.

Jim Manico

On May 1, 2010, at 10:22 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com>  
wrote:

> s. I don't care what it is, but in some way you have not potentially
> allowing the attacker to access all your encrypted data rather than
> just the decrypted data that was available to the user on that one
> compromised accountant's PC.