webtier@glassfish.java.net

Remediating the Oracle Padding Attack

From: <webtier_at_javadesktop.org>
Date: Fri, 10 Sep 2010 12:07:48 PDT

Is the JSF development team aware of the Oracle Padding Attack against its client-side encryption? http://netifera.com/research/poet/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf

There are now active exploit tools released to take advantage of this vulnerability. What's the plan for ensuring that encrypted state is also protected with a Hashed Message Authentication Code to ensure integrity?
[Message sent by forum member 'rksethi']

http://forums.java.net/jive/thread.jspa?messageID=482376
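The integrity check the question asks for, as an added example that is not JSF's own code: the whole blob (IV and ciphertext) is authenticated with HMAC-SHA256 under a key separate from the AES key, and the tag is compared in constant time before any decryption, so a modified blob is rejected without the CBC padding ever being examined. The class name, wire layout and key sizes are assumptions for the example.

```java
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Encrypt-then-MAC wrapper for serialized view state (added illustration, not JSF's own code). */
public final class SealedViewState {
    private static final int IV_LEN = 16, TAG_LEN = 32;
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec encKey, macKey; // independent keys for AES-CBC and HMAC-SHA256
    public SealedViewState(byte[] aesKey, byte[] hmacKey) {
        encKey = new SecretKeySpec(aesKey, "AES");
        macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }
    private byte[] tag(byte[] data, int len) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(data, 0, len);
        return mac.doFinal();
    }
    private byte[] cbc(int mode, byte[] iv, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, encKey, new IvParameterSpec(iv));
        return c.doFinal(data);
    }
    /** Wire layout (assumed): IV || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext). */
    public byte[] seal(byte[] state) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN]; RNG.nextBytes(iv);
        byte[] ct = cbc(Cipher.ENCRYPT_MODE, iv, state);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length + TAG_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        System.arraycopy(tag(out, IV_LEN + ct.length), 0, out, IV_LEN + ct.length, TAG_LEN);
        return out;
    }
    /** Checks the tag in constant time BEFORE decrypting, so a modified blob never reaches the padding check. */
    public byte[] open(byte[] blob) throws GeneralSecurityException {
        if (blob.length < IV_LEN + TAG_LEN) throw new GeneralSecurityException("state rejected");
        int ctEnd = blob.length - TAG_LEN;
        byte[] given = Arrays.copyOfRange(blob, ctEnd, blob.length);
        if (!MessageDigest.isEqual(tag(blob, ctEnd), given)) throw new GeneralSecurityException("state rejected");
        return cbc(Cipher.DECRYPT_MODE, Arrays.copyOf(blob, IV_LEN), Arrays.copyOfRange(blob, IV_LEN, ctEnd));
    }
    public static void main(String[] args) throws Exception {
        byte[] k1 = new byte[16], k2 = new byte[32]; RNG.nextBytes(k1); RNG.nextBytes(k2);
        SealedViewState s = new SealedViewState(k1, k2);
        byte[] blob = s.seal("constructed view state".getBytes("UTF-8")); // constructed sample state
        blob[IV_LEN] ^= 1; // corrupt one ciphertext byte to simulate a tampered postback
        try { s.open(blob); } catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same "state rejected" error is raised for a short blob and for a bad tag, so the response does not distinguish padding failures from integrity failures.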