oss-sec mailing list archives
Re: attacking hsts through ntp
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 16 Oct 2014 09:56:06 -0600
On 16/10/14 06:03 AM, Hanno Böck wrote:
it's a pretty neat and simple idea: Kill HSTS through NTP by sending victims PC into the future. https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf Same should work for HPKP. The idea of setting some security feature through a header needs a revisit. The solution would be to have a more reliable PC time. How do we do that?
The obvious solution being to whitelist your site (in the chrome/firefox source code)if you truly care: email agm () chromium org asking to be added to the whitelist, from the domain you want white listed (otherwise they tend to ignore it). Usually within a few business days they'll add it to the source code, and then in the next browser update they will update the list and you will now be white listed. https://chromium.googlesource.com/chromium/chromium/+/trunk/net/http/transport_security_state_static.json I've done this for my domains, you should too! -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Lukas Reschke (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Michal Zalewski (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Adam Langley (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)