oss-sec mailing list archives
can we talk about secure time?
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 20 Dec 2014 12:27:36 +0100
Hi,

So we know now that the default ntp implementation most people use has some severe security vulnerabilities. And some people think we should either rewrite it or use the one from openbsd.

A strange discussion. Because ntp is insecure by design. It is an unauthenticated, insecure protocol that is susceptible to man-in-the-middle attacks. Frankly, I don't care which implementation of an insecure protocol has fewer buffer overflows.

This is not a theoretical problem:
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
https://github.com/PentesterES/Delorean

Is there any reason not to tell everyone to use tlsdate? What's the distro's take on this? afaik many ship ntp-based solutions by default.

Also see my comment:
https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html

cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42