oss-sec mailing list archives

attacking hsts through ntp

From: Hanno Böck <hanno () hboeck de>
Date: Thu, 16 Oct 2014 14:03:57 +0200

it's a pretty neat and simple idea:
Kill HSTS through NTP by sending victims PC into the future.
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf

Same should work for HPKP. The idea of setting some security feature
through a header needs a revisit.
The solution would be to have a more reliable PC time. How do we do
that?

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
Description:

Current thread:

attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
  - Re: attacking hsts through ntp Lukas Reschke (Oct 16)
  - Re: attacking hsts through ntp Hanno Böck (Oct 16)
    - Re: attacking hsts through ntp Kurt Seifried (Oct 16)
    - Re: attacking hsts through ntp Hanno Böck (Oct 16)
    - Re: attacking hsts through ntp Kurt Seifried (Oct 16)
    - Re: attacking hsts through ntp Michal Zalewski (Oct 16)
    - Re: attacking hsts through ntp Hanno Böck (Oct 16)
    - Re: attacking hsts through ntp Adam Langley (Oct 16)
- Re: attacking hsts through ntp Michael Samuel (Oct 16)

(Thread continues...)