oss-sec mailing list archives

Re: attacking hsts through ntp


From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 17 Oct 2014 11:32:53 +0200

On Fri, Oct 17, 2014 at 09:53:29AM +0200, Hanno Böck wrote:
> On Thu, 16 Oct 2014 18:45:18 -0600, Kurt Seifried <kseifried () redhat com> wrote:
>
> > You can't trust remote servers you're getting the content from... what
> > if I send wonky times to try and screw with your browser? Or header
> > injection attacks? No thanks.
>
> It's not entirely a bad idea. You could say "if http header time and
> system time differ severely (> 1 week or something) then don't connect
> to hsts sites".

Sounds a bit like Kerberos.
-- 
Yves-Alexis

Attachment: signature.asc
Description: Digital signature
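The check sketched in Hanno's quoted reply, modelled here as an added example; it is not code from the thread, from Debian, or from any browser. It assumes a toy HSTS store holding one entry with a one-year max-age, a 7-day threshold taken from the reply's "> 1 week or something", constructed timestamps, and that the Date header of the first response is what the client compares against its own clock. The third scenario models the objection in the doubly quoted text: an attacker who already controls the plaintext response can send a Date that agrees with the skewed clock, so the check only catches clock tampering that is not paired with a forged header.

```python
"""Added example (not from the thread or any browser): a toy HSTS store whose
expiry depends on the local clock, plus the skew check proposed in the thread,
which compares the server's HTTP Date header against the local clock and
refuses to talk to a known-HSTS host when they disagree by more than a
threshold. All timestamps are constructed for the demonstration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Threshold from the thread ("> 1 week or something"); an assumption here.
MAX_SKEW = timedelta(days=7)


def store_hsts(max_age_seconds: int, now: datetime) -> datetime:
    """Record an HSTS entry the way a client does: as an absolute expiry
    computed from the local clock. That dependency is what clock tampering
    (e.g. via unauthenticated NTP) exploits."""
    return now + timedelta(seconds=max_age_seconds)


def hsts_in_force(expires_at: datetime, now: datetime) -> bool:
    """Naive check: the entry is live only while the local clock says so,
    so a clock pushed forward past max-age expires it."""
    return now < expires_at


def clock_skew(date_header: str, now: datetime) -> timedelta:
    """Local clock minus the server's Date header (RFC 7231 IMF-fixdate).
    Positive means the local clock runs ahead of the server."""
    server_now = parsedate_to_datetime(date_header)
    if server_now.tzinfo is None:  # a "-0000" zone parses as naive UTC
        server_now = server_now.replace(tzinfo=timezone.utc)
    return now - server_now


def connect_policy(expires_at: datetime, date_header: str, now: datetime) -> str:
    """Decide what a client does for a host it holds an HSTS entry for.

    'https'          - skew is small and the entry is still in force
    'refuse'         - the proposed check: Date and local clock disagree
                       badly, so do not connect to this HSTS host at all
    'http-downgrade' - what a naive client does once the entry looks expired
    """
    if abs(clock_skew(date_header, now)) > MAX_SKEW:
        return "refuse"
    return "https" if hsts_in_force(expires_at, now) else "http-downgrade"


def run_scenarios() -> dict:
    """Three constructed cases: honest clock; clock skewed forward by a rogue
    time source but honest Date header; clock skewed and the (attacker-
    controlled) response carries a Date that agrees with the skewed clock,
    which is the objection raised in the doubly quoted reply."""
    t0 = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)   # constructed
    expires_at = store_hsts(365 * 86400, t0)                  # max-age = 1 year
    real_now = t0 + timedelta(days=1)
    skewed_now = t0 + timedelta(days=400)                     # past max-age
    honest_date = format_datetime(real_now, usegmt=True)
    forged_date = format_datetime(skewed_now, usegmt=True)
    return {
        "naive_expired_under_skew": not hsts_in_force(expires_at, skewed_now),
        "honest_clock": connect_policy(expires_at, honest_date, real_now),
        "skewed_clock_honest_date": connect_policy(expires_at, honest_date, skewed_now),
        "skewed_clock_forged_date": connect_policy(expires_at, forged_date, skewed_now),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28} -> {outcome}")
```

Running it shows the three outcomes side by side: the naive client treats the entry as expired once the clock is 400 days ahead, the skew check refuses when the server's honest Date exposes the bad clock, and the same check passes when the Date is forged to match, leaving the naive downgrade in place.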
