Date: Thu, 16 Oct 2014 13:45:16 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: attacking hsts through ntp

> The reason: HSTS preloaded sites are handled exactly the same way as
> normal HSTS sites - they can expire.

I haven't looked at the actual code, but Adam Langley said this on
another mailing list:

---------- Forwarded message ----------
From: Adam Langley <agl@...gle.com>
Date: Thu, Oct 16, 2014 at 9:01 AM
Subject: Re: NTP vs. HSTS
To: Anne van Kesteren <annevk@...evk.nl>
Cc: John Kemp <john@...mp.net>, "public-webappsec@...org"
<public-webappsec@...org>


On Thu, Oct 16, 2014 at 8:11 AM, Anne van Kesteren <annevk@...evk.nl> wrote:
> On Thu, Oct 16, 2014 at 5:01 PM, John Kemp <john@...mp.net> wrote:
>> https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
>
> So the problem is that time synchronization does not happen over TLS.
> That seems like a pretty big flaw in OSs. Hopefully someone audits any
> other unauthenticated channels they may have.

This is the motivation for things like tlsdate
(https://github.com/ioerror/tlsdate) as used in parts of ChromeOS.

However, in section seven, where the author claims that preloaded
entries are added for 1000 days, that's only via the net-internals
debugging interface. (The code screenshot shown is also of code for
that debugging interface.) I believe that preloaded entries in Chrome
will always be enforced, no matter what the system time is.


Cheers

AGL
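
The distinction drawn in the forwarded message, as an added example that is not part of the original thread and not Chrome's code: a toy HSTS store in which dynamic entries carry an absolute expiry derived from max-age while preloaded entries never consult the clock. The class, function and host names and the timestamp are assumptions constructed for illustration, and the preload behaviour modelled is the one the forwarded message believes Chrome has.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds


@dataclass
class HstsStore:
    """Toy model of a browser's HSTS state (hypothetical, not Chrome's code)."""
    preloaded: frozenset = frozenset()           # shipped with the browser, no expiry
    dynamic: dict = field(default_factory=dict)  # host -> absolute expiry (epoch seconds)

    def note_header(self, host, max_age, now):
        """Record a Strict-Transport-Security header seen over HTTPS at time `now`."""
        if max_age == 0:
            self.dynamic.pop(host, None)  # RFC 6797: max-age=0 removes the entry
        else:
            self.dynamic[host] = now + max_age

    def must_upgrade(self, host, now):
        """True if a plain-http request to `host` must be rewritten to https."""
        if host in self.preloaded:
            return True  # the system clock is never consulted
        expiry = self.dynamic.get(host)
        return expiry is not None and now < expiry


def survey(store, hosts, now):
    """Evaluate every host against the store as seen by a clock reading `now`."""
    return {h: store.must_upgrade(h, now) for h in hosts}


def demo():
    t0 = 1413492316  # constructed timestamp for when the header was received
    store = HstsStore(preloaded=frozenset({"preloaded.example"}))
    store.note_header("dynamic.example", 365 * DAY, t0)
    hosts = ["preloaded.example", "dynamic.example", "plain.example"]
    honest = survey(store, hosts, t0 + DAY)        # clock roughly correct
    skewed = survey(store, hosts, t0 + 366 * DAY)  # clock moved past max-age
    return honest, skewed


if __name__ == "__main__":
    honest, skewed = demo()
    print("honest clock:", honest)
    print("skewed clock:", skewed)
```

Only the dynamic entry changes state between the two clock readings, which is why the trustworthiness of the time source matters for hosts that are not on the preload list.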
