Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Oct 2014 09:56:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: attacking hsts through ntp

On 16/10/14 06:03 AM, Hanno Böck wrote:
> it's a pretty neat and simple idea:
> Kill HSTS through NTP by sending victims PC into the future.
> https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
> 
> Same should work for HPKP. The idea of setting some security feature
> through a header needs a revisit.
> The solution would be to have a more reliable PC time. How do we do
> that?

The obvious solution being to whitelist your site (in the chrome/firefox
source code)if you truly care:

email agm@...omium.org asking to be added to the whitelist, from the
domain you want white listed (otherwise they tend to ignore it). Usually
within a few business days they'll add it to the source code, and then
in the next browser update they will update the list and you will now be
white listed.

https://chromium.googlesource.com/chromium/chromium/+/trunk/net/http/transport_security_state_static.json

I've done this for my domains, you should too!

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ