Date: Thu, 16 Oct 2014 21:45:34 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: attacking hsts through ntp

Am Thu, 16 Oct 2014 09:56:06 -0600
schrieb Kurt Seifried <kseifried@...hat.com>:

> The obvious solution being to whitelist your site (in the
> chrome/firefox source code) if you truly care:

No.

While this is neat (and I already did this for my most important
domains) this won't help.

The reason: HSTS preloaded sites are handled exactly the same way as
normal HSTS sites - they can expire. Chrome sets a maximum timeout for
HSTS of 1000 days for preloaded sites. That was elaborated in the talk
today. He demonstrated the attack on google mail which is in this
whitelist. Set clock 3 years into the future and you're done.

It could be argued that it is wrong to expire preloaded HSTS sites. But
the very same attack applies to HPKP which basically has to expire,
because you don't want to use keys forever.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
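The point of the post is that a preloaded HSTS entry still carries a lifetime, so a client whose clock has jumped past that lifetime no longer enforces the policy. The following added example (mine, not Hanno's, Chrome's or Firefox's code) models that in a few dozen lines of Python: an RFC 6797 header parser, a per-host policy store, and a `must_use_https()` check that drops entries once the supplied clock passes their expiry. The 1000-day figure is the cap the post cites; applying it as a plain `min()` at store time, the `expire_preloaded` switch (to model the alternative the post mentions, preloaded entries that never expire), and the `example.com` hosts and dates are my assumptions, not facts from the thread.

```python
"""Simplified model of browser HSTS storage and expiry (added example, not
browser code). Models the behaviour described in the post: a preloaded entry
is stored like any other entry with a capped lifetime, so a clock that jumps
far enough into the future sees it as expired."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DAY = 86400
PRELOAD_CAP_SECONDS = 1000 * DAY   # cap cited in the post; applying it via min() is an assumption

# One directive: name, optionally "=" and a quoted string or unquoted token.
_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("[^"]*"|[^;\s]+))?\s*$')


def parse_sts_header(value):
    """Parse a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains; preload' (RFC 6797 syntax).
    Names are case-insensitive, max-age may be quoted, unknown directives are ignored."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE_RE.match(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if arg is None or not arg.strip('"').isdigit():
                raise ValueError(f"max-age needs delta-seconds, got {arg!r}")
            result["max_age"] = int(arg.strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":           # not in RFC 6797; used by preload-list submissions
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


@dataclass
class HstsEntry:
    expires_at: datetime          # absolute expiry, fixed using the clock at store time
    include_subdomains: bool
    preloaded: bool


class HstsStore:
    """Per-host HSTS policies; every method takes the client's current clock."""

    def __init__(self, expire_preloaded=True):
        # True models what the post describes; False models "preloaded never expires".
        self.entries = {}
        self.expire_preloaded = expire_preloaded

    def preload(self, host, now, include_subdomains=True):
        """A built-in list entry, stored as an ordinary entry with the cap applied."""
        self.entries[host.lower()] = HstsEntry(
            now + timedelta(seconds=PRELOAD_CAP_SECONDS), include_subdomains, True)

    def observe_header(self, host, header_value, now):
        """Store or refresh a dynamic policy from a header received over HTTPS."""
        d = parse_sts_header(header_value)
        if d["max_age"] == 0:                       # max-age=0 deletes the policy
            self.entries.pop(host.lower(), None)
            return
        self.entries[host.lower()] = HstsEntry(
            now + timedelta(seconds=d["max_age"]), d["include_subdomains"], False)

    def must_use_https(self, host, now):
        """True if a live policy covers host (directly or via includeSubDomains)."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or (i > 0 and not entry.include_subdomains):
                continue
            if now >= entry.expires_at and (self.expire_preloaded or not entry.preloaded):
                del self.entries[candidate]         # the expiry the post is about
                continue
            return True
        return False


def demo():
    """Replay the post's scenario on a constructed host. Returns
    (enforced now, enforced after a 3-year clock jump, same jump with non-expiring preload)."""
    t0 = datetime(2014, 10, 16, tzinfo=timezone.utc)   # constructed: date of the post
    skewed = t0 + timedelta(days=3 * 365)               # "set clock 3 years into the future"
    store = HstsStore(expire_preloaded=True)
    store.preload("example.com", t0)                    # placeholder host, not a real list entry
    before = store.must_use_https("mail.example.com", t0)
    after = store.must_use_https("mail.example.com", skewed)
    strict = HstsStore(expire_preloaded=False)
    strict.preload("example.com", t0)
    return before, after, strict.must_use_https("mail.example.com", skewed)


def dynamic_demo():
    """A dynamic max-age=600 policy one second before and at its expiry."""
    t0 = datetime(2014, 10, 16, tzinfo=timezone.utc)
    store = HstsStore()
    store.observe_header("www.example.com", "max-age=600", t0)
    return (store.must_use_https("www.example.com", t0 + timedelta(seconds=599)),
            store.must_use_https("www.example.com", t0 + timedelta(seconds=600)))


if __name__ == "__main__":
    print("preloaded: now / +3y / +3y non-expiring ->", demo())
    print("dynamic max-age=600: +599s / +600s ->", dynamic_demo())
```

`demo()` returns `(True, False, True)`: the same clock jump that the post describes empties the store when preloaded entries follow normal expiry, and leaves it intact only under the alternative the post says "could be argued". From a defender's view, the model also shows why the cap matters for HPKP: a pin set that must be allowed to expire is subject to the same clock-driven lifetime check, whatever the list it came from.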

