Date: Thu, 16 Oct 2014 13:45:16 -0700 From: Michal Zalewski <lcamtuf@...edump.cx> To: oss-security <oss-security@...ts.openwall.com> Subject: Re: attacking hsts through ntp > The reason: HSTS preloaded sites are handled exactly the same way as > normal HSTS sites - they can expire. I haven't looked at the actual code, but Adam Langley said this on another mailing list: ---------- Forwarded message ---------- From: Adam Langley <agl@...gle.com> Date: Thu, Oct 16, 2014 at 9:01 AM Subject: Re: NTP vs. HSTS To: Anne van Kesteren <annevk@...evk.nl> Cc: John Kemp <john@...mp.net>, "public-webappsec@...org" <public-webappsec@...org> On Thu, Oct 16, 2014 at 8:11 AM, Anne van Kesteren <annevk@...evk.nl> wrote: > On Thu, Oct 16, 2014 at 5:01 PM, John Kemp <john@...mp.net> wrote: >> https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf > > So the problem is that time synchronization does not happen over TLS. > That seems like a pretty big flaw in OSs. Hopefully someone audits any > other unauthenticated channels they may have. This is the motivation for things like tlsdate (https://github.com/ioerror/tlsdate) as used in parts of ChromeOS. However, in section seven, where the author claims that preloaded entries are added for 1000 days, that's only via the net-internals debugging interface. (The code screenshot shown is also of code for that debugging interface.) I believe that preloaded entries in Chrome will always be enforced, no matter what the system time is. Cheers AGL
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.