Date: Fri, 17 Oct 2014 11:32:53 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: attacking hsts through ntp On Fri, Oct 17, 2014 at 09:53:29AM +0200, Hanno Böck wrote: > Am Thu, 16 Oct 2014 18:45:18 -0600 > schrieb Kurt Seifried <kseifried@...hat.com>: > > > You can't trust remote servers you're getting the content from... what > > if I send wonky times to try and screw with your browser? Or header > > injection attacks? No thanks. > > It's not entirely a bad idea. You could say "if http header time and > system time differ severely (> 1 week or something) then don't connect > to hsts sites". Sounds a bit like kerberos -- Yves-Alexis Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.