Date: Sat, 20 Dec 2014 12:27:36 +0100
From: Hanno Böck <hanno@...eck.de>
To:
  "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: can we talk about secure time?

Hi,

So we know now that the default ntp implementation most people use has
some severe security vulnerabilities. And some people think we should
either rewrite it or use the one from openbsd.

A strange discussion. Because ntp is insecure by design. It is an
unauthenticated, insecure protocol that is susceptible to
man-in-the-middle attacks. Frankly, I don't care which implementation
of an insecure protocol has fewer buffer overflows.

This is not a theoretical problem:
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
https://github.com/PentesterES/Delorean


Is there any reason not to tell everyone to use tlsdate?
What's the distros' take on this? afaik many ship ntp-based solutions
by default.

Also see my comment:
https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
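As an added illustration of the design weakness the mail describes (this is not part of Hanno's post): a minimal parser for a plain NTP server reply that computes the RFC 5905 clock offset and applies the sanity check a client-side defender would want, refusing replies that would step the clock by more than an assumed threshold. The packets, timestamps and the threshold value are constructed for the example.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
MAX_STEP_SECONDS = 1000.0      # largest clock correction we accept (assumed local policy)
HEADER = "!BBbbIIIQQQQ"        # 48-byte NTP header: LI/VN/mode, stratum, poll, precision,
                               # root delay, root dispersion, ref id, four 64-bit timestamps

def to_unix(ts):
    """64-bit NTP fixed-point timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / 2**32

def to_ntp(unix):
    """Unix seconds -> 64-bit NTP timestamp (used only to construct sample packets)."""
    secs = int(unix)
    return ((secs + NTP_EPOCH_DELTA) << 32) | int((unix - secs) * 2**32)

def build_reply(t1, t2, t3):
    """Constructed NTPv4 server reply (mode 4, stratum 2) carrying the given timestamps."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack(HEADER, li_vn_mode, 2, 6, -20, 0, 0, 0x47505300,
                       to_ntp(t3), to_ntp(t1), to_ntp(t2), to_ntp(t3))

def check_reply(pkt, t1, t4):
    """Evaluate a reply against our request time t1 and receive time t4 (client clock).

    Returns the computed offset and whether a cautious client would apply it: the
    header must look like a server reply, the origin timestamp must echo our request
    (stops blind off-path spoofing, not an on-path MITM), and the implied clock step
    must stay within MAX_STEP_SECONDS. A bare 48-byte packet carries no MAC at all.
    """
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, _, _, _, _, _, _, orig, recv, xmit = struct.unpack(HEADER, pkt[:48])
    version, mode = (li_vn_mode >> 3) & 0x7, li_vn_mode & 0x7
    t2, t3 = to_unix(recv), to_unix(xmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2      # RFC 5905 clock offset estimate
    sane_header = version in (3, 4) and mode == 4 and 1 <= stratum <= 15
    origin_matches = abs(to_unix(orig) - t1) < 1e-3
    step_ok = abs(offset) <= MAX_STEP_SECONDS
    return {"offset": offset, "mac_present": len(pkt) > 48,
            "accept": sane_header and origin_matches and step_ok}

# Constructed sample: a client whose clock read T1 when it sent the request.
T1 = 1419078000.0
T4 = T1 + 0.030
HONEST_REPLY = build_reply(T1, T1 + 0.010, T1 + 0.020)            # offset ~ 0, accepted
SHIFTED_REPLY = build_reply(T1, T1 + 63072000, T1 + 63072000.01)  # ~2 years ahead, refused

if __name__ == "__main__":
    for name, pkt in (("honest", HONEST_REPLY), ("shifted", SHIFTED_REPLY)):
        print(name, check_reply(pkt, T1, T4))
```

The shifted reply is exactly the kind of clock jump that pushes HSTS entries and certificates past their validity, which is why a client should bound steps rather than trust whatever arrives unauthenticated.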

