Date: Sat, 20 Dec 2014 12:27:36 +0100
From: Hanno Böck <hanno@...eck.de>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: can we talk about secure time?

Hi,

So we know now that the default ntp implementation most people use has
some severe security vulnerabilities. And some people think we should
either rewrite it or use the one from openbsd.

A strange discussion. Because ntp is insecure by design. It is an
unauthenticated, insecure protocol that is susceptible to
man-in-the-middle attacks. Frankly, I don't care which implementation of
an insecure protocol has fewer buffer overflows.

This is not a theoretical problem:
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
https://github.com/PentesterES/Delorean

Is there any reason not to tell everyone to use tlsdate? What's the
distros' take on this? afaik many ship ntp-based solutions by default.

Also see my comment:
https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42