oss-sec mailing list archives

Re: attacking hsts through ntp


From: Hanno Böck <hanno () hboeck de>
Date: Thu, 16 Oct 2014 21:45:34 +0200

On Thu, 16 Oct 2014 09:56:06 -0600,
Kurt Seifried <kseifried () redhat com> wrote:

> The obvious solution being to whitelist your site (in the
> chrome/firefox source code) if you truly care:

No.

While this is neat (and I already did this for my most important
domains) this won't help.

The reason: HSTS preloaded sites are handled exactly the same way as
normal HSTS sites - they can expire. Chrome sets a maximum timeout for
HSTS of 1000 days for preloaded sites. That was elaborated in the talk
today. He demonstrated the attack on google mail which is in this
whitelist. Set clock 3 years into the future and you're done.

It could be argued that it is wrong to expire preloaded HSTS sites. But
the very same attack applies to HPKP which basically has to expire,
because you don't want to use keys forever.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
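The expiry behaviour described in the mail, as an added Python model that is not code from the thread's authors or from any browser: every HSTS entry, preloaded or not, carries an expiry capped at 1000 days (the cap the mail attributes to Chrome's preloaded sites; applying it to all entries is an assumption of this model), so a system clock moved three years ahead makes the entry look expired and enforcement lapses. The hypothetical `freeze_preloaded` mode models the alternative the mail mentions, preloaded entries that never expire. Host names and timestamps in the demo are constructed.

```python
"""Toy model of HSTS policy expiry under a manipulated system clock.

Added illustration for this thread; it is not code from any browser or
from the thread's authors. Assumptions: a 1000-day cap on every HSTS
entry (the mail describes such a cap for Chrome's preloaded sites), and a
hypothetical freeze_preloaded mode that models the suggestion that
preloaded entries should not expire at all. Times are Unix seconds.
"""
import re

DAY = 86400
MAX_LIFETIME = 1000 * DAY  # cap described in the mail (assumed here to apply to all entries)

_MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the mandatory
    max-age directive is absent (RFC 6797 requires it)."""
    max_age = None
    include_sub = False
    for directive in (d.strip() for d in value.split(";")):
        if not directive:
            continue
        m = _MAX_AGE_RE.fullmatch(directive)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-host HSTS policies keyed by exact host name."""

    def __init__(self, freeze_preloaded=False):
        self.freeze_preloaded = freeze_preloaded
        self._entries = {}  # host -> (expires_at, include_subdomains, preloaded)

    def preload(self, host, include_subdomains, built_at):
        # A preloaded entry behaves like a dynamic one: it still carries an
        # expiry, here the cap counted from when the preload list was built.
        self._entries[host] = (built_at + MAX_LIFETIME, include_subdomains, True)

    def observe_header(self, host, header, observed_at):
        """Apply an STS header seen over HTTPS; returns False if it was unparseable."""
        parsed = parse_sts_header(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the client to forget the policy
        else:
            self._entries[host] = (observed_at + min(max_age, MAX_LIFETIME), include_sub, False)
        return True

    def is_enforced(self, host, now):
        """True if a plain-HTTP request for host must be upgraded to HTTPS at time now.

        The clock value is the only time input the store has; a clock moved far
        enough ahead makes every capped entry look expired."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub, preloaded = entry
            if i > 0 and not include_sub:
                continue  # a parent policy without includeSubDomains does not cover us
            if preloaded and self.freeze_preloaded:
                return True  # hypothetical mode: preloaded entries never lapse
            if now < expires_at:
                return True
        return False


def clock_skew_demo(host="mail.google.com", list_built_at=0, years_ahead=3):
    """Compare a store that expires preloaded entries with one that freezes them."""
    skewed_now = list_built_at + years_ahead * 365 * DAY  # 1095 days, past the 1000-day cap
    expiring, frozen = HstsStore(), HstsStore(freeze_preloaded=True)
    for store in (expiring, frozen):
        store.preload(host, True, list_built_at)
    return {
        "expiring_store_enforces": expiring.is_enforced(host, skewed_now),
        "frozen_store_enforces": frozen.is_enforced(host, skewed_now),
    }


if __name__ == "__main__":
    print(clock_skew_demo())
```

The store only ever compares the entry's expiry against whatever the system clock reports, which is the whole point of the thread: any mechanism that keys a security decision to wall-clock time (HSTS, and HPKP with its necessarily finite pin lifetime) inherits the trustworthiness of that clock.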