oss-sec mailing list archives
Re: attacking hsts through ntp
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 16 Oct 2014 21:45:34 +0200
Am Thu, 16 Oct 2014 09:56:06 -0600 schrieb Kurt Seifried <kseifried () redhat com>:
The obvious solution being to whitelist your site (in the chrome/firefox source code)if you truly care:
No. While this is neat (and I already did this for my most important domains) this won't help. The reason: HSTS preloaded sites are handled exactly the same way as normal HSTS sites - they can expire. Chrome sets a maximum timeout for HSTS of 1000 days for preloaded sites. That was elaborated in the talk today. He demonstrated the attack on google mail which is in this whitelist. Set clock 3 years into the future and youre done. It could be argued that it is wrong to expire preloaded HSTS sites. But the very same attack applies to HPKP which basically has to expire, because you don't want to use keys forever. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Attachment:
signature.asc
Description:
Current thread:
- attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Lukas Reschke (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Michal Zalewski (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 16)
- Re: attacking hsts through ntp Adam Langley (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Kurt Seifried (Oct 16)
- Re: attacking hsts through ntp Hanno Böck (Oct 17)
- Re: attacking hsts through ntp Yves-Alexis Perez (Oct 17)