oss-sec mailing list archives
Re: attacking hsts through ntp
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 16 Oct 2014 18:45:18 -0600
On 16/10/14 06:32 PM, Michael Samuel wrote:
> On 16 October 2014 23:03, Hanno Böck <hanno () hboeck de> wrote:
>> Same should work for HPKP. The idea of setting some security feature through a header needs a revisit. The solution would be to have a more reliable PC time. How do we do that?
>
> A Date: header?

You can't trust remote servers you're getting the content from... what if I send wonky times to try and screw with your browser? Or header injection attacks? No thanks.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993