oss-sec mailing list archives
Re: attacking hsts through ntp
From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 17 Oct 2014 11:32:53 +0200
On Fri, Oct 17, 2014 at 09:53:29AM +0200, Hanno Böck wrote:
> On Thu, 16 Oct 2014 18:45:18 -0600, Kurt Seifried <kseifried () redhat com> wrote:
>
> > You can't trust remote servers you're getting the content from... what
> > if I send wonky times to try and screw with your browser? Or header
> > injection attacks? No thanks.
>
> It's not entirely a bad idea. You could say "if http header time and
> system time differ severely (> 1 week or something) then don't connect
> to hsts sites".

Sounds a bit like Kerberos
--
Yves-Alexis
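An added sketch of the clock-skew check proposed in the quoted text above; it is not code from the thread or from any browser. Taking the median over several servers' Date headers, rejecting header values that contain line breaks, and the three result strings are assumptions of this example, and the sample headers are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(weeks=1)  # the "> 1 week or something" threshold from the thread

# Constructed sample input: two plausible Date headers and one wildly wrong one.
SAMPLE_HEADERS = [
    "Fri, 17 Oct 2014 09:30:00 GMT",
    "Fri, 17 Oct 2014 09:31:00 GMT",
    "Mon, 01 Jan 2035 00:00:00 GMT",
]


def header_skew(date_header, local_now):
    """Return local_now minus the server's Date value, or None if unusable."""
    if not date_header or "\r" in date_header or "\n" in date_header:
        return None  # missing, or the value carries an injected line break
    try:
        server_time = parsedate_to_datetime(date_header.strip())
    except (TypeError, ValueError, OverflowError):
        return None  # not a parseable HTTP date
    if server_time.tzinfo is None:
        server_time = server_time.replace(tzinfo=timezone.utc)
    return local_now - server_time


def classify_clock(date_headers, local_now, max_skew=MAX_SKEW):
    """Return 'ok', 'skewed' or 'no-evidence' for a batch of Date headers."""
    skews = sorted(
        s for s in (header_skew(h, local_now) for h in date_headers) if s is not None
    )
    if not skews:
        return "no-evidence"
    # Median (assumption of this sketch): one server sending a wonky time
    # cannot flip the verdict on its own.
    median = skews[len(skews) // 2]
    return "skewed" if abs(median) > max_skew else "ok"


def hsts_connect_allowed(date_headers, local_now):
    """Refuse connections to HSTS sites only when the local clock looks skewed."""
    return classify_clock(date_headers, local_now) != "skewed"
```

local_now must be a timezone-aware datetime. What to do on "no-evidence" is left to the caller; this sketch allows the connection in that case.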