Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141016214534.547e3f97@pc.quadriga-www.com>
Date: Thu, 16 Oct 2014 21:45:34 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: attacking hsts through ntp

Am Thu, 16 Oct 2014 09:56:06 -0600
schrieb Kurt Seifried <kseifried@...hat.com>:

> The obvious solution being to whitelist your site (in the
> chrome/firefox source code)if you truly care:

No.

While this is neat (and I already did this for my most important
domains) this won't help.

The reason: HSTS preloaded sites are handled exactly the same way as
normal HSTS sites - they can expire. Chrome sets a maximum timeout for
HSTS of 1000 days for preloaded sites. That was elaborated in the talk
today. He demonstrated the attack on google mail which is in this
whitelist. Set clock 3 years into the future and youre done.

It could be argued that it is wrong to expire preloaded HSTS sites. But
the very same attack applies to HPKP which basically has to expire,
because you don't want to use keys forever.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.