
Re: NTP vs. HSTS

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 16 Oct 2014 17:11:51 +0200
Message-ID: <CADnb78i5DpSMNm+H6w3w7KJkRvUSp_zc6a5ZbKjqwHWGxHQxZw@mail.gmail.com>
To: John Kemp <john@jkemp.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Oct 16, 2014 at 5:01 PM, John Kemp <john@jkemp.net> wrote:
> https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf

So the problem is that time synchronization does not happen over TLS.
That seems like a pretty big flaw in OSs. Hopefully someone audits any
other unauthenticated channels they may have.


-- 
https://annevankesteren.nl/
Received on Thursday, 16 October 2014 15:12:23 UTC
