W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: NTP vs. HSTS

From: Chris Palmer <palmer@google.com>
Date: Thu, 16 Oct 2014 10:33:26 -0700
Message-ID: <CAOuvq23+oCpi8oM=npyzJaLvSPBzHJSrYTsWVB+GFaGMw+7Dww@mail.gmail.com>
To: Adam Langley <agl@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, John Kemp <john@jkemp.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Oct 16, 2014 at 9:01 AM, Adam Langley <agl@google.com> wrote:

> However, in section seven, where the author claims that preloaded
> entries are added for 1000 days, that's only via the net-internals
> debugging interface. (The code screenshot shown is also of code for
> that debugging interface.) I believe that preloaded entries in Chrome
> will always be enforced, no matter what the system time is.

We have also added code to detect with the system clock is obviously
wrong (current time < Chrome's build time, or current time > Chrome's
build time + 1 year), and show a specific SSL warning interstitial
with a UX control for users to activate their system's clock reset
application. In a near-future version of Chrome, that warning
interstitial won't even be an SSL warning, it will be its own kind of
(less frightening) warning. (To the effect of, "You've probably
noticed that a wide variety of things aren't working right... Let's
fix that clock...")
Received on Thursday, 16 October 2014 17:33:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC