
Re: NTP vs. HSTS

From: Jose Selvi <jselvi@pentester.es>
Date: Fri, 17 Oct 2014 01:15:54 +0200
Message-ID: <544051AA.6090303@pentester.es>
To: public-webappsec@w3.org

Hi,

> So I went back into the source code and the author really is mistaken
> by the 1000 days bit in net-internals. However, we do have a timeout
> for HSTS preloads which git blame says that I added, although I don't
> remember it. The timeout is the same as our pinning timeout, which is
> 10 weeks from the build timestamp.

Yes, what I said in the talk was that I'm not 100% sure that this was
the proper piece of code, because I hadn't set a breakpoint there. I just
looked for some keywords in the source code, and it matched what I had
seen in practice. As far as I remember, HSTS was still working when
jumping 900 days into the future, but it was bypassed when jumping 1001 days.

I have read my own whitepaper now and... yes, the sentence that I used
is probably not as accurate as it should be. Sorry for that.

Anyway, maybe I'm wrong about the number of days or the piece of code,
but the key point is that you can force HSTS entries, even preloaded
ones, to expire using an NTP MitM. I don't know if I can share the demo
because of my agreement with BlackHat, but I'll be happy to share with
you (vendors) as much information as you need.

Best regards.

-- 
Jose Selvi.
Principal Penetration Tester
GIAC Security Expert (GSE)
CISA, CISSP, GCFE, GCFA, GCIA, GCIH, GPEN

http://www.pentester.es
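The mechanism the thread is arguing about, as an added illustration that is not Chromium's code nor anything from the talk or whitepaper: a toy HSTS policy store that enforces a dynamic entry only until the absolute expiry recorded from its max-age, and trusts the built-in preload list only while the binary is younger than 10 weeks (the "10 weeks from the build timestamp" window quoted above). Pushing the client's clock forward, which is what a forged NTP reply does, moves "now" past both deadlines without touching the stored policies. The host names, the build date and the epoch value are constructed for the example; the header parsing follows RFC 6797 (max-age required, max-age=0 clears the policy, unknown directives ignored).

```python
"""Toy model of HSTS expiry under a clock jump (added example, not browser code)."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Validity window for built-in (preloaded) entries, as quoted in the thread:
# 10 weeks from the binary's build timestamp. Assumption: we model it as a
# plain comparison against the client clock.
TEN_WEEKS = 10 * 7 * 24 * 3600


def parse_hsts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the header is
    malformed (no max-age, or a non-numeric one), in which case a client must
    ignore it rather than guess.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')          # RFC 6797 allows a quoted-string
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive is ignored per the RFC's extensibility rule
    if max_age is None:
        return None
    return max_age, include_sub


@dataclass
class HstsStore:
    build_timestamp: float                     # when this "browser" was built
    preloaded: Set[str] = field(default_factory=set)
    dynamic: Dict[str, float] = field(default_factory=dict)  # host -> expiry (epoch s)

    def observe_header(self, host: str, header_value: str, now: float) -> bool:
        """Record a header seen over HTTPS at time `now`. Returns False if ignored."""
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        max_age, _include_sub = parsed        # subdomain handling omitted in the toy
        if max_age == 0:
            self.dynamic.pop(host, None)       # max-age=0 means "forget this host"
        else:
            self.dynamic[host] = now + max_age  # stored as an absolute deadline
        return True

    def should_upgrade(self, host: str, now: float) -> bool:
        """Is plain HTTP to `host` still rewritten to HTTPS at client time `now`?"""
        preload_still_trusted = (now - self.build_timestamp) < TEN_WEEKS
        if host in self.preloaded and preload_still_trusted:
            return True
        expiry = self.dynamic.get(host)
        return expiry is not None and now < expiry


def upgrade_after_clock_jump(store: HstsStore, host: str,
                             real_now: float, jump_days: int) -> bool:
    """Enforcement decision if the client clock has been pushed jump_days ahead."""
    return store.should_upgrade(host, real_now + jump_days * 86400)


def demo(real_now: float = 1_413_500_000.0) -> Dict[int, Tuple[bool, bool]]:
    """Constructed scenario: binary built a week ago, one preloaded host, one host
    that just sent a one-year HSTS header. Returns {jump_days: (preloaded, dynamic)}."""
    store = HstsStore(build_timestamp=real_now - 7 * 86400,
                      preloaded={"preloaded.example"})
    store.observe_header("dyn.example",
                         "max-age=31536000; includeSubDomains", real_now)
    results = {}
    for jump in (0, 60, 70, 366):
        results[jump] = (
            upgrade_after_clock_jump(store, "preloaded.example", real_now, jump),
            upgrade_after_clock_jump(store, "dyn.example", real_now, jump),
        )
    return results


if __name__ == "__main__":
    for days, (pre, dyn) in demo().items():
        print(f"clock +{days:>3} days: preloaded={pre!s:<5} dynamic={dyn}")
```

With the binary a week old, a jump of 60 days keeps both policies alive, a jump of 70 days crosses the 10-week preload window while the one-year dynamic entry survives, and a jump of 366 days expires both. Nothing in the store changes between runs; only the clock the comparisons are made against does, which is why an attacker who controls the client's NTP view controls the outcome.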
Received on Friday, 17 October 2014 07:17:02 UTC
