- From: Jose Selvi <jselvi@pentester.es>
- Date: Fri, 17 Oct 2014 01:15:54 +0200
- To: public-webappsec@w3.org

Hi,

> So I went back into the source code and the author really is mistaken
> by the 1000 days bit in net-internals. However, we do have a timeout
> for HSTS preloads which git blame says that I added, although I don't
> remember it. The timeout is the same as our pinning timeout, which is
> 10 weeks from the build timestamp.

Yes, what I said in the talk was that I'm not 100% sure that this was the proper piece of code because I hadn't set a breakpoint there. I just looked for some keywords in the source code and it matches what I have seen in practice. As far as I remember, HSTS was working when jumping 900 days into the future, but it was bypassed when jumping 1001 days.

I have read my own whitepaper now and... yes, probably the sentence that I used is not as accurate as it should be. Sorry for that.

Anyway, maybe I'm wrong about the number of days or the piece of code, but the key point is that you can force HSTS entries, even preloaded ones, to expire using NTP MitM.

I don't know if I can share the demo because of my agreement with BlackHat, but I'll be happy to share with you (vendors) as much information as you need.

Best regards.

--
Jose Selvi.
Principal Penetration Tester
GIAC Security Expert (GSE)
CISA, CISSP, GCFE, GCFA, GCIA, GCIH, GPEN
http://www.pentester.es

Received on Friday, 17 October 2014 07:17:02 UTC