Clock skew issues are not an overlooked problem. The Chrome team has published research around this in the past (https://groups.google.com/a/chromium.org/forum/#!msg/chromium-dev/owc7DJkg098/d8k0LyrgAgAJ) that led to a plan (https://www.chromium.org/developers/design-documents/sane-time). I believe all of that work has landed in Chrome. I don't have a source for what percentage of TLS errors currently seen are clock skew at this point (although perhaps Mozilla or the Chrome team have published newer numbers), but significant effort has been spent to solve the root issue.

-Paul (reaperhulk)

On February 15, 2018 at 10:55:33 PM, Kevin Chadwick via dev-security-policy ([email protected]) wrote:

> The cookies etc. should be SSL only. Particular pages enforced, sure.
>
> Enforcing TLS with HSTS sitewide means that users with failed BIOS/laptop batteries have to know to reset their clock or get used to bypassing SSL warnings or use out of date browsers to access sites. A fairly common problem, not good. Think real world, please. This hurts the most vulnerable.
>
> Another solution may be to remove the cert is not valid YET restriction but that is a can of worms.
>
> Thank you

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

