I'm not sure what I think about an infinite HSTS timespan. But I am pretty sure that no matter what, the underlying cause needs to be fixed. A reliable time plays a role in a number of cases in TLS. HPKP is basically vulnerable to the same kind of attack. Certificate validity times/expirations are vulnerable.
After I was in the talk at BH I changed my systems to use tlsdated instead of ntpd. That's the thing that should happen: We need to make our time sources more reliable.

I was thinking about an idea I had during the talk: Maybe browsers should add some time consistency checks? Basically two things would be needed:

1. check for sane time on startup. Browsers check for updates, CRLsets and other things anyway. They could just use the TLS timestamp of these requests and throw a warning if they differ significantly (I don't want to nag users that don't set their time second-precise, but a diff of more than a day could give a warning)
2. check for consistency while running. There could be periodical checks and if the time does large jumps also throw a warning.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
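The two checks proposed in the message above, sketched as an added example that is not part of the original post or any browser's code. It assumes the reference time comes from the `Date` header of an HTTPS response the client already makes (for example an update check); the function and class names and the one-hour jump threshold are hypothetical.

```python
import time
from email.utils import parsedate_to_datetime

MAX_SKEW = 24 * 3600   # startup tolerance: one day, as the message suggests
MAX_JUMP = 3600        # runtime tolerance per check (assumed value)


def startup_skew(date_header, local_now):
    """Seconds by which the local clock is ahead of the server's Date header."""
    server = parsedate_to_datetime(date_header).timestamp()
    return local_now - server


def startup_warning(date_header, local_now, max_skew=MAX_SKEW):
    """Check 1: return a warning string if the skew exceeds max_skew."""
    skew = startup_skew(date_header, local_now)
    if abs(skew) > max_skew:
        return f"local clock differs from server time by {skew / 3600:+.1f} h"
    return None


class JumpMonitor:
    """Check 2: detect wall-clock steps by comparing with the monotonic clock."""

    def __init__(self, wall=time.time, mono=time.monotonic, max_jump=MAX_JUMP):
        self.wall, self.mono, self.max_jump = wall, mono, max_jump
        self.last_wall, self.last_mono = wall(), mono()

    def check(self):
        """Return the size of the step in seconds if it exceeds max_jump."""
        w, m = self.wall(), self.mono()
        # Elapsed wall time should equal elapsed monotonic time; whatever is
        # left over is how far the wall clock was stepped since the last check.
        # Caveat: where the monotonic clock stops during suspend, waking from
        # sleep shows up here as a forward step.
        step = (w - self.last_wall) - (m - self.last_mono)
        self.last_wall, self.last_mono = w, m
        return step if abs(step) > self.max_jump else None


if __name__ == "__main__":
    header = "Wed, 06 Aug 2014 12:00:00 GMT"   # constructed sample value
    print(startup_warning(header, time.time()))
    monitor = JumpMonitor()
    time.sleep(1)
    print(monitor.check())                     # None unless the clock was stepped
```

A backward step reported by `check()` is the case that matters for HSTS, HPKP and certificate validity, since it is the direction in which an expired policy or certificate appears valid again.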
