[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 6 02:36:22 PDT 2011


Erwann ABALEA <erwann at abalea.com> writes:

>Some people even consider themselves safe because they have an NTP box
>listening to GPS signals, ignoring that they can be spoofed.

I consider myself safe*r* because of this.  Anyone who's going to the trouble
of coming to my location and spoofing GPS is going to get me one way or
another no matter what security measures I use.  OTOH NTP spoofing isn't hard
to do on an industrial scale, not just via the obvious mechanisms but through
less obvious ones like warkitting home routers (demonstrated against pretty
much a who's-who of routers, including OSS replacements for factory firmware).
You don't even need to do that, just modify the config via one of an infinite
number of XSS and similar attacks that router web interfaces are vulnerable
to, to point to $my_NTP instead of $router_vendor_NTP.  

My GPS-based time source is a veritable Fort Knox compared to internet-based 
time sources.

Peter.
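
The comparison drawn in the message above, as an added example that is not part of the original post: a locally trusted reference reading (assumed here to come from a GPS-disciplined clock) is used to audit what network time sources claim. The function names, source labels, threshold and sample packets are constructed for illustration, and the check ignores network round-trip delay.

```python
import struct

NTP_TO_UNIX = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01

def build_reply(unix_time, stratum=2):
    """Build a 48-byte SNTP server reply; used only to construct sample data."""
    first = (0 << 6) | (4 << 3) | 4  # LI=0, version 4, mode 4 (server)
    header = struct.pack("!BBbbII4s", first, stratum, 6, -20, 0, 0, b"\0" * 4)
    stamp = struct.pack("!II", int(unix_time) + NTP_TO_UNIX,
                        int((unix_time % 1) * 2**32))
    return header + stamp * 4  # reference, originate, receive, transmit

def transmit_time(packet):
    """Return the server's transmit timestamp as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short packet")
    if packet[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    if packet[0] >> 6 == 3 or packet[1] == 0:
        raise ValueError("server reports itself unsynchronized")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_TO_UNIX + frac / 2**32

def audit_sources(replies, reference_time, max_skew=1.0):
    """Map each disagreeing source to its offset in seconds (None if unusable)."""
    suspect = {}
    for name, packet in replies.items():
        try:
            offset = transmit_time(packet) - reference_time
        except ValueError:
            suspect[name] = None
            continue
        if abs(offset) > max_skew:
            suspect[name] = offset
    return suspect

# Constructed sample: a GPS-disciplined reference reading and three replies.
GPS_NOW = 1_300_000_000.0
SAMPLE = {
    "router_vendor_NTP": build_reply(GPS_NOW + 0.25),
    "unexpected_NTP": build_reply(GPS_NOW - 3 * 365 * 86400),
    "truncated": b"\x24\x02",
}

if __name__ == "__main__":
    print(audit_sources(SAMPLE, GPS_NOW))
```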


