[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
ArkanoiD
ark at eltex.net
Tue Sep 6 02:51:04 PDT 2011
I wonder if it is possible to create a secure setup at all, trusting, say,
ntp.nasa.gov pre-saved keys and nothing else (given it relies on weak crypto anyways).
On Tue, Sep 06, 2011 at 09:36:22PM +1200, Peter Gutmann wrote:
> Erwann ABALEA <erwann at abalea.com> writes:
>
> >Some people even consider themselves safe because they have an NTP box
> >listening to GPS signals, ignoring that they can be spoofed.
>
> I consider myself safe*r* because of this. Anyone who's going to the trouble
> of coming to my location and spoofing GPS is going to get me one way or
> another no matter what security measures I use. OTOH NTP spoofing isn't hard
> to do on an industrial scale, not just via the obvious mechanisms but through
> less obvious ones like warkitting home routers (demonstrated against pretty
> much a who's-who of routers, including OSS replacements for factory firmware).
> You don't even need to do that, just modify the config via one of an infinite
> number of XSS and similar attacks that router web interfaces are vulnerable
> to, to point to $my_NTP instead of $router_vendor_NTP.
>
> My GPS-based time source is a veritable Fort Knox compared to internet-based
> time sources.
>
> Peter.