On 2010-04-17 01:24, Hans Witvliet wrote:
> On Fri, 2010-04-16 at 23:02 +0200, Carlos E. R. wrote:
> How about spoofing the ntp-source and doing a reboot? Logging in as ca-admin and signing a CSR...
> No need for root privilege... afaics, just the knowledge of the ip of the ntp-server and some iron doing an ntp-impersonation!
As I said, no, it would not work, if you do things properly. :-)

You do not sync against a single ntp server. You sync against a dozen, simultaneously, so the attacker has to pervert the majority of them, and do so in sync or the perversion is detected immediately.

Obviously, as the protocol and applications do support auth, there must be use cases in which it is necessary. The programming effort must have been considerable. Thus, there must be strong reasons to use it. But I don't know them :-)

-- 
Cheers / Saludos,

Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar))
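
The majority check described in the reply above can be sketched as a Marzullo-style interval intersection, the idea behind NTP's source selection. This is an added example, not code from the thread or from ntpd (which does considerably more); the source names, offsets and error bound are constructed.

```python
def select_truechimers(samples):
    """samples maps source name -> (offset_s, error_bound_s).
    Returns (interval, truechimers, falsetickers); interval is None when no
    strict majority of sources have overlapping correctness intervals."""
    edges = []
    for offset, err in samples.values():
        edges.append((offset - err, 0))  # interval opens (0 sorts before 1)
        edges.append((offset + err, 1))  # interval closes
    edges.sort()
    best = depth = 0
    lo = hi = None
    for i, (point, kind) in enumerate(edges):
        if kind == 0:
            depth += 1
            if depth > best:  # deepest overlap so far runs to the next edge
                best, lo, hi = depth, point, edges[i + 1][0]
        else:
            depth -= 1
    if best * 2 <= len(samples):
        # No majority agrees: refuse to pick a time and flag every source.
        return None, [], sorted(samples)
    good = sorted(n for n, (o, e) in samples.items()
                  if o - e <= lo and o + e >= hi)
    bad = sorted(n for n in samples if n not in good)
    return (lo, hi), good, bad


YEAR = 365 * 24 * 3600  # constructed forged offset: clock pushed a year off
ERR = 0.05              # constructed per-source error bound, seconds

def pool(n_honest, forged_offsets):
    """Constructed sample: honest sources near offset 0, forged ones elsewhere."""
    s = {f"honest{i:02d}": (0.002 * i, ERR) for i in range(n_honest)}
    s.update({f"forged{i:02d}": (off, ERR)
              for i, off in enumerate(forged_offsets)})
    return s

# One forged source out of a dozen is outvoted and flagged.
one_spoofed = select_truechimers(pool(11, [YEAR]))
# Seven forged sources that disagree with each other: no majority, no sync.
unsynced_forgers = select_truechimers(pool(5, [YEAR + 10 * i for i in range(7)]))
# Seven forged sources that agree: the majority wins, selection alone fails.
synced_majority = select_truechimers(pool(5, [YEAR] * 7))

if __name__ == "__main__":
    for label, result in [("1 of 12 forged", one_spoofed),
                          ("7 of 12 forged, out of sync", unsynced_forgers),
                          ("7 of 12 forged, in sync", synced_majority)]:
        print(label, "->", result[0], "falsetickers:", result[2])
```

The third case is the boundary of the argument: selection by agreement only holds while an honest majority exists, so it says nothing about a path where most sources can be impersonated at once.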