Re: [opensuse] secure time
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Sat, 17 Apr 2010 01:35:28 +0200
  • Message-id: <4BC8F440.6080407@xxxxxxxxxxxxxx>

On 2010-04-17 01:24, Hans Witvliet wrote:
> On Fri, 2010-04-16 at 23:02 +0200, Carlos E. R. wrote:
>
> How about spoofing the ntp-source and doing a reboot?
> Logging in as ca-admin and signing a CSR...
>
> No need for root privilege... afaics, just the knowledge of the ip of
> the ntp-server and some iron doing an ntp-impersonation!

As I said, no, it would not work, if you do things properly. :-)

You do not sync against a single ntp server. You sync against a dozen,
simultaneously, so the attacker has to pervert the majority of them, and
do so in sync or the perversion is detected immediately.


Obviously, as the protocol and applications do support auth, there must be
use cases in which it is necessary. The programming effort must have been
considerable. Thus, there must be strong reasons to use it.

But I don't know them :-)

--
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" GM (Elessar))
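
The majority argument in the message above, as an added example that is not part of the original mail and is not ntpd's own code: a simplified interval-intersection source selection in the style of Marzullo's algorithm, from which NTP's selection step is derived. The server names s1..s5 and all offsets (in milliseconds) are constructed for illustration.

```python
# Added example: simplified Marzullo-style source selection (not ntpd's code).
# Each sample is (offset_ms, root_distance_ms); true time is assumed to lie
# in [offset - distance, offset + distance] for an honest server.

def select_truechimers(samples):
    """Return (interval, names) for the majority clique, or (None, [])."""
    edges = []
    for offset, dist in samples.values():
        edges.append((offset - dist, -1))   # interval opens
        edges.append((offset + dist, +1))   # interval closes
    edges.sort()                            # opens sort before closes on ties
    best = count = 0
    lo = hi = None
    for i, (pos, kind) in enumerate(edges):
        count -= kind
        if count > best:                    # deepest overlap seen so far
            best, lo, hi = count, pos, edges[i + 1][0]
    if best * 2 <= len(samples):            # no strict majority agrees
        return None, []
    names = sorted(n for n, (o, d) in samples.items()
                   if o - d <= lo and o + d >= hi)
    return (lo, hi), names

# Constructed sample data: five hypothetical servers, values in milliseconds.
HONEST = {"s1": (4, 20), "s2": (-3, 25), "s3": (1, 15),
          "s4": (6, 30), "s5": (-2, 18)}
HOUR = 3_600_000

# One impersonated source an hour off: outvoted and rejected.
ONE_SPOOFED = {**HONEST, "s5": (HOUR - 2, 18)}
# Three sources shifted by different amounts: no majority, nothing is selected.
UNCOORDINATED = {**HONEST, "s3": (HOUR, 15), "s4": (2 * HOUR, 30),
                 "s5": (-HOUR // 2, 18)}
# Three sources shifted by the same amount: the false majority wins.
COORDINATED = {**HONEST, "s3": (HOUR + 1, 15), "s4": (HOUR + 6, 30),
               "s5": (HOUR - 2, 18)}

if __name__ == "__main__":
    for label, data in [("one spoofed", ONE_SPOOFED),
                        ("uncoordinated", UNCOORDINATED),
                        ("coordinated", COORDINATED)]:
        print(label, select_truechimers(data))
```

The third case is the limit of the defence: once a majority of sources agree on the same false time, selection alone cannot tell them from honest servers.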