undefined | Better HN

0 pointscreeble1y ago0 comments

You can use plain HTTP for time sync. Almost all HTTP servers respond with a time header.

0 comments

The whole point of the exercise was to make it secure though. If you don't care about MITM attackers then NTP works great.

numpad01y ago

I don't get the supposed security aspect of getting false time. Hacker gives you 1980-01-01 or 4096-13-32 and mess up CRL and ruin your day...how.

Years ago I've tried privilege escalation exploit to play with a phone and it involved rolling back date to unexpire signature, so I know there is exploit potential, but it... it just feels like RTC bootstrap problem should be something solvable.

creebleOP1y ago

Isn't that a provably pointless exercise though?

Security protocols (at least the ones in common use) require certificates or keys that eventually expire, because of the risk of a permanent key being compromised. If they expire, the protocol needs time. QED.

j / k navigate · click thread line to collapse