Ars Technica reports on a vulnerability where unencrypted Network Time Protocol (NTP) traffic can be exploited by man-in-the-middle attacks to arbitrarily set the times of computers to cause general chaos and/or carry out other attacks, such as exploiting expired HTTPS certificates.
While NTP clients have features to prevent drastic time changes, such as setting the date to ten years in the past, the paper on the attacks presents various methods for bypassing these protections.
There is a pdf of the report available.
(Score: 2) by darkfeline on Friday October 23 2015, @02:58AM
If NTP is still unencrypted, and someone MITMs all of your connections, multiple NTP servers won't do any good.
Really, the solution to a lot of problems is to use encryption and trust signatures, it might be the next on the list, right after "make backups".
Join the SDF Public Access UNIX System today!