undefined | Better HN

0 pointsoefrha2y ago0 comments

What clock attack? You validate the timestamp on the server and reject if the timestamp is too far off. The same request being repeatable within say 30s isn’t a problem in 99% of cases.

0 comments

apitman2y ago

I'm referring to threat models where the attacker might be able to manipulate time on the server, either directly or through NTP servers, etc. Personally it's not something I would worry about but I've heard it discussed and was wondering how big a concern it is.

oefrhaOP2y ago

Well, then you still end up more secure than a regular session token.

j / k navigate · click thread line to collapse

0 pointsoefrha2y ago0 comments

What clock attack? You validate the timestamp on the server and reject if the timestamp is too far off. The same request being repeatable within say 30s isn’t a problem in 99% of cases.

0 comments

apitman2y ago

oefrhaOP2y ago

Well, then you still end up more secure than a regular session token.

j / k navigate · click thread line to collapse