
I recently tested the NTP Time Synchronization Attack as described and demonstrated by Jose Selvi in 2015.

Basically, the attack was mostly used to send the victim's clock into the future, so the already cached HTTP Strict Transport Security entry would expire, and when the victim visits the website that returned the HSTS header, they will potentially make the request using HTTP instead of HTTPS. That way, the victim gives the attacker a chance to strip the HSTS header that will be returned.

It seems that the attack is no longer working on a recent GNU/Linux with up-to-date ntpd daemon.

I wonder how this got mitigated. What kind of algorithm (chain of trust, or something else) does the daemon use now to decide whether the response is legitimate or a spoofed one?

  • I _think_ all it does to mitigate this is refuse to change the time if the time difference appears too massive, but I'm not entirely sure. – forest Jun 23 '21 at 01:41
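The two mechanisms discussed above, as an added example that is not part of the question or the comment: a small HSTS cache modelled on RFC 6797 (an entry is honoured only while the client's current time is before its expiry, so a forward clock jump can turn the next request into plain HTTP), and an offset sanity check modelled on ntpd's documented defaults (a 128 ms step threshold and a 1000 s panic threshold above which the daemon refuses to apply the offset unless started with `-g`). Whether that threshold is what actually stopped the attack on the asker's system is not established on this page; the code only shows how such a bound limits what a forged reply can do. Host names, the `max-age` values and the offsets are constructed sample input.

```python
"""HSTS expiry versus a forged NTP offset (constructed example, not from the page)."""
from dataclasses import dataclass

# ntpd's documented defaults: offsets below the step threshold are slewed,
# above it the clock is stepped, and above the panic threshold ntpd refuses
# (it logs and exits) unless it was started with -g for the first sync.
STEP_THRESHOLD_S = 0.128
PANIC_THRESHOLD_S = 1000.0


@dataclass
class HstsEntry:
    expiry: float                 # absolute time (seconds) at which the policy lapses
    include_subdomains: bool = False


class HstsCache:
    """Minimal RFC 6797 known-host store: one entry per host, expiry-based."""

    def __init__(self):
        self._entries = {}

    def observe_header(self, host, max_age, now, include_subdomains=False):
        # Called after an HTTPS response carried Strict-Transport-Security.
        # max-age=0 is the RFC 6797 way for a site to delete its own entry.
        if max_age <= 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = HstsEntry(now + max_age, include_subdomains)

    def scheme_for(self, host, now):
        # "https" if a live policy covers host at the client's current time,
        # otherwise "http" (what a typed-in or stripped URL defaults to).
        entry = self._entries.get(host)
        if entry is None:
            # Walk up the parent domains looking for includeSubDomains.
            labels = host.split(".")
            for i in range(1, len(labels)):
                parent = self._entries.get(".".join(labels[i:]))
                if parent is not None and parent.include_subdomains:
                    entry = parent
                    break
        if entry is None or now >= entry.expiry:
            return "http"
        return "https"


def accept_offset(offset_s, panic_threshold_s=PANIC_THRESHOLD_S):
    """Classify a measured clock offset the way ntpd's thresholds do.

    Returns "slew", "step" or "reject". A rejected offset is never applied,
    which is the behaviour the comment above suspects is the mitigation.
    """
    if abs(offset_s) > panic_threshold_s:
        return "reject"
    if abs(offset_s) > STEP_THRESHOLD_S:
        return "step"
    return "slew"


def simulate_attack(max_age_s, forged_offset_s, now=1_000_000.0,
                    panic_threshold_s=PANIC_THRESHOLD_S):
    """Scheme the client would use for example.com after one forged NTP reply.

    The reply claims the clock is forged_offset_s seconds off. If the daemon
    applies it, the client's notion of "now" jumps and the cached HSTS entry
    may already be past its expiry. Returns (daemon decision, scheme).
    """
    cache = HstsCache()
    cache.observe_header("example.com", max_age_s, now)   # constructed host
    decision = accept_offset(forged_offset_s, panic_threshold_s)
    effective_now = now if decision == "reject" else now + forged_offset_s
    return decision, cache.scheme_for("example.com", effective_now)


if __name__ == "__main__":
    one_year = 31_536_000
    # A forged reply pushing the clock ~15 months ahead: rejected, HSTS holds.
    print(simulate_attack(one_year, 40_000_000))
    # Same reply with the panic check disabled: stepped, entry expired, HTTP.
    print(simulate_attack(one_year, 40_000_000, panic_threshold_s=float("inf")))
```

The second `print` is the case the question describes: with no upper bound on an accepted offset, a single forged reply is enough to age out a year-long policy. With the bound in place the attacker can only move the clock by at most the threshold per accepted exchange, which is why a long `max-age` and a daemon that refuses large steps work together.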

0 Answers