Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

We\'ve recently implemented WS Trust security over SSL for our client / server c

ID: 658010 • Letter: W

Question

We've recently implemented WS Trust security over SSL for our client / server communications. Our application is used by thousands of our customers, spread out all over the world. One of the problems we've had in the past with secure communications is that customers with unsynchronized clocks have difficulty connecting, resulting in customer calls and frustration. Unfortunately, the reaction that has caused in the past is to simply disable this check or simply increase the acceptable clock skew to near infinite amounts.

I do not want the security of our system to be compromised, nor do I want to trigger an influx of complaints of customers who do not have their clocks closely in sync with the time on our servers (which are synced to internet time). In order for me to prevent the synchronization check from effectively being disabled, I must first be able to explain to my managers why this is a bad idea, and why the benefits of clock synchronization outweigh the cost of customer complaints or confusion.

1. What role does clock synchronization play in SSL communications and what sorts of vulnerabilities does disabling it introduce?
2. What is typically considered to be the maximum acceptable range for clock synchronization in secure customer facing applications?

Explanation / Answer

Simple version (for managers): Time syncs can prevent replay attacks. Without them, someone could record the packets sent between client and server, decrypt, modify data, then resend the packet stream and no one would be the wiser. But, because decryption takes time, a timestamp (validated on both sides) can indicate that the stream is a 'replay'.

Perhaps you could consider a longer timeout period for your company/application? Instead of a narrow window, you could realize some benefit by widening the window. This would have to be analyzed for its full impact on your systems, of course.

Related Questions

We\' are a sales company that produces quite personalised sales proposals for ou
Question #659389
We\'ll be learning and discussing job analysis. In your work experience, have yo
Question #355697
We\'ll use \"thousand cubic feet\" (tcf) as the quantity unit (just deal with q
Question #1198008
We\'ll use the example of an experiment like yours, but with slightly different
Question #1201402
We\'re accessing an API of a web system for obtaining product information. We re
Question #653378
We\'re all familiar with the Java package name convention of turning the domain
Question #639526
We\'re back in our bakery. Our records show that we have two sales per day 30% o
Question #437654
We\'re back in our bakery. Our records show that we have two sales per day 30% o
Question #1948416
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
We\'ve learned about PHI and how important it is to protect patient information.
Next
We\'ve seen huge growth in the computer industry in a very short time. There is

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.