Just two notes on this:
a) This problem is likely going to increase because of ocsp stapling.
The stapled ocsp responses have much shorter validity timespans. (I
already had one customer where this was likely the issue.)
b) Wrong clocks can also be a security issue. MitM attacks on NTP can
circumvent HSTS. See
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
https://github.com/PentesterES/Delorean
A time sanity check in the browser could be a good idea. I already
thought of that after the blackhat/hsts talk.
Chrome is probably already connecting to some Google domains on
startup to check for updates, blacklists, ... - it could throw a
warning if the timestamp of the https reply differs significantly from
the system time.
To fully protect against the HSTS attack it would however also have to
monitor unusual time changes at runtime.
Apart from that: NTP needs to die and be replaced with secure
solutions (tlsdate is a good choice). But that's out of scope for a
browser.
--
Hanno Böck
http://hboeck.de/
mail/jabber:
ha...@hboeck.de
GPG: BBB51E42
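A clock sanity check of the kind the post proposes, as an added example that is not from the original post: it compares the system clock with the Date header of an authenticated HTTPS reply at startup, and watches for unexplained wall-clock jumps at runtime. The header block, the 5-minute threshold and the fake clocks in the monitor are constructed assumptions.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample HTTPS response headers (not a real capture).
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 04 Nov 2014 12:00:00 GMT\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)

MAX_SKEW_SECONDS = 300  # assumed threshold: warn beyond 5 minutes of skew


def parse_date_header(raw_headers: str) -> datetime:
    """Return the Date header of an HTTP response as an aware UTC datetime."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).astimezone(timezone.utc)
    raise ValueError("no Date header in response")


def clock_skew(raw_headers: str, local_now: datetime) -> float:
    """Seconds the local clock is ahead (+) or behind (-) the server's Date."""
    return (local_now - parse_date_header(raw_headers)).total_seconds()


def startup_check(raw_headers: str, local_now=None, max_skew=MAX_SKEW_SECONDS) -> bool:
    """True when the local clock agrees with the TLS-authenticated server within max_skew."""
    local_now = local_now or datetime.now(timezone.utc)
    return abs(clock_skew(raw_headers, local_now)) <= max_skew


class RuntimeClockMonitor:
    """Detect wall-clock changes the monotonic clock did not see, i.e. the
    system time being set backwards or far forwards while the process runs."""

    def __init__(self, wall=time.time, mono=time.monotonic, max_jump=MAX_SKEW_SECONDS):
        self.wall, self.mono, self.max_jump = wall, mono, max_jump
        self.offset = wall() - mono()  # expected wall-minus-monotonic relation

    def jump(self) -> float:
        """Unexplained change of the wall clock, in seconds, since construction."""
        return (self.wall() - self.mono()) - self.offset

    def suspicious(self) -> bool:
        return abs(self.jump()) > self.max_jump
```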