[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [Tails-dev] secure and simple network time (hack)

> Jacob Appelbaum:
>> I think adding an option to verify the leaf certificate's
>> fingerprint, rather than just the signature alone would be a fine
>> idea.
> Yes, then we could ask eff, tpo and similars about their policy to
> change the certificates. If we pin their certificates, we don't have
> to trust any CAs.

I'd prefer to trust a CA (or well, Tor identity) run by EFF, Tor or
someone else.

>> so, it depends a lot on what you mean by "getting rid of all CAs"
> In this particlar discussion I meant "no need to use any CAs". (In
> general I would be happy to see a widespread replacement for the CAs
> as a whole.)

So does that mean you do or do not like DNSSEC? :)

>>> And even if you use only a single source over TLS (pinned) as
>>> time source... How is it better than using a single authenticated
>>> NTP server over TCP?
>> I've never seen a system that shipped with authenticated NTP
>> enabled.
> It doesn't exist, unfortunately. It's also a critical security
> vulnarability in all major operating system, not only for Tor users,
> for anyone. No one cares about as long as no one uses it for a big
> scale attack. If an attacker moves back the time several years he can
> use revoked certificates.

I agree. That's one of the reasons why I have been working on tlsdate.

>> I'm sure it has happened but generally, ntp is unauthenticated and
>> is run as a UDP service.
> Yes.
>> I'd be interested to see a client configuration that works over TCP
>> and has strong integrity protection of the remote time.
> It's certainly possible but almost no one is using it. I found two
> guides about adding authenication to NTP.
> https://ntp3.sp.se/howto.html
> http://support.ntp.org/bin/view/Support/ConfiguringAutokey
> (Over TCP is possible as well, Google tells.)

I'd like to see a normal ntp client that runs over Tor safely - can you
show us an example of a way to do that? If so, I'd gladly consider
running such an NTP service. I already run a normal UDP OpenNTP server
in the pool.

> As Tails pointed out...
> https://tails.boum.org/todo/authenticate_time_servers/
> https://tails.boum.org/contribute/design/Time_syncing/
> The system can not be adapted since you will have a hard time finding
> public, free NTP servers, which support authenitcated NTP. And even if
> you find a very few, you can not rely on a small amount of servers. A
> big pool is required for distribiuted trust.

That's a resource issue, not a technical issue. We can solve both, I
think. I'd like to know if someone has actually used normal NTP clients
over Tor, even with private servers and found that it was suitable?

All the best,
tor-talk mailing list