
Re: [tor-talk] [Tails-dev] secure and simple network time (hack)

> Jacob Appelbaum:
>> So does that mean you do or do not like DNSSEC? :)
> Can't say, I didn't dig into that deep enough.

In a sense, we can compare the root ('.') to a single CA that can
further delegate to other CAs such as '.se' and so on.

>> I'd like to see a normal ntp client that runs over Tor safely - can
>> you show us an example of a way to do that? If so, I'd gladly
>> consider running such an NTP service. I already run a normal UDP
>> OpenNTP server in the pool.
>>> The system can not be adapted since you will have a hard time
>>> finding public, free NTP servers, which support authenticated
>>> NTP. And even if you find a very few, you can not rely on a small
>>> amount of servers. A big pool is required for distributed
>>> trust.
>> That's a resource issue, not a technical issue. We can solve both,
>> I think. I'd like to know if someone has actually used normal NTP
>> clients over Tor, even with private servers and found that it was
>> suitable?
> Ok, I am sorry, I messed up. There is no way to run NTP *directly*
> over TCP. I found the following interesting posts about this issue:
> http://lists.ntp.org/pipermail/questions/2007-October/015832.html
> http://lists.ntp.org/pipermail/questions/2007-October/015834.html
> http://lists.ntp.org/pipermail/questions/2007-October/015859.html

That's what I thought.

> We could run NTP over Tor, if we tunnel UDP over OnionCat. Due to
> usage of hidden services, Tor would provide authentication. (NTP
> autokey could be added for another layer of authentication.) But it
> were NTP over TCP over UDP, which wouldn't be (according to the posts
> above) exact as ordinary NTP over TCP.

Wow - talk about a hack!

> I don't know how less accurate it were and if that is a good idea or
> not. Or if we find willing people to run it. Please discuss. If there
> is interest, it could be tried to develop some instructions how to
> provide NTP as hidden service and share the result in the tpo wiki.

It seems like providing a simple phase locked loop over TCP isn't that
hard to do.

All the best,
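
An added illustration of the closing remark about a phase locked loop over TCP (not code from this thread or from any project mentioned in it): a software PLL fed by NTP-style offset samples taken over a high-latency, jittery stream. The delay model, loop gains, poll interval and all names are assumptions, and the delay figures are constructed rather than measured on Tor.

```python
import random

def exchange(true_offset, rng, base=0.4, jitter=0.3):
    """Simulate one request/reply over a slow TCP stream (constructed delays).

    Returns the NTP-style offset estimate, which is wrong by half the
    difference between the outbound and return delays.
    """
    d_out = base + rng.uniform(0, jitter)
    d_back = base + rng.uniform(0, jitter)
    t0 = 0.0                         # client clock: request sent
    t1 = t0 + d_out + true_offset    # server clock: request received
    t2 = t1                          # server clock: reply sent at once
    t3 = t0 + d_out + d_back         # client clock: reply received
    return ((t1 - t0) + (t2 - t3)) / 2

class SoftwarePLL:
    """Proportional term steers phase, integral term steers frequency."""

    def __init__(self, kp=0.1, ki=0.005):   # gains are assumed values
        self.kp, self.ki = kp, ki
        self.phase = 0.0   # seconds added to the raw local clock
        self.freq = 0.0    # estimated drift of the local clock, s/s

    def predict(self, dt):
        self.phase += self.freq * dt         # coast on the drift estimate

    def update(self, residual, dt):
        self.phase += self.kp * residual
        self.freq += self.ki * residual / dt

def simulate(steps=600, poll=60.0, offset0=5.0, drift=50e-6, seed=1):
    """Mean |raw sample error| and mean |PLL error| over the last 100 polls."""
    rng, pll = random.Random(seed), SoftwarePLL()
    raw_err, pll_err = [], []
    for n in range(1, steps + 1):
        true_offset = offset0 + drift * poll * n   # server minus raw local
        pll.predict(poll)
        sample = exchange(true_offset, rng)
        pll.update(sample - pll.phase, poll)       # error seen by corrected clock
        raw_err.append(abs(sample - true_offset))
        pll_err.append(abs(true_offset - pll.phase))
    return sum(raw_err[-100:]) / 100, sum(pll_err[-100:]) / 100

if __name__ == "__main__":
    print(simulate())
```

The loop averages out delay jitter, but a constant difference between the outbound and return delays shows up as a fixed offset that no filter on the client side can remove.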
