Network Time Protocol Hardened To Protect Users From Spying, Increase Privacy (theregister.co.uk)
AmiMoJo quotes the Register: The Internet Engineering Task Force has taken another small step in protecting everybody's privacy... As the draft proposal explains, the RFCs that define NTP have what amounts to a convenience feature: packets going from client to server have the same set of fields as packets sent from servers to clients... "Populating these fields with accurate information is harmful to privacy of clients because it allows a passive observer to fingerprint clients and track them as they move across networks".
The header fields in question are Stratum, Root Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin Timestamp, and Receive Timestamp. The Origin Timestamp and Receive Timestamp offer a handy example of a "particularly severe information leak". Under NTP's spec (RFC 5905), clients copy the server's most recent timestamp into their next request to a server – and that's a boon to a snoop-level watcher.
The proposal "proposes backward-compatible updates to the Network Time Protocol to strip unnecessary identifying information from client requests and to improve resilience against blind spoofing of unauthenticated server responses." Specifically, client developers should set those fields to zero.
#MAGA
set those fields to zero.
http://www.leobodnar.com/shop/...
Stratum1 FTW!
If you are going to trust the government for your time, you have no trust in your time. You might as well manually synchronize with an atomic clock once every month as your internal time source won't lose +- 5 min in a month (unless there's a serious problem with the system clock), and drift isn't a "real" problem if everyone in the same security domain is drifting together.
Learn to love Alaska
Is there any necessity for a computer system to have a port open and listening all the time? Surely doing a time update should only be as simple as making an HTTPS GET request?
I assume you mean because GPS is run by government? Meh. As long as governments (multiple) are using the same time source I actually trust it quite a bit. Besides, atomic clocks essentially mean trusting government too... they are ALL either directly or indirectly funded by governments, even one you buy yourself for personal use.
I just use a GPS attachment. Well, GPS, GLONASS and Galileo. With a tiny bit of code to verify location checks out, math wise it'd be tricky to spoof. If my building moves by any significant amount, I'm fairly sure there's a problem of some sort that needs my attention. Spoofing the time and getting the locational data from all three providers to match would be kinda an impressive mathematical exercise. Plus, any domestic GPS spoofing will bring the anger of the FCC on someone and never underestimate interdepartment bureaucracy fury. It's kinda unlikely unless you're in a very high security environment.
Very simple to code. Cost me $50, and pretty much only because I wanted one that could handle multiple constellations. Or buy one off the shelf. More expensive, less work.
Fill the fields with plausible garbage. If the data has no legitimate usage, poison it.
can't even get the time correct, we should be focusing on reliability instead of security. I don't care as much about security when my hourly processes run more than once because Microsoft's NTP can't even get time right. We double-charged a few hundred customers because of the problem Microsoft created.
Wowsers that's a lot of money. You can get PPS out of neo8m
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Patrick, is that you?
Anytime anybody says they are doing something "to protect you from spying" or to "increase your privacy", you would do well to watch very closely and try to read between the lines. Sometimes you're just a paranoid nutcase. Sometimes.
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
Time related issues are easy to solve. The real problem is that no one wants to pay a few bucks for accurate time since probably 99% or more of all systems synchronizing time probably don't need better than the correct second... forget milliseconds or better.
So here's the thing. Replace NTP as the widespread time protocol with one that uses a round trip timer over HTTPS for get time requests and chances are the precision is good enough.
Most enterprise and industrial environments don't need precision time, but instead need consistent time. So, running a local time server is optimal. Windows domain services does time as well, so once computers are domain joined, they sync against the AD server and so long as the AD server is correct, then all the PCs should be synced against the AD.
This is where there could be a problem. NTP has no security so wherever possible, it is preferable to run NTP over IPv6 with encryption enabled. This should be true for most enterprise traffic today. If nothing else, placing the AD server in an IPv6 only domain and requiring DirectAccess when IPv6 isn't available will secure the connection. And it's generally better than most systems like Cisco, Palo Alto, Checkpoint and open source solutions since every time there's a Windows update that fixes VPN bugs, the VPN is policy based, so both the client and server are updated and then reconfigured to secure the link. It's stupid how many people still run AD on IPv4 when running it on IPv6 is a million times better... ESPECIALLY when IPv6 isn't available and DirectAccess needs to be used.
Of course, synchronizing against a server is stupid since time on Windows and Linux is generally REALLY bad because they're running on general purpose operating systems without real-time extensions, so clock drift is a reality. There's also the issue of non-deterministic packet processing latency. For this reason, using an older Cisco router (running IOS, not IOS-XE) is a good idea. These cost $20-$100 on eBay. Cisco has classically had pretty good NTP implementations even if they generally aren't very secure. This solution is a much better option than server syncing. Of course, if all you have is modern equipment, you don't want to use Cisco IOS-XE devices since Cisco did a half-assed job on real-time Linux (try BFD out on XE and you'll see what I mean).
Now, the Cisco solution is nice because you can stick a few cheap IOS based devices at the edge of the network, peer them to each other and sync them against NTP and you're good to go. The entire configuration with security (what little you can get with NTP and less with Cisco) should take 10-15 minutes if the Cisco guy knows his stuff... good luck with that.
If you're an enterprise that considers time to be more important than just per second resolution... then it's time for a proper time server.
http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html
That's currently my favorite option as it's dirt cheap, GPS sync'd and very simple... and it's almost 100% guaranteed to be a better option than buying expensive devices from somewhere else.
$200 per server, get two of these per location and configure them properly to include NTP peering and run your own "master".
HTTPS over UDP
Slashdot, fix the reply notifications... You won't get away with it...
Nice, but pretty pricey. Not quite in the league of a Symmetricom pricewise, but getting close. I'm running more or less the same thing but without the OLED display at 1/10th the price. Unfortunately the guy who made them on Tindie seems to have gone away, so I can't provide a link.
Check your protocols.
Actually, establishing (and tearing down) an encrypted TCP channel is far less simple than UDP based ntp.
The open port isn't a requirement, but it is how ntp does the important (and complicated) part - establishing what the real time actually is, without blind faith in just one other server.
Ignoring for the moment what a bad idea that would be, how do you plan on doing HTTP without a port open?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
IP over Avian Carriers
The article doesn't mention any exploits, or reference any recent disclosures about CIA/NSA tracking software. Is this just preventative? Or has it been used? One place I can see this being an issue is for TOR clients -- if you're foolish enough to let your ntp out they may be able to track you between exit nodes -- not good. Interestingly governments are big TOR users (google if you don't believe me).
You are not required to fill these fields on the client. The server sends them back to you to enable the development of simple stateless clients, where you send the packets first and then decode the replies. Some NTP implementations (eg chrony) already leave the unneeded TX/RX timestamp out (it is filled with a nonce, for further protection against spoofing).
You should be careful with zeroing reference id, root delay and dispersion. Some enterprise NTP monitoring solutions use this to detect client problems. Of course, if you have a system like this you are using your own stratum 1 servers and don't really care about identifying data within your own network.
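An added example (my own code, not from the IETF draft, chrony, or any commenter) of the hardened client request the summary describes and the nonce trick the chrony comment mentions: it builds a 48-byte RFC 5905 mode-3 request with the seven identifying fields zeroed and a random nonce in the Transmit Timestamp, accepts a reply only if the nonce comes back in the Origin Timestamp, and includes a hypothetical `leaked_fields` check an operator could run over captured client requests to see which identifying fields a client still populates.

```python
import os
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_FMT = "!BBBbIII8s8s8s8s"  # RFC 5905 48-byte header; timestamps kept as raw 8-byte strings
FIELD_NAMES = ("li_vn_mode", "stratum", "poll", "precision", "root_delay",
               "root_dispersion", "reference_id", "reference_ts", "origin_ts",
               "receive_ts", "transmit_ts")
# The fields the draft says a client should zero because they fingerprint it.
IDENTIFYING = ("stratum", "root_delay", "root_dispersion", "reference_id",
               "reference_ts", "origin_ts", "receive_ts")

def parse(packet):
    """Unpack a 48-byte NTP header into a dict keyed by FIELD_NAMES."""
    return dict(zip(FIELD_NAMES, struct.unpack(HEADER_FMT, packet[:48])))

def build_client_request():
    """Client request (LI=0, VN=4, mode=3 -> first byte 0x23) with every identifying
    field zeroed. The Transmit Timestamp carries a random nonce instead of the local
    clock; a genuine server echoes it as Origin Timestamp, so a blind spoofer who
    never saw the request cannot produce an acceptable reply. Returns (packet, nonce)."""
    nonce = os.urandom(8)
    pkt = struct.pack(HEADER_FMT, 0x23, 0, 0, 0, 0, 0, 0,
                      b"\0" * 8, b"\0" * 8, b"\0" * 8, nonce)
    return pkt, nonce

def leaked_fields(packet):
    """Hypothetical defender's check: names of identifying fields a captured
    client request populated (an empty list means the client follows the draft)."""
    f = parse(packet)
    return [n for n in IDENTIFYING if f[n] not in (0, b"\0" * 8)]

def check_response(packet, nonce):
    """Accept a reply only if it is mode 4 and echoes our nonce in Origin Timestamp.
    Returns the server's Transmit Timestamp as Unix seconds, or None if rejected."""
    f = parse(packet)
    if (f["li_vn_mode"] & 0x07) != 4 or f["origin_ts"] != nonce:
        return None
    secs, frac = struct.unpack("!II", f["transmit_ts"])
    return secs - NTP_EPOCH_OFFSET + frac / 2 ** 32
```

Sending the packet to UDP port 123 and feeding the reply to `check_response` is all a minimal stateless client needs; the nonce is the only per-request state.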
The government could turn off the NIST atomic clock, but couldn't turn off the ones in universities or the like. GPS is explicitly run by the US government, and has been tweaked to reduce its efficiency.
My stratum 1 server also receives timing from the Russian glonass constellation. American GPS is not the only game in town, and hasn't been for many years.
Kid-proof tablet..