oss-sec mailing list archives
Re: can we talk about secure time?
From: Stuart Henderson <stu () spacehopper org>
Date: Sat, 20 Dec 2014 14:42:32 +0000
On 2014/12/20 12:27, Hanno Böck wrote:
> Is there any reason not to tell everyone to use tlsdate? What's the distro's take on this? afaik many ship ntp-based solutions by default.

That won't work well for OpenBSD; libressl uses a random value instead of the timestamp. Using tlsdate against such a server:

V: In TLS response, T=978796414
V: In TLS response, T=3901855112
V: In TLS response, T=602561497
V: In TLS response, T=4259017273
V: In TLS response, T=1129774656
V: In TLS response, T=2844925558

There are certainly reasons you might not want to expose exact server time of a general purpose server, e.g. passing time(NULL) to srand is very common, but that's another can of worms (we also had some changes in that area recently).

As far as NTP goes, OpenNTP does at least send cookies in some fields and check returned values, mitigating against blind spoofing. For sure it's not perfect, but requires no configuration and is better than not doing it.
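As an added illustration of the point above (not code from the thread or from tlsdate): tlsdate reads the 4-byte gmt_unix_time field at the start of the ServerHello random, and a server that randomises that field (as the libressl output shows) yields samples spread across decades. The helper below parses that field from a minimal, constructed ServerHello record and applies the sanity check a tlsdate-style client should make before trusting the value: several samples from the same server must agree within a small window. The parser assumes one ServerHello per record with no extensions, which is enough for the check being shown.

```python
import struct

# Values quoted in the message above, as observed by tlsdate against a libressl server.
LIBRESSL_SAMPLES = [978796414, 3901855112, 602561497, 4259017273, 1129774656, 2844925558]


def build_server_hello(gmt_unix_time: int, random_tail: bytes = b"\x00" * 28) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello record: no session id, no extensions."""
    # ServerHello body: version(2) + random(gmt_unix_time 4 + random_bytes 28)
    #                   + session_id length(1) + cipher_suite(2) + compression(1)
    body = (b"\x03\x03" + struct.pack("!I", gmt_unix_time) + random_tail
            + b"\x00" + b"\x00\x2f" + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # msg_type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


def parse_server_hello_time(record: bytes) -> int:
    """Return the gmt_unix_time field of a ServerHello, the value tlsdate reports as T."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (record_len,) = struct.unpack("!H", record[3:5])
    handshake = record[5:5 + record_len]
    if len(handshake) < 10 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    # handshake[1:4] is the 3-byte length, handshake[4:6] the server version,
    # then the 32-byte random begins with the 4-byte big-endian gmt_unix_time.
    return struct.unpack("!I", handshake[6:10])[0]


def assess_samples(times, tolerance_seconds: int = 60) -> str:
    """'consistent' if every sample lies within tolerance of the others, else 'randomised'.

    A randomised gmt_unix_time (libressl) or a spoofed one will not be stable
    across connections, so a client should refuse to set the clock from it.
    """
    if not times:
        raise ValueError("no samples")
    spread = max(times) - min(times)
    return "consistent" if spread <= tolerance_seconds else "randomised"


if __name__ == "__main__":
    # Constructed value: the epoch time of this message's Date header.
    record = build_server_hello(1419086552)
    print("T =", parse_server_hello_time(record))
    print("libressl samples:", assess_samples(LIBRESSL_SAMPLES))
```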
Current thread:
- can we talk about secure time? Hanno Böck (Dec 20)
- Re: can we talk about secure time? Stuart Henderson (Dec 20)
- Re: can we talk about secure time? Daniel Kahn Gillmor (Dec 20)
- Re: can we talk about secure time? ncl () cock li (Dec 20)
- Re: can we talk about secure time? Daniel Micay (Dec 20)
- Re: can we talk about secure time? Florian Weimer (Dec 21)
- Re: can we talk about secure time? Daniel Micay (Dec 21)
- Re: can we talk about secure time? Dave Horsfall (Dec 21)
- leap seconds and security [was: Re: can we talk about secure time?] Daniel Kahn Gillmor (Dec 21)
- Re: can we talk about secure time? Florian Weimer (Dec 21)
- Re: can we talk about secure time? Hanno Böck (Dec 21)
- Re: can we talk about secure time? Kurt Seifried (Dec 21)