[tor-talk] secure and simple network time (hack)

Jacob Appelbaum jacob at appelbaum.net
Mon Feb 20 20:30:08 UTC 2012


Hi,

For a while I've been interested in secure network time that would be
useful for Tor users. Tor users generally need accuracy to the hour in
the local system clock. That kind of clock accuracy is pretty easy to
achieve with a few different hacks. Some people have taken to setting
clocks with HTTP headers but I think that's a nightmare - not only
because people will parse the header with questionable code but also
because of latency, amongst other things.

I've implemented a bunch of network time checks[0] just for fun and the
tool I wrote, teatime, is useful for looking at a server for timing
information. It's just a tool for poking at systems and it's not meant
to be more than an experimental tool. Feel free to submit patches for
other ways to extract system time from servers types. I decided that the
most reliable time channel worth using was SSL/TLS.

As a result, I've also written another tool, tlsdate[1], that I
regularly use for setting my own clock. It has some drawbacks. For
example - it only has accuracy to the second and it uses an
unintentional time channel in the TLS protocol itself. The TLS spec
actually says that the ServerHello and ClientHello should contain the
system time of the respective system. These records are covered by the
TLS security properties - assuming the connection is somehow authenticated.

Currently tlsdate only has one way to verify certificates to ensure that
the connection is secure - namely, it's the usual CA racket. That's
secure for certain values of secure and I think it's more secure than
just running `ntpdate time.apple.com` or `rdate example.com`; any
thoughts on this are welcome. Furthermore, tlsdate is parasitic - so you
can easily set your clock off of https://encrypted.google.com or any
other SSL/TLS enabled server.

tlsdate has seen a lot of auditing and these days, it's been hacked on
quite extensively by Christian Grothoff with a few minor patches from
others - we'd love further people to audit the tool.

I'd love some code review but also just some feedback. Would you want it
to run as a system daemon? Would it be useful if it could take a list of
hundreds of hosts or randomly test IP addresses? Should we extend the
tool to work with STARTTLS services too?

All the best,
Jacob

[0] https://github.com/ioerror/teatime
[1] https://github.com/ioerror/tlsdate


More information about the tor-talk mailing list