Network Time Protocol Hardened To Protect Users From Spying, Increase Privacy

AmiMoJo quotes the Register: The Internet Engineering Task Force has taken another small step in protecting everybody's privacy... As the draft proposal explains, the RFCs that define NTP have what amounts to a convenience feature: packets going from client to server have the same set of fields as packets sent from servers to clients... "Populating these fields with accurate information is harmful to privacy of clients because it allows a passive observer to fingerprint clients and track them as they move across networks".

The header fields in question are Stratum, Root Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin Timestamp, and Receive Timestamp. The Origin Timestamp and Receive Timestamp offer a handy example or a "particularly severe information leak". Under NTP's spec (RFC 5905), clients copy the server's most recent timestamp into their next request to a server – and that's a boon to a snoop-level watcher.
The proposal "proposes backward-compatible updates to the Network Time Protocol to strip unnecessary identifying information from client requests and to improve resilience against blind spoofing of unauthenticated server responses." Specifically, client developers should set those fields to zero.

proposal, should, and all that.

[turkeydance]

set those fields to zero.

I have since long given up on other peoples NTP.

[Anonymous Coward]

http://www.leobodnar.com/shop/... [leobodnar.com]

Stratum1 FTW!

Re:

[AK Marc]

If you are going to trust the government for your time, you have no trust in your time. You might as well manually synchronize with an atomic clock once every month as your internal time source won't lose +- 5 min in a month (unless there's a serious problem with the system clock), and drift isn't a "real" problem if everyone in the same security domain is drifting together.

Re:

[Anonymous Coward]

I assume you mean because GPS is run by government? Meh. as long as governments (mulitple) are using the same time source I actually trust it quite a bit. Besides, atomic clocks essentially mean trusting government too... they are ALL either directly or indirectly funded by governments, even one you buy yourself for personal use.

Re:

[AK Marc]

The government could turn off the NIST atomic clock, but couldn't turn off the ones in universities or the like. GPS is explicitly run by the US government, and has been tweaked to reduce its efficiency.

Re: I have since long given up on other peoples NT

[adolf]

My stratum 1 server also receives timing from the Russian glonass constellation. American GPS is not the only game in town, and hasn't been for many years.

Re:

[drinkypoo]

Wowsers that's a lot of money. You can get PPS out of neo8m

Re:

[arglebargle_xiv]

Nice, but pretty pricey. Not quite in the league of a Symmetricom privewise, but getting close. I'm running more or less the same thing but without the OLED display at 1/10th the price. Unfortunately the guy who made them on Tindie seems to have gone away, so I can't provide a link.

Re:

[driblio]

Check your protocols.

Actually, establishing (and tearing down) an encrypted TCP channel is far less simple than UDP based ntp.

The open port isn't a requirement, but it is how ntp does the important (and complicated) part - establishing what the real time actually is, without blind faith in just one other server.

Re:

[Zero__Kelvin]

Ignoring for the moment what a bad idea that would be, how do you plan on doing HTTP without a port open?

Re:

[dcollins117]

IP over Avian Carriers [wikipedia.org]

Local NTP is probably a bit more secure

[RevDisk]

I just use a GPS attachment. Well, GPS, GLONASS and Galileo. With a tiny bit of code to verify location checks out, math wise it'd be tricky to spoof. If my building moves by any significant amount, I'm fairly sure there's a problem of some sort that needs my attention. Spoofing the time and getting the locational data from all three providers to match would be kinda an impressive mathematical exercise. Plus, any domestic GPS spoofing will bring the anger of the FCC on someone and never underestimate interdepartment bureaucracy fury. It's kinda unlikely unless you're in a very high security environment.

Very simple to code. Cost me $50, and pretty much only because I wanted one that could handle multiple constellations. Or buy one off the shelf. More expensive, less work.

Re:

[sjames]

Just be sure to avoid setting your watch during an earthquake.

Re:

[RevDisk]

If the antenna position moves more than 10 feet, I have other concerns. ;)

Use HTTPS over UDP

[hcs_$reboot]

HTTPS over UDP [stackexchange.com]

Perhaps a better solution

[jmcharry]

Fill the fields with plausible garbage. If the data has no legitimate usage, poison it.

Re:

[Anonymous Coward]

But if everyone's garbage is different it's unique, and thus identifying, information.

Re:

[Archfeld]

Fill the fields with random garbage each time a request is made. That way you create more and more seemingly unique entities to track. If you can't beat/avoid the DB, fill it with garbage.

Slippery Jim DiGriz
https://en.wikipedia.org/wiki/... [wikipedia.org]

Re: When time.windows.com...

[Zero__Kelvin]

The hope that ignorant people will stop thinking Microsoft is competent? Double points for not thinking they must be competent because they are "big".

Re:

[arglebargle_xiv]

OTP (Office Time Protocol) predates even that one by decades, and is probably more accurate than Microsoft's NTP:

Hey Jim, what time is it?
About five-ish
Beer o'clock?
Yeah, about that.

Never failed so far.

Re:

[arglebargle_xiv]

It's not just that, in a domain you've actually got CTP, Clusterfuck Time Protocol. Let's see, we'll all sync to that backup domain controller over there, which is sync'd to another BDC, one of which syncs to the PDC, which in turn syncs to a different BDC. Having that lot settling on a time is like watching a bunch of rednecks debate how gravity waves work, they eventually converge on some sort of solution but it sure ain't the solution that anyone else is on.

Re:

[hcs_$reboot]

can't even get the time correct, we should be focusing on reliability instead of security.

That's a normal behavior. Windows has always been a few years behind.

Watch very closely.

[WolfgangVL]

Anytime anybody says they are doing something "to protect you from spying" or to "increase your privacy" You would do well to watch very closely and try to read between the lines. Sometimes your just a paranoid nutcase. Sometimes.

Simple solutions

[LostMyBeaver]

Time related issues are easy to solve. The real problem is that no one wants to pay a few bucks for accurate time since probably 99% or more of all systems synchronizing time probably don't need better than the correct second... forget milliseconds or better.

So here's the thing. Replace NTP as the wide spread time protocol with one that uses a round trip timer over HTTPS for get time requests and changes are the precision is good enough.

Most enterprise and industrial environments don't need precision time,

Re:

[Zero__Kelvin]

"Of course, synchronizing against a server is stupid since time on Windows and Linux is generally REALLY bad because they're running on general purpose operating systems without real-time extensions, so clock drift is a reality."

Linux doesn't need "real time extensions". Linux has had soft realtime support in the mainline kernel for a frigging decade. Furthermore, clock drift is "a thing" everywhere. If it were not then there would be no need for NTP.

"Now, the Cisco solution is nice because you can stick a

Re:

[Dog-Cow]

It's amusing that you think being real-time has anything to do with keeping time.