posted by martyb on Thursday October 22 2015, @10:44PM   Printer-friendly
from the does-anyone-really-know-what-time-it-is? dept.

http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can-defeat-https-and-create-chaos/

Ars Technica reports on a vulnerability where unencrypted Network Time Protocol (NTP) traffic can be exploited by man-in-the-middle attacks to arbitrarily set the times of computers to cause general chaos and/or carry out other attacks, such as exploiting expired HTTPS certificates.

While NTP clients have features to prevent drastic time changes, such as setting the date to ten years in the past, the paper on the attacks presents various methods for bypassing these protections.

There is a PDF of the paper available.
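As an added example that is not part of the Ars Technica story or of the paper: a minimal NTPv4 reply validator in Python showing the kind of client-side sanity checks the summary refers to, namely that a reply must echo the origin timestamp of our own request and that an offset beyond ntpd's default 1000-second panic threshold is refused rather than applied. The packet layout follows the NTPv4 header; the sample replies, the request time and the threshold constant are constructed here for offline use.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
PANIC_THRESHOLD = 1000.0        # ntpd's default limit for a clock step, in seconds
NTP_FORMAT = "!BBBbII4s4Q"      # 48-byte NTPv4 header: flags, stratum, poll, precision,
                                # root delay, root dispersion, reference id, four timestamps

def to_ntp(unix_seconds):
    """Unix-epoch seconds -> 64-bit NTP timestamp (32.32 fixed point since 1900)."""
    ntp = unix_seconds + NTP_EPOCH_OFFSET
    secs = int(ntp)
    return (secs << 32) | int((ntp - secs) * (1 << 32))

def from_ntp(ts64):
    """64-bit NTP timestamp -> Unix-epoch seconds as a float."""
    return (ts64 >> 32) + (ts64 & 0xFFFFFFFF) / (1 << 32) - NTP_EPOCH_OFFSET

def build_reply(origin, t2, t3, stratum=2, li=0):
    """Constructed server reply (mode 4); sample input only, not a real server's output."""
    flags = (li << 6) | (4 << 3) | 4    # leap indicator, version 4, mode 4 (server)
    return struct.pack(NTP_FORMAT, flags, stratum, 6, -20, 0, 0, b"GPS\x00",
                       to_ntp(t2 - 30), to_ntp(origin), to_ntp(t2), to_ntp(t3))

def check_reply(pkt, t1, t4):
    """Validate a reply to a request sent at t1 and received at t4 (Unix seconds); returns (accepted, reason, offset)."""
    if len(pkt) < 48:
        return False, "short packet", None
    (flags, stratum, _poll, _prec, _rdelay, _rdisp, _refid,
     _ref, origin, rx, tx) = struct.unpack(NTP_FORMAT, pkt[:48])
    if (flags & 0x07) != 4:
        return False, "not a server reply", None
    if (flags >> 6) == 3:
        return False, "server reports itself unsynchronised (LI=3)", None
    if not 1 <= stratum <= 15:
        return False, "invalid stratum %d" % stratum, None
    if origin != to_ntp(t1):
        # A reply carrying someone else's origin timestamp is not an answer to our request.
        return False, "origin timestamp does not match our request", None
    t2, t3 = from_ntp(rx), from_ntp(tx)
    offset = ((t2 - t1) + (t3 - t4)) / 2.0      # standard NTP clock-offset formula
    if abs(offset) > PANIC_THRESHOLD:
        return False, "offset %.0fs exceeds panic threshold" % offset, offset
    return True, "ok", offset

if __name__ == "__main__":
    T1 = 1445553840.0                    # constructed request time (22 Oct 2015 UTC)
    honest = build_reply(T1, T1 + 0.010, T1 + 0.011)
    shifted = build_reply(T1, T1 - 94608000, T1 - 94608000)  # three years in the past
    for name, pkt in (("honest", honest), ("shifted", shifted)):
        print(name, check_reply(pkt, T1, T1 + 0.020))
```

These checks only catch coarse tampering: a man-in-the-middle who sees the request can echo the right origin timestamp and stay under the threshold, which is the class of bypass the paper is about, so they complement rather than replace protecting the exchange itself.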


    by Hyperturtle (2824) on Friday October 23 2015, @06:18PM (#253689)

    Right, I avoided using the public pools because those are what were cited as being vulnerable. Someone between you and them can alter your NTP because it isn't local, set back your clock, and then present you an invalid expired fake certificate that suddenly is more valid than it was before, since the time is now showing it's a valid cert and there was no way to protect the NTP exchange in the pools.

    Almost anything over the internet is the problem, because NTP is generally not encrypted. If you said to use an IPSEC tunnel to a place that had time, then sure. But I do not agree with your suggestion because it is the dependency on such that has perpetuated the ability to cause the problem cited.

    Keeping it local is why I suggested it.

    There are atomic clocks that are heinously expensive and overkill, and there are clocks that use GPS to sync with satellites and have a 10 megabit network connection for not that much money... you just have to not have 10 floors of metal blocking that signal.

    Atomic clocks for network time also are available for a few thousand dollars and less.

    I do realize that many places with a few servers -- do not have a few thousand for an atomic clock. Heck I don't have one, but it would be cool to get a nixie tube one :)

    Part of my disconnect is that I do not have a good grasp on the workplace people here have, and such costs may be pure fantasy for them, as they were for you. I don't want to discount such ideas under the assumption everything has to be done on the cheap, but I also provided cheap ways to do it. I am guessing you don't have a phone system managed by one vendor, a data network by another, and windows by other people.

    Many places have desk phones that display a different time than the desk computers, which also is different from the cell phone in your pocket.

    When there is an issue, checking logs on network hardware to compare who came in when and on what -- oh look, the network is 12 minutes off and the servers are 5 minutes off and the phones are 2 minutes off from the servers and wait, what was the central NTP time source? It went through the compromised firewall?

    These are concerns I have to deal with, so I try to contain the time locally, while using a single host or two to pull time from trusted resources and then set those devices as ntp servers.

    There is no way I would let everything on the network pull time from some outside place, even if it is convenient. It may be low priority to correct, but I ultimately want control of the time done locally, and for the actual time servers themselves -- I have options and it is not too hard to set up, either with a dedicated device or reliance on the ISP router.

    If you have an MPLS cloud, often those telco routers are great for this because they often themselves are synced to an atomic clock at the ISP or paid for to access by the ISP, and you can get the benefit of a high stratum time source by proxy of using the telco router. Note I say telco, not internet. Having internet access doesn't mean using the internet to get that access to NTP -- you likely can access telco specific routers within their network prior to passing their network edge to reach the internet, or in MPLS, just in their local cloud anyway and never come close to the internet.

    Anyway, there are many options. It can be made harder than it has to be, yes, but I wanted to avoid the really easy solution because the problem was that solution. It wasn't that there is no time, it's that the time itself is insecure, and using public resources to get time is to be trusted as a convenience at best without further administrative correction.
