Hi,

For a while I've been interested in secure network time that would be useful for Tor users. Tor users generally need accuracy to the hour in the local system clock. That kind of clock accuracy is pretty easy to achieve with a few different hacks. Some people have taken to setting clocks with HTTP headers but I think that's a nightmare - not only because people will parse the header with questionable code but also because of latency, amongst other things.
I've implemented a bunch of network time checks[0] just for fun and the tool I wrote, teatime, is useful for looking at a server for timing information. It's just a tool for poking at systems and it's not meant to be more than an experimental tool. Feel free to submit patches for other ways to extract system time from server types.

I decided that the most reliable time channel worth using was SSL/TLS. As a result, I've also written another tool, tlsdate[1], that I regularly use for setting my own clock. It has some drawbacks. For example - it only has accuracy to the second and it uses an unintentional time channel in the TLS protocol itself. The TLS spec actually says that the ServerHello and ClientHello should contain the system time of the respective system. These records are covered by the TLS security properties - assuming the connection is somehow authenticated. Currently tlsdate only has one way to verify certificates to ensure that the connection is secure - namely, it's the usual CA racket. That's secure for certain values of secure and I think it's more secure than just running `ntpdate time.apple.com` or `rdate example.com`; any thoughts on this are welcome. Furthermore, tlsdate is parasitic - so you can easily set your clock off of https://encrypted.google.com or any other SSL/TLS enabled server.

tlsdate has seen a lot of auditing and these days, it's been hacked on quite extensively by Christian Grothoff with a few minor patches from others - we'd love further people to audit the tool. I'd love some code review but also just some feedback. Would you want it to run as a system daemon? Would it be useful if it could take a list of hundreds of hosts or randomly test IP addresses? Should we extend the tool to work with STARTTLS services too?
All the best,
Jacob

[0] https://github.com/ioerror/teatime
[1] https://github.com/ioerror/tlsdate

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
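As an added example (not from the post above, and not code from teatime or tlsdate), here is how the time channel the post describes is laid out on the wire and what a defender-side check of it looks like: the first four bytes of the ServerHello Random field carry a big-endian gmt_unix_time (RFC 5246 section 7.4.1.2), which can be compared against the local clock and bounded before anyone trusts it. The sample ServerHello bytes, the build-time lower bound and the helper names are constructed for this illustration.

```python
import struct

# Constructed sample: a TLS 1.2 ServerHello body (the bytes after the 4-byte
# Handshake header), not captured from any real server. Layout per RFC 5246
# section 7.4.1.3: ProtocolVersion (2 bytes), Random (32 bytes: a 4-byte
# big-endian gmt_unix_time followed by 28 random bytes), then session_id,
# cipher_suite and compression_method, which this example does not parse.
SAMPLE_GMT_UNIX_TIME = 1328000000            # arbitrary epoch value for the sample
SERVER_HELLO_BODY = (
    b"\x03\x03"                               # server_version: TLS 1.2
    + struct.pack("!I", SAMPLE_GMT_UNIX_TIME)  # Random.gmt_unix_time
    + bytes(range(28))                        # stand-in for Random.random_bytes[28]
    + b"\x00"                                 # session_id length 0
    + b"\x00\x2f"                             # cipher_suite TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x00"                                 # compression_method: null
)


def extract_gmt_unix_time(server_hello_body: bytes) -> int:
    """Return the gmt_unix_time field from the Random of a ServerHello body."""
    if len(server_hello_body) < 2 + 32:
        raise ValueError("ServerHello body too short to hold version + Random")
    (gmt_unix_time,) = struct.unpack("!I", server_hello_body[2:6])
    return gmt_unix_time


def estimate_offset(server_time: int, local_time: float, rtt: float) -> float:
    """Seconds the local clock must move to match the server, assuming the
    ServerHello was generated midway through the round trip (rtt/2 in flight)."""
    return (server_time + rtt / 2.0) - local_time


def is_plausible(server_time: int, lower_bound: int, upper_bound: int) -> bool:
    """Sanity bound applied before trusting the value. Many TLS stacks fill
    gmt_unix_time with random bytes (and TLS 1.3 defines the whole Random as
    random), so a value outside [lower_bound, upper_bound] is discarded rather
    than written to the clock."""
    return lower_bound <= server_time <= upper_bound


def within_tolerance(offset: float, tolerance_seconds: int = 3600) -> bool:
    """True when the local clock is already within the tolerance (an hour by
    default, the accuracy the post says Tor users need)."""
    return abs(offset) <= tolerance_seconds


if __name__ == "__main__":
    # Hypothetical lower bound: the timestamp the tool was built at. No honest
    # server clock can be earlier than that. Upper bound: ten years after it.
    BUILD_TIME = 1327000000                   # constructed placeholder
    UPPER = BUILD_TIME + 10 * 365 * 86400
    server_time = extract_gmt_unix_time(SERVER_HELLO_BODY)
    # In a real check local_time and rtt come from clock reads around the handshake;
    # here the local clock is constructed to be 30 minutes ahead of the server.
    local_time = float(server_time) + 30 * 60
    offset = estimate_offset(server_time, local_time, rtt=0.2)
    print("server gmt_unix_time:", server_time,
          "plausible:", is_plausible(server_time, BUILD_TIME, UPPER))
    print("offset (s):", round(offset, 3), "within an hour:", within_tolerance(offset))
```

The plausibility bound is the important edge case: a stack that randomizes the field yields a value that is almost always far outside any sane window, so the check fails closed instead of setting the clock to garbage, and the RTT/2 term is what limits the method to roughly second-level accuracy over real links.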