* hahahahacker2009 <hahahahacker2009@gmail.com> [2026-03-10 07:03]:
> I will provide some context about the suggestion to disable NTP.
>
> It is possible that bios_23498234908@proton.me came from one of the
> following ``privacy security'' communities (most suspected first)
bad advice is bad advice, no matter from whom.
> The first 4 communities agreed that NTP is not secure:
> > The most popular time synchronisation method, NTP, is insecure,
> > as it is unencrypted and unauthenticated, allowing an attacker to
> > trivially intercept and modify requests.
not true for OpenNTPD.
while it is unencrypted and not authenticated there is the cookie
embedded in OpenNTPD's requests that an attacker would have to guess
correctly, and the replies are matched against the window determined
via https, limiting the damage an attacker can do to pretty much
negligible, provided the https-determined time is reliable.
> > NTP also leaks your local
> > system time in NTP timestamp format, which can be used for
> > clock skew fingerprinting, as briefly mentioned before.
not true for OpenNTPD.
	/*
	 * Send out a random 64-bit number as our transmit time. The NTP
	 * server will copy said number into the originate field on the
	 * response that it sends us. This is totally legal per the SNTP spec.
	 *
	 * The impact of this is two fold: we no longer send out the current
	 * system time for the world to see (which may aid an attacker), and
	 * it gives us a (not very secure) way of knowing that we're not
	 * getting spoofed by an attacker that can't capture our traffic
	 * but can spoof packets from the NTP server we're communicating with.
	 *
	 * Save the real transmit timestamp locally.
	 */
	p->query.msg.xmttime.int_partl = arc4random();
	p->query.msg.xmttime.fractionl = arc4random();
	p->query.xmttime = gettime();
	if (ntp_sendmsg(p->query.fd, NULL, &p->query.msg) == -1) {
in essence: you and the other guy have a lot of opinion on something
you have very, very little knowledge about. a bad combo in my book.
henning
--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
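The mechanism Henning describes, worked through as an added example that is not OpenNTPD's code: a client that sends a random 64-bit cookie in the transmit-timestamp field, keeps the real send time locally, and accepts a reply only if the originate field echoes that cookie and the server's time falls inside a window derived from an HTTPS Date: header (the constraint). The packet fields stay in host byte order and no socket is involved; the cookie, the timestamps and the 300-second margin are constructed for the scenarios, and all function and struct names are assumptions of this example, not OpenNTPD's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define JAN_1970 2208988800UL /* NTP epoch (1900) to Unix epoch (1970), seconds */

struct ntp_ts { uint32_t sec, frac; };

/* RFC 5905 packet fields, kept in host order here (serialization omitted). */
struct ntp_msg {
	uint8_t li_vn_mode, stratum, ppoll, precision;
	uint32_t rootdelay, rootdisp, refid;
	struct ntp_ts reftime, orgtime, rectime, xmttime;
};

struct query {
	struct ntp_msg msg;  /* what goes on the wire */
	uint64_t cookie;     /* random value sent as "transmit time" */
	time_t sent_at;      /* real transmit time, kept locally only */
};

/* Window from an HTTPS Date: header; the margin is assumed, not OpenNTPD's. */
struct constraint { time_t https_time, margin; };

enum verdict { REPLY_OK = 0, REPLY_BAD_COOKIE, REPLY_OUTSIDE_CONSTRAINT };

/* Stand-in for arc4random(): 64 random bits from the kernel, 0 on failure. */
static uint64_t random_cookie(void)
{
	uint64_t c = 0;
	FILE *f = fopen("/dev/urandom", "rb");
	if (f != NULL) {
		if (fread(&c, sizeof c, 1, f) != 1)
			c = 0;
		fclose(f);
	}
	return c;
}

/* Client request: xmttime carries the cookie, so the packet reveals nothing
 * about our clock; the real send time stays in the query struct. */
static void build_query(struct query *q, uint64_t cookie, time_t now)
{
	memset(q, 0, sizeof *q);
	q->msg.li_vn_mode = (4 << 3) | 3;  /* LI 0, version 4, mode 3 (client) */
	q->cookie = cookie;
	q->msg.xmttime.sec = (uint32_t)(cookie >> 32);
	q->msg.xmttime.frac = (uint32_t)cookie;
	q->sent_at = now;
}

/* Reply validation: first the cookie echo, then the HTTPS-derived window. */
enum verdict check_reply(const struct query *q, const struct ntp_msg *r,
    const struct constraint *c)
{
	uint64_t echoed = ((uint64_t)r->orgtime.sec << 32) | r->orgtime.frac;
	if (echoed != q->cookie)
		return REPLY_BAD_COOKIE;  /* blind spoofer never saw our cookie */
	time_t server_time = (time_t)(r->xmttime.sec - JAN_1970);
	if (server_time < c->https_time - c->margin ||
	    server_time > c->https_time + c->margin)
		return REPLY_OUTSIDE_CONSTRAINT;  /* on-path, but the time is a lie */
	return REPLY_OK;
}

/* Server side, per RFC 5905: copy the request's xmttime into orgtime. */
static void server_reply(const struct ntp_msg *req, struct ntp_msg *rep,
    time_t server_clock)
{
	memset(rep, 0, sizeof *rep);
	rep->li_vn_mode = (4 << 3) | 4;  /* mode 4 (server) */
	rep->stratum = 2;
	rep->orgtime = req->xmttime;
	rep->rectime.sec = rep->xmttime.sec = (uint32_t)(server_clock + JAN_1970);
}

/* Constructed scenarios with fixed values so the outcomes are deterministic. */
#define NOW    ((time_t)1770000000)  /* early 2026 */
#define COOKIE 0x0123456789abcdefULL
static const struct constraint WIN = { NOW + 3, 300 };

int request_hides_clock(void)  /* 1 if the wire xmttime is not our clock */
{
	struct query q;
	build_query(&q, COOKIE, NOW);
	return q.msg.xmttime.sec != (uint32_t)(NOW + JAN_1970);
}

int scenario_honest(void)      /* right cookie, time inside the window */
{
	struct query q; struct ntp_msg r;
	build_query(&q, COOKIE, NOW);
	server_reply(&q.msg, &r, NOW + 1);
	return check_reply(&q, &r, &WIN);
}

int scenario_blind_spoof(void) /* off-path attacker has to guess orgtime */
{
	struct query q; struct ntp_msg r;
	build_query(&q, COOKIE, NOW);
	server_reply(&q.msg, &r, NOW + 1);
	r.orgtime.sec = 0xdeadbeef;  /* wrong guess out of a 2^64 space */
	return check_reply(&q, &r, &WIN);
}

int scenario_onpath_lie(void)  /* attacker saw the cookie, shifts time a year */
{
	struct query q; struct ntp_msg r;
	build_query(&q, COOKIE, NOW);
	server_reply(&q.msg, &r, NOW + 365 * 86400);
	return check_reply(&q, &r, &WIN);
}

int main(void)
{
	struct query q;
	build_query(&q, random_cookie(), time(NULL));
	printf("hides clock=%d honest=%d blind=%d onpath=%d\n",
	    request_hides_clock(), scenario_honest(),
	    scenario_blind_spoof(), scenario_onpath_lie());
	return 0;
}
```

The third scenario is the caveat in Henning's own words: the cookie only defeats an attacker who cannot see the request, and it is the HTTPS-derived window that bounds what an on-path attacker can do, so the whole thing is only as good as the time taken from the TLS-authenticated site.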