adrelanos:
> Jacob Appelbaum:
>> I think adding an option to verify the leaf certificate's
>> fingerprint, rather than just the signature alone would be a fine
>> idea.
>
> Yes, then we could ask eff, tpo and similars about their policy to
> change the certificates. If we pin their certificates, we don't have
> to trust any CAs.
>

I'd prefer to trust a CA (or well, Tor identity) run by EFF, Tor or someone else.

>> so, it depends a lot on what you mean by "getting rid of all CAs"
>
> In this particular discussion I meant "no need to use any CAs". (In
> general I would be happy to see a widespread replacement for the CAs
> as a whole.)
>

So does that mean you do or do not like DNSSEC? :)

>>> And even if you use only a single source over TLS (pinned) as
>>> time source... How is it better than using a single authenticated
>>> NTP server over TCP?
>>
>> I've never seen a system that shipped with authenticated NTP
>> enabled.
>
> It doesn't exist, unfortunately. It's also a critical security
> vulnerability in all major operating systems, not only for Tor users,
> for anyone. No one cares about it as long as no one uses it for a big
> scale attack. If an attacker moves back the time several years he can
> use revoked certificates.

I agree. That's one of the reasons why I have been working on tlsdate.

>
>> I'm sure it has happened but generally, ntp is unauthenticated and
>> is run as a UDP service.
>
> Yes.
>
>> I'd be interested to see a client configuration that works over TCP
>> and has strong integrity protection of the remote time.
>
> It's certainly possible but almost no one is using it. I found two
> guides about adding authentication to NTP.
> https://ntp3.sp.se/howto.html
> http://support.ntp.org/bin/view/Support/ConfiguringAutokey
>
> (Over TCP is possible as well, Google tells.)

I'd like to see a normal ntp client that runs over Tor safely - can you show us an example of a way to do that? If so, I'd gladly consider running such an NTP service. I already run a normal UDP OpenNTP server in the pool.

>
> As Tails pointed out...
> https://tails.boum.org/todo/authenticate_time_servers/
> https://tails.boum.org/contribute/design/Time_syncing/
>
> The system can not be adapted since you will have a hard time finding
> public, free NTP servers, which support authenticated NTP. And even if
> you find a very few, you can not rely on a small amount of servers. A
> big pool is required for distributed trust.

That's a resource issue, not a technical issue. We can solve both, I think.

I'd like to know if someone has actually used normal NTP clients over Tor, even with private servers and found that it was suitable?

All the best,
Jacob
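
The leaf-fingerprint check proposed at the top of this thread, as an added example that is not part of the original message and is not tlsdate code. All function names are hypothetical, and the pin is assumed to be a SHA-256 hash of the DER-encoded leaf certificate. Since no CA chain or validity period is evaluated, the result does not depend on the local clock being correct.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_pin(pin: str) -> bytes:
    """Accept 'AA:BB:..' or 'aabb..' SHA-256 fingerprints; return 32 raw bytes."""
    raw = bytes.fromhex(pin.replace(":", "").replace(" ", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin is not a SHA-256 fingerprint")
    return raw


def leaf_matches_pin(leaf_der: bytes, pins: list[str]) -> bool:
    """True if SHA-256 of the DER leaf certificate equals any pinned value."""
    seen = hashlib.sha256(leaf_der).digest()
    # Evaluate every pin (no early exit) and compare in constant time.
    results = [hmac.compare_digest(seen, normalize_pin(p)) for p in pins]
    return any(results)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server's leaf certificate without any CA or validity check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin alone
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise ssl.SSLError("server sent no certificate")
    return der


def pinned_connect_ok(host: str, pins: list[str]) -> bool:
    """Fail closed: an empty pin list or a mismatch is a rejection."""
    return bool(pins) and leaf_matches_pin(fetch_leaf_der(host), pins)
```

Pinning more than one fingerprint per host (current and next certificate) keeps the check working across a planned certificate change, which is the policy question raised in the quoted reply.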
