top | item 13059662

hga | 9 years ago

Classic NTP is hardly the only game in town. For example, see the NTPsec work in progress: https://www.ntpsec.org/ which I'll probably transition to someday, maybe even get an el-cheapo GPS receiver now that I'm not effectively living in a basement.

And I've personally been using chrony for a while, although my needs are significantly less than whatever level of accuracy it provides. There are some other clients out there as well, such as OpenBSD's OpenNTPD, although I have a vague memory of it having issues of precision, congruent with the distribution's focus on security.


throwbsidbdk | 9 years ago

My biggest issue with NTP is little control over who runs the servers. Unlike the CA system that has checks in place against bad actors, practically anyone can run an NTP pool.

It was discovered a while ago, for example, that some of the default Linux NTP servers are run by Shodan. So when your machine gets the time, it lets Shodan know you've got a server running so they can port scan you.

It would be stupid not to run a bunch of NTP servers if you wanted to run a botnet. A free list of every running Linux server and countless IoT devices! Without having to actively scan IP space at all.

lgas | 9 years ago

NTP is more analogous to an SMTP server, HTTP server or any of the other myriad servers anyone can run on the internet with absolutely no vetting. The CA system is something different entirely. If you're confident that an NTP server is safe, don't use it. The same you would do with a potentially malicious website.

sliken | 9 years ago

NTP is hierarchical. If you run a large organization, generally you run a few NTP servers that talk to the internet. Then you set up your local nodes to talk to your NTP servers.

So it's hardly "a list of every running linux server".
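Here is what that two-tier layout looks like as a chrony configuration. This is an example added here, not something posted in the thread or taken from the chrony project; the hostnames, the 10.0.0.0/8 range and the file paths are placeholders. The point it shows is that only the two site-facing servers ever send a packet to a public pool host, so nothing outside the site learns that the other machines exist.

```conf
# /etc/chrony/chrony.conf on the two site-facing servers (ntp1 and ntp2,
# hypothetical names). These are the only hosts that talk to public NTP servers.
pool 2.pool.ntp.org iburst maxsources 4

# Keep the two site servers in agreement with each other (on ntp1; ntp2 peers ntp1)
peer ntp2.example.internal

# Answer queries from the internal network only; nothing else gets a reply
allow 10.0.0.0/8

# Keep serving, at a deliberately poor stratum, if every upstream disappears
local stratum 10

driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync

# ------------------------------------------------------------------------
# /etc/chrony/chrony.conf on every other host in the site.
# No pool directive, so the host never contacts a public server, and no
# allow directive, so it never answers anyone's time requests either.
server ntp1.example.internal iburst
server ntp2.example.internal iburst

driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
```

On a client, `chronyc sources -v` should list only the two internal servers and `chronyc tracking` should report a stratum one above theirs; if a public pool host shows up in `chronyc sources` on anything other than ntp1 or ntp2, some package or cloud image has dropped in its own `pool` line and that host is back on the externally visible list the comment above worries about.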

ploxiln | 9 years ago

Hmm, does ntpsec only test their website with Chrome? Firefox says "Secure Connection Failed ... The OCSP server suggests trying again later." I guess that's one of the reasons Chrome TLS devs say online (looked-up on-demand) certificate revocation is useless.