On Wed, Mar 02, 2016 at 02:24:08PM +0000, Juhasz Gabor wrote: > Hi All, > > According to this comparison : http://chrony.tuxfamily.org/comparison.html > the chrony does not support "Extra timestamp validation" at "NTP Client > section". > > Is there any plan to put this feature into chrony in the future?
There is currently no plan to add support for HTTPS as an authenticated time source to validate NTP timestamps. The plan is to implement the new Network Time Security protocol [1]. It should be a proper NTP authentication using public-key crypto. It should be much more accurate and efficient than HTTPS. The specification is still a work in progress, but I think it may already be in a state where it's possible to start working on an implementation for chrony. If you need something now and don't care much about efficiency, you could combine a SHM refclock using HTTPS date with NTP sources to get something similar to what openntpd does. Omnisync [2] is a SHM refclock that can use HTTPS. It doesn't seem to check how long the HTTP request took, so a MITM attacker could possibly insert a large offset to the measurement by delaying the packets. That shouldn't be difficult to fix. I think it just needs to check if the request didn't take more than say one second. [1] https://datatracker.ietf.org/wg/ntp/documents/ [2] https://www.vanheusden.com/time/omnisync/ -- Miroslav Lichvar -- To unsubscribe email chrony-users-requ...@chrony.tuxfamily.org with "unsubscribe" in the subject. For help email chrony-users-requ...@chrony.tuxfamily.org with "help" in the subject. Trouble? Email listmas...@chrony.tuxfamily.org.
