Package: ntp Version: 1:4.2.6.p3+dfsg-1ubuntu3.1 Severity: normal Tags: security
Debian implements so much security one way or another. So much defenses against network level man in the middle or malicious proxies or wifi hotspots. Cryptographic verification generally works well but there is one big drawback: it requires correct date/time. NTP in Debian does not use any authentication by default, although it is supported by NTP. I conclude, that almost no one is using authenticated NTP, because there are no instructions in a forum or blog how to enable NTP authentication. Therefore almost everyone uses standard configuration and is at risk. An adversary can tamper with the unauthenticated NTP replies and put the users time several years back, especially, but not limited, if the bios battery or hardware clock is defect. That issue becomes more relevant with new devices like RP, which do not even have a hardware clock. Putting the clock several years back allows an adversary to use already revoked, broken, expired certificates; replay old, broken, outdated, known vulnerable updates etc. Suggested solutions: - NTP supports public and private keys: http://doc.ntp.org/4.1.0/genkeys.htm Use it. - Write easy documentation how to host an authenticated NTP server. - Write easy documentation how to use an authenticated NTP server. - Add gui optoins for using authenticated NTP. - Debian could run their own authenticated NTP server. - Debian has importance. You could officially ask the NTP pool if they could add authentication. - Debian could publicly the problem and ask the community for help. - I am sure some NTP server volunteers would like to add authentication, if you can provide clear instructions for them. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org