Re: timedatectl Should Not be Enabled by Default: Privacy/Anonymity risks
The attacks we are trying to protect against are described here:
https://www.whonix.org/wiki/Time_Attacks

The threat model is network adversaries ranging from ISP level to major ones. With mass surveillance everywhere it's necessary to take this threat model into account before taking decisions about how a distro should work.

On 07/27/2015 07:55 AM, intrigeri wrote:
> Hi,
>
> bancfc wrote (26 Jul 2015 18:19:59 GMT) :
>> The research comes from WhonixOS a privacy centric distro like TAILS.
>
> For the record, this does not imply any position from Tails regarding this topic: the Tails threat model generally does not apply as-is to Debian.

Yes I should have made that clear. I mention TAILS to tell people what Whonix is about because they might only be familiar with the former because of news stories.

> Also, it would be good to describe what exact threat model you see timedatectl as a security/privacy problem, so Debian has the data to evaluate if/how its default installation settings behave in that context: looking at one single potential issue in isolation does not make much sense to me, if there are potentially dozens of other ways for an attacker to do what they want. Thanks in advance!
>
> To end with, I'm wondering whether this email is really about timesyncd.

It's about the threats of insecure time synchronization in general but it also concerns timesyncd that could play a part in this if enabled by default.

> Cheers,

___
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
Re: timedatectl Should Not be Enabled by Default: Privacy/Anonymity risks
Hi,

bancfc wrote (26 Jul 2015 18:19:59 GMT) :
> The research comes from WhonixOS a privacy centric distro like TAILS.

For the record, this does not imply any position from Tails regarding this topic: the Tails threat model generally does not apply as-is to Debian.

Also, it would be good to describe what exact threat model you see timedatectl as a security/privacy problem, so Debian has the data to evaluate if/how its default installation settings behave in that context: looking at one single potential issue in isolation does not make much sense to me, if there are potentially dozens of other ways for an attacker to do what they want. Thanks in advance!

To end with, I'm wondering whether this email is really about timesyncd.

Cheers,
--
intrigeri
timedatectl Should Not be Enabled by Default: Privacy/Anonymity risks
It's not a good idea to enable timedatectl (or any NTP daemon) by default in Debian Stretch+ because it has negative consequences for privacy and anonymity. The NTP protocol is not secure and can be trivially manipulated by network observers to mount clock skew attacks. NTPS is no better because of the broken SSL CA model. Leaking clock information about a machine can open the way for remote device fingerprinting even if they are anonymous.

The research comes from WhonixOS, a privacy-centric distro like TAILS.
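
Added example, not part of the mailing-list thread or of any project's code: a Python audit helper that parses a captured NTP packet (header layout per RFC 5905) and reports whether it carries a symmetric-key authenticator and what clock value its transmit timestamp exposes to an on-path observer. The function names and the sample packet are constructed for illustration; extension fields are not parsed, and whether a given client puts its real clock in the transmit field is an assumption.

```python
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN = 48               # fixed NTP header size

def build_client_request(client_unix_time):
    """Constructed sample: a bare NTPv4 client (mode 3) request, no authenticator."""
    sec = int(client_unix_time) + NTP_UNIX_DELTA
    frac = int((client_unix_time % 1) * 2**32)
    # LI=0, VN=4, Mode=3 -> 0x23; bytes 1..39 zero; transmit timestamp at offset 40
    return struct.pack("!B39xII", 0x23, sec, frac)

def inspect_ntp(packet, captured_at):
    """Report what a passive observer learns from one NTP packet.

    captured_at is the observer's own Unix time when the packet was seen.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("NTP header is 48 bytes; packet too short")
    version = (packet[0] >> 3) & 0x7
    mode = packet[0] & 0x7
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    client_clock = tx_sec - NTP_UNIX_DELTA + tx_frac / 2**32
    trailer = len(packet) - HEADER_LEN
    return {
        "version": version,
        "mode": mode,                      # 3 = client, 4 = server
        # key id (4 bytes) + MD5 (16) or SHA-1 (20) digest directly after the header
        "has_symmetric_mac": trailer in (20, 24),
        "trailer_bytes": trailer,
        "client_clock_unix": client_clock,
        # the sender's clock error as seen by the observer, in seconds
        "offset_vs_observer": client_clock - captured_at,
    }

if __name__ == "__main__":
    # Constructed capture: client clock is 2.5 s behind the observer's clock.
    pkt = build_client_request(1437900000.5)
    for key, value in inspect_ntp(pkt, captured_at=1437900003.0).items():
        print(f"{key}: {value}")
```

A 48-byte packet has no room for a key identifier and digest, so nothing in it lets the receiver verify who sent it, and the offset field is the per-machine clock information the post refers to.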