Please excuse that I wasted your time. You're absolutely right. The only thing that comes to my mind is that one could add something like a small notice that tells the new user to maybe alter his ntpd constraints to a "TLS-Provider" that resides in his time zone. A good place for that could be the welcoming mail, which already describes some first steps.
On Sat, Dec 07, 2019 at 11:25:48AM -0700, Theo de Raadt wrote: > >That might be the case. > >The man page creates the impression that my ntpd will carry out a TLS > >Handshake with "https://www.google.com". Out of that handshake (because > >it is anycast) you get your approximate local time. Which serves as > >vague measuring point for answers by the ntp servers that you are > >querying. But the suggestion I made is absolutely 100 % wrong. > > > >Would it be an option to choose another Anycast resolving address ? > >For example akami.net ? > > akami.net has no https. > maybe you mean akamai.net? again, no https. > > many akamai services come out of less capable caches, not making the > same effective certificate promises as the google front-end. would > you notice if an akamai service did a certificate downgrade? not > really. i don't think the proposal is serious. > > as a result we use quad9 and google https because their global > adjacency is excellent, and then we are avoiding cloudflare https > because we added their ticker in the mix (though their anycast ticker > is a very weird thing) > > >g Stephan > > > >On Thu, Dec 05, 2019 at 03:03:43PM -0700, Theo de Raadt wrote: > >> I guess you don't understand what is going on there. > >> > >> List <l...@md5collisions.eu> wrote: > >> > >> > Hello, > >> > > >> > here a diff replacing www.google.com as a default time constraint by > >> > www.openbsd.org. > >> > It is claimed that OpenBSD would have sane and secure defaults. While > >> > www.google.com might be secure it ain't sane from a privacy concerned > >> > perspective. Therefore the diff. > >> > > >> > Regards, > >> > Stephan > >> > > >> > Index: etc/ntpd.conf > >> > =================================================================== > >> > RCS file: /cvs/src/etc/ntpd.conf,v > >> > retrieving revision 1.16 > >> > diff -u -p -r1.16 ntpd.conf > >> > --- etc/ntpd.conf 6 Nov 2019 19:04:12 -0000 1.16 > >> > +++ etc/ntpd.conf 5 Dec 2019 21:36:57 -0000 > >> > @@ -8,4 +8,4 @@ sensor * > >> > > >> > constraint from "9.9.9.9" # quad9 v4 without DNS > >> > constraint from "2620:fe::fe" # quad9 v6 without DNS > >> > -constraints from "www.google.com" # intentionally not 8.8.8.8 > >> > +constraints from "www.openbsd.org" # intentionally not Google > >> > > >> > >