On Tue, Nov 25, 2014 at 02:35:12PM -0700, Chris Murphy wrote:
> On Tue, Nov 25, 2014 at 10:51 AM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> > Some networks have bad NTP service in the sense that they hand out incorrect
> > time (not just off by a few seconds, but days or months, enough to skew
> > certificate validity).
>
> I'm not sure what we're supposed to do about such sabotage on the
> network, that seems distinctly a local issue. We should do the best we
> can right now, while providing a manual switch for the user to alter
> the default.
>
> It used to be the case that we used these servers:
> 0.fedora.pool.ntp.org
> 1.fedora.pool.ntp.org
> 2.fedora.pool.ntp.org
> 3.fedora.pool.ntp.org

We still do. Unless the number of bad servers added from DHCP is large
enough to disrupt the NTP source selection algorithm or the pool
servers are not reachable (NTP traffic blocked), it shouldn't be a big
problem. Of course, without authentication this can't reliably protect
against MITM attacks.

> > Now if Fedora offered a high-availability cryptographic time service (we
> > actually do, sort of), things might be different—but not much, because then
> > we'd be having a discussion about phoning home instead.
>
> The pool still exists. Are we not supposed to use them?

I think Florian meant getting time over HTTPS from a Fedora server.
The tlsdate program could be used for that. I'm not sure what
resources would be needed to allow this to be enabled by default.

The NTP Autokey protocol would be probably more efficient (and
accurate), unfortunately it doesn't work behind NAT.

--
Miroslav Lichvar
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
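
The reply's point about source selection can be illustrated with a simplified interval-intersection (Marzullo-style) selector. This is an added example, not part of the original message and not the code of ntpd or chronyd; the offsets, error bounds and `dhcp-N` server names are constructed, and the strict-majority rule is an assumption of this sketch.

```python
from typing import NamedTuple, Optional

class Source(NamedTuple):
    name: str
    offset: float  # measured offset from the local clock, in seconds
    error: float   # error bound on that measurement, in seconds

class Selection(NamedTuple):
    lo: float      # lower edge of the agreed offset interval
    hi: float      # upper edge of the agreed offset interval
    names: list    # sources whose intervals contain [lo, hi]

def select(sources) -> Optional[Selection]:
    """Largest group of sources with overlapping intervals, or None without a strict majority."""
    edges = []
    for s in sources:
        edges.append((s.offset - s.error, 0))  # 0 = interval opens (sorts first on ties)
        edges.append((s.offset + s.error, 1))  # 1 = interval closes
    edges.sort()
    best = count = 0
    lo = hi = 0.0
    for i, (point, kind) in enumerate(edges):
        count += 1 if kind == 0 else -1
        if kind == 0 and count > best:
            best, lo, hi = count, point, edges[i + 1][0]
    if best * 2 <= len(sources):
        return None  # no majority agrees: refuse to pick a side
    names = [s.name for s in sources
             if s.offset - s.error <= lo and s.offset + s.error >= hi]
    return Selection(lo, hi, names)

# Constructed sample data: four pool servers within a few milliseconds of each
# other, and DHCP-supplied servers that are a month off (hypothetical names).
MONTH = 30 * 24 * 3600.0
POOL = [Source(f"{i}.fedora.pool.ntp.org", off, 0.05)
        for i, off in enumerate([0.012, -0.008, 0.020, 0.003])]

def dhcp(n):
    return [Source(f"dhcp-{i}", MONTH + 0.001 * i, 0.05) for i in range(n)]

if __name__ == "__main__":
    for label, srcs in [("4 pool + 1 DHCP", POOL + dhcp(1)),
                        ("2 pool + 2 DHCP", POOL[:2] + dhcp(2)),
                        ("4 pool + 5 DHCP", POOL + dhcp(5))]:
        print(label, "->", select(srcs))
```

With one skewed DHCP server the four pool servers are selected; with the pool partly unreachable (two against two) nothing is selected; with five skewed servers they form the majority, which is why unauthenticated selection alone cannot be relied on.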