touch-packages team mailing list archive

Thread
Date

[Bug 1039420] Re: NTP security vulnerability because not using authentication by default

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Hanno Böck <hanno@xxxxxxxxx>
Date: Sat, 20 Dec 2014 10:04:40 -0000
Reply-to: Bug 1039420 <1039420@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Has Ubuntu considered using tlsdate instead of ntp? I think it's the
only working secure solution right now.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1039420

Title:
  NTP security vulnerability because not using authentication by default

Status in ntp package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu implements so much security one way or another. So much
  defenses against network level man in the middle or malicious proxies
  or wifi hotspots. Cryptographic verification generally works well but
  there is one big drawback: it requires correct date/time.

  NTP in Ubuntu does not use any authentication by default, although it
  is supported by NTP.

  I conclude, that almost no one is using authenticated NTP, because
  there are no instructions in a forum or blog how to enable NTP
  authentication. Therefore almost everyone uses standard configuration
  and is at risk.

  An adversary can tamper with the unauthenticated NTP replies and put
  the users time several years back, especially, but not limited, if the
  bios battery or hardware clock is defect. That issue becomes more
  relevant with new devices like RP, which do not even have a hardware
  clock.

  Putting the clock several years back allows an adversary to use
  already revoked, broken, expired certificates; replay old, broken,
  outdated, known vulnerable updates etc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions