I would like to suggest the implementation of "Network Time Security (NTS)",
RFC 8915 https://www.rfc-editor.org/info/rfc8915, in NetTime.
This brings a way to have a secure source of time information that is not so easy to manipulate by someone in the middle of the connection between the user device and the time server.
Servers that support Network Time Security (NTS):
time.google.com (leap second is a problem here because of the way Google handles it)
time.cloudflare.com
time.nist.gov
ptbtime1.ptb.de
ptbtime2.ptb.de
ptbtime3.ptb.de
ptbtime4.ptb.de
nts.netnod.se
sth1.nts.netnod.se
sth2.nts.netnod.se
ntp.trifence.ch
ntp.zeitgitter.net
ntp.3eck.net
and likely more.
It would be nice for NetTime to be able to access several servers to see what the reported difference is, and to allow the local Windows machine to be updated with the most correct time possible. That means it would take all values, take into account what the most common value is, and ignore values that are too distant. Should there be a problem with one or more servers, this would prevent the local machine from syncing using a bad source, provided several sources are used for the check.
Hi Joao,
I'll look at adding NTS support to a future version of NetTime. If configured with multiple servers, NetTime will already check with additional servers if there is a large time disparity between the current time on the local machine and the time returned by the first server, and then ignore any time that is too far out.
Hello Mark Griffiths,
Thanks for the answer. I hope it can be added in the near future as there isn't any native program for Windows that supports Network Time Security (NTS).
I understand the explanation. My idea would be for NetTime to have the option to test several servers to see what time the SERVERS agree is the correct one, of course taking into account that one or more servers may not agree on what the correct time is, for several reasons, but these would be taken into account by the program; the more servers it can check, the easier it should be to detect which clocks are really correct.
This is what experts agree on: https://www.netnod.se/blog/best-practices-connecting-ntp-servers "1. How many NTP servers should I use?" "(...) If you have only one clock, that is the only one you can trust. If you have two and they start to show different times, it is difficult to know which one has gone wrong. To guarantee accuracy, you need at least three clocks. If two of them show the same time, you can be relatively sure when the third clock has gone wrong. The more clocks you have showing the same time, the more sure you can be that they are right and that any clock showing a different time is incorrect. The same principle holds true for getting time over the Network Time Protocol (NTP). If your client allows it, you should connect to multiple NTP servers. (...)"
I'm not sure if you know how to implement it, but I hope it is not that difficult.
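The multi-server agreement described in the post above and in the quoted Netnod advice, written out as an added example (this is not NetTime's code and nothing from the thread claims NetTime works this way). Each server answer is modelled as an offset in seconds plus an uncertainty half-width; two answers agree when their uncertainty intervals overlap. The largest mutually overlapping group is found with Marzullo's interval sweep, which is the idea NTP's own selection algorithm builds on, and the client refuses to adjust the clock unless that group is at least three servers and a strict majority of those that answered, so one wrong or hostile server cannot win. The server names are taken from the list in the thread; the offsets are constructed, and "ntp.bad.example" is a hypothetical misbehaving server, not a real host.

```python
"""Agreement-based clock selection across several NTP/NTS servers.

Added example, not NetTime's own code. Each answer is (server, offset, error):
the offset in seconds between the server's clock and the local clock, and a
half-width uncertainty. Two answers agree when the intervals
[offset - error, offset + error] overlap.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    server: str
    offset: Optional[float]  # seconds; None when the server did not answer
    error: float = 0.050     # half-width of the uncertainty interval, seconds

    @property
    def lo(self) -> float:
        return self.offset - self.error

    @property
    def hi(self) -> float:
        return self.offset + self.error


def largest_agreeing_group(samples: List[Sample]) -> Tuple[List[Sample], List[Sample]]:
    """Split answering servers into (agreeing, outliers) using Marzullo's sweep.

    Walk the interval endpoints left to right, remember the point covered by
    the most intervals; every sample whose interval contains that point is in
    the agreeing group, everything else is an outlier.
    """
    events = []
    for s in samples:
        events.append((s.lo, 0, s))  # 0 = interval starts; sorts before an end at a tie
        events.append((s.hi, 1, s))  # 1 = interval ends
    events.sort(key=lambda e: (e[0], e[1]))

    covered = best = 0
    best_point = None
    for point, kind, _ in events:
        if kind == 0:
            covered += 1
            if covered > best:
                best, best_point = covered, point
        else:
            covered -= 1

    good = [s for s in samples if s.lo <= best_point <= s.hi]
    bad = [s for s in samples if s not in good]
    return good, bad


def select_offset(samples: List[Sample], min_agree: int = 3) -> Tuple[float, List[Sample], List[Sample]]:
    """Return (offset_to_apply, agreeing_servers, rejected_servers).

    Raises ValueError rather than guessing when fewer than `min_agree` servers
    agree, or when the agreeing group is not a strict majority of the servers
    that answered (e.g. a 2-vs-2 split, where nobody can tell who is wrong).
    """
    responders = [s for s in samples if s.offset is not None]
    if len(responders) < min_agree:
        raise ValueError(f"only {len(responders)} server(s) answered, need {min_agree}")
    good, bad = largest_agreeing_group(responders)
    if len(good) < min_agree or 2 * len(good) <= len(responders):
        raise ValueError(f"no trustworthy majority: {len(good)} of {len(responders)} agree")
    return median(s.offset for s in good), good, bad


# Constructed answers (not real measurements). Hosts are from the list in the
# thread; "ntp.bad.example" is a hypothetical server that is far off.
CONSTRUCTED_ANSWERS = [
    Sample("time.cloudflare.com", 0.012, 0.020),
    Sample("ptbtime1.ptb.de", 0.018, 0.020),
    Sample("nts.netnod.se", 0.009, 0.030),
    Sample("ntp.bad.example", 42.5, 0.020),
    Sample("ntp.trifence.ch", None),  # did not answer; skipped, not counted
]

if __name__ == "__main__":
    offset, good, bad = select_offset(CONSTRUCTED_ANSWERS)
    print(f"apply offset {offset:+.3f}s, agreed by {[s.server for s in good]}")
    print(f"ignored {[s.server for s in bad]}")
```

In practice the offset and error for each server would come from the NTP exchange (half the round-trip delay is a common error bound), and with NTS the answers are also authenticated, so an on-path attacker would have to compromise a majority of the configured servers rather than just forge the reply from the first one.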
That's basically how NetTime already works.
I've tested version 3.14 and it seems to only connect to the first server in the list and not to the other ones, unless the first server doesn't answer?
That is why I wrote that.
From your answer it seems that the program connects to the first server, and if the local machine time is close enough it will say things seem fine, but if not it may test another server until one agrees with the local time?
Yes, that's correct.
Ok, it seems I got the picture of how it currently works correctly.
Well, I think I have given my suggestion for this new feature in a way that you understand what I mean.
Even if you decide to implement it the way it currently works, it will still be better than just supporting NTP, and if it can be done the way I suggest, it would be perfect for me and likely for most people wanting the most accurate time possible over the Internet, but with the advantage of knowing that there is little chance of some attacker influencing it.