... | ... | @@ -48,10 +48,11 @@ have a network fingerprint unique to Tails. Some people may think NTP, |
|
|
which is widely used, but NTP is unauthenticated, so a MitM attack
|
|
|
would let an attacker set the system time, which later may be used to
|
|
|
fingerprint the Tails user for applications/protocols that leak the
|
|
|
system time. And while authenticated NTP exists (tails/tails#6113), it's barely in use, so it'd become a great way to identify
|
|
|
Tails users.
|
|
|
system time. Authenticated NTP (tails/tails#6113) is not broadly uses, so it'd become
|
|
|
a great way to identify Tails users. There are possible mitigation measures
|
|
|
to allow ourselves to use NTP anyway, which at least one of proposed plans uses.
|
|
|
|
|
|
In fact, we'd prefer if the sought after "mechanism" is part of Tor's
|
|
|
Ideally, we'd prefer if the sought after "mechanism" is part of Tor's
|
|
|
normal bootstrap process, with no extra packets sent, so the network
|
|
|
fingerprint becomes indistinguishable from a "normal" Tor bootstrap.
|
|
|
That would be a very handy fact when reasoning about how Tails users
|
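Review bot: The reworded authenticated-NTP sentence contains a typo ("is not broadly uses" should read "is not broadly used"), and the sentence that follows it, "There are possible mitigation measures to allow ourselves to use NTP anyway", names neither the measures nor the plan that relies on them. Since the preceding context lines explain that unauthenticated NTP lets a MitM set the system time, the text should either list the mitigations or point to where they are defined, for example the "Current plan" section or the issue that tracks the decision. Also, "at least one of proposed plans" is missing "the", and "Ideally, we'd prefer" is redundant: "Ideally, the sought after mechanism would be part of Tor's normal bootstrap process" says the same thing.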
... | ... | @@ -81,6 +82,29 @@ Some other requirements about this mechanism: |
|
|
Possible solutions
|
|
|
==================
|
|
|
|
|
|
Current plan
|
|
|
------------
|
|
|
|
|
|
Meta:
|
|
|
|
|
|
- Some aspects of this plan are still unclear, so it's difficult to tell how
|
|
|
much of the problem described above it will solve.
|
|
|
|
|
|
- This plan reuses parts of the "Ask the user what time it is" option that's
|
|
|
described below in more details. At this point it's not clear which problems
|
|
|
considered in the "Ask the user what time it is" option are also
|
|
|
handled here.
|
|
|
|
|
|
UX design: https://gitlab.tails.boum.org/tails/blueprints/-/wikis/network_connection#ux-design
|
|
|
|
|
|
tl;dr:
|
|
|
|
|
|
- If the user chooses autoconfig, then do unsafe NTP so Tor can bootstrap.
|
|
|
We'll decide on tails/tails#18230 if and how we can do that.
|
|
|
Then, once Tor has bootstrapped, do a safer time sync.
|
|
|
|
|
|
- Else, when the user chooses to hide Tor, ask them fix the time zone and clock manually.
|
|
|
|
|
|
Ask the user what time it is
|
|
|
----------------------------
|
|
|
|
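Review bot: The tl;dr bullet "do unsafe NTP so Tor can bootstrap" does not say how the concerns raised earlier in this document are handled: that a MitM can set the system time, and that the network fingerprint should stay indistinguishable from a normal Tor bootstrap. The decision is deferred to tails/tails#18230, which is fine, but the section should at least state that the NTP-derived time is treated as untrusted until the post-bootstrap sync replaces it, and say what "a safer time sync" refers to. The "Meta" bullets say that some aspects are unclear without listing them; an explicit list of open questions would let readers judge which problems from the "Ask the user what time it is" option are still open. Two wording fixes: "ask them fix" should be "ask them to fix", and "in more details" should be "in more detail".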
... | ... | |