Commit a896fa85 authored by amnesia

TODO update wrt. the HTP work.

parent 658a690f
......@@ -61,6 +61,11 @@ be used to extract a pretty good time.
So well, that's not as accurate as NTP, but maybe it could be a better
fit for our system than NTP…
We installed a hacked version of the Perl HTP client into
`/usr/local/sbin/htpdate`. Our development repository is at:
git://gaffer.ptitcanardnoir.org/htp.git
## Fingerprinting?
It would need to go in the clear with an exception in the firewall
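Review bot: the new lines pointing readers at `git://gaffer.ptitcanardnoir.org/htp.git` as the source of what gets installed into `/usr/local/sbin/htpdate` name an unauthenticated git:// transport and no revision; the text should say how the checkout is verified (which signed tag or commit the installed client corresponds to), otherwise someone following these notes cannot confirm they built the same hacked client that the rest of the page describes.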
......@@ -78,28 +83,24 @@ of the queried webservers' admins share their logs. Choosing a bunch
share user data should be enough of a protection against
this threat.
### fingerprinting via unusual http behaviour of the HTP client
The HTP Perl client sets the http user-agent as `htpdate/$version`.
> We then need to hack it to use the same user-agent as
> iceweasel/torbutton.
>> The [[attached Perl
>> program|authenticate_time_servers/getTorbuttonUserAgent.pl]]
>> provides a way to get this information, and the
>> [[attached, hacked htpdate|authenticate_time_servers/htpdate]]
>> adds a `-a` option that allows setting a custom user agent.
Anyone who monitors a given Internet connection that is used to run
T(A)ILS would probably infer T(A)ILS usage from this connection
pattern.
Furthermore, its "connection pattern" is pretty suspicious:
a web-browser loading foo.com/index.html would complete the whole
exchange and download index.html + any referenced resources whereas
htpdate/htpd drops the connection once it's got the first http header.
### fingerprinting via unusual http behaviour of the HTP client
> We then need to hack it to to complete the http exchange
Our hacked HTP client allows its user to choose the user agent it
exposes. We use the same user-agent as iceweasel/torbutton,
thanks to `/usr/local/bin/getTorbuttonUserAgent`.
>> The [[attached, hacked htpdate|authenticate_time_servers/htpdate]]
>> does this when run with the `-f` option.
It was remarked that upstream HTP client's "connection pattern" is
pretty suspicious: a web-browser loading foo.com/index.html would
complete the whole exchange and download index.html + any referenced
resources whereas htpdate/htpd drops the connection once it's got the
first http header. That's why our hacked HTP client has a "full
request" mode, that we use; when run this way, the http exchange is
completed, and any needed resources that are normally needed to
display a page are loaded as well.
## Sources?
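Review bot: the "full request" mode described at the end of this hunk (`any needed resources that are normally needed to display a page are loaded as well`) means htpdate now fetches whatever the chosen pages reference, possibly from hosts other than the queried webservers, while the earlier text only budgets a firewall exception for the time servers themselves; the document should state which hosts the exception covers and what the client does with referenced resources it cannot reach. Also, the two subsections both titled `### fingerprinting via unusual http behaviour of the HTP client` cover different things (the first the user-agent string, the second the connection pattern); renaming the first would make the section navigable, and it is worth noting there that matching the user-agent alone leaves the other request headers as a remaining difference from the browser.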
......@@ -126,29 +127,17 @@ Is the HTP client behaving as it should (e.g. exit with a loud
warning without setting the time) when there is a problem with the
certificate when using HTTPS?
> As the htpdate Perl client − that only queries one server − makes
> use of the `LWP::UserAgent` Perl module, it can be configured with
> environment variables to achieve certificate verification. See the
> [`Crypt::SSLeay` documentation on (annotated)
> CPAN](http://annocpan.org/~DLAND/Crypt-SSLeay-0.57/SSLeay.pm)
> for details. The
> [Net::SSLGlue CPAN module](http://search.cpan.org/dist/Net-SSLGlue/)
> might be additionally needed; it is packaged in Debian.
>
> However, I've not looked at the other available implementations (a
> Perl daemon, C client and a C daemon). Choosing one that supports
> querying several servers and calculating some kind of mean result
> would probably be a more sensible decision.
Our hacked `/usr/local/sbin/htpdate` uses wget's own certificate
verification. It has no error message dedicated to the case when a
certificate cannot be verified, but at least it ignores the "faulty"
server in such a situation.
>> The [[attached, hacked htpdate|authenticate_time_servers/htpdate]]
>> uses wget's own certificate verification. It has no error message
>> dedicated to this situation, but at least does not set the time if
>> certificates cannot be verified.
> When a given certificate cannot be verified, the servers pool
> consistency should be considered to be not secure enough, and the
> HTP client should exit => [[!taglink todo/code]].
## Left to do
[[!tag todo/code]]
The main thing left to do is to integrate our hacked htpdate script
into the boot process
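Review bot: the paragraph `Our hacked /usr/local/sbin/htpdate uses wget's own certificate verification ... at least it ignores the "faulty" server` documents a silent-skip behaviour, while the quoted item just below says the client `should exit` when a certificate cannot be verified and tags that as todo/code; the document should say explicitly that the current behaviour is the weaker one (a failing server is dropped from the pool with no message, so the pool the consistency check runs over may be smaller than assumed) and keep the exit requirement as the open item, rather than leaving the two statements side by side as if both held.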
......@@ -165,7 +154,8 @@ boot time, we could do the very same manual hostname resolution we
already do, write the results to `/etc/hosts`, run htpdate, and
eventually remove(?) these entries from `/etc/hosts`.
[[!tag todo/documentation]]
Once this is implemented, the [[design
documentation|contribute/design/NTP]] should be updated.
> This has been implemented, here's what is left:
>
> * the [[design documentation|contribute/design/NTP]] should be
> updated [[!taglink todo/documentation]]
> * [[!taglink todo/test]]!
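Review bot: `eventually remove(?) these entries from /etc/hosts` leaves the question open while the quoted follow-up says `This has been implemented`; the document should record whether the manually resolved entries are removed after htpdate runs, since entries left in `/etc/hosts` keep those hostnames pinned to the boot-time addresses for the rest of the session. The remaining todo/test item should also say what is to be tested, at minimum the unverifiable-certificate path described in the previous hunk.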