Re: [TLS] Let's remove gmt_unix_time from TLS

Nick Mathewson <nickm@torproject.org> Wed, 11 September 2013 17:18 UTC

Return-Path: <nick.a.mathewson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FFA211E80D3 for <tls@ietfa.amsl.com>; Wed, 11 Sep 2013 10:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.059
X-Spam-Level:
X-Spam-Status: No, score=-1.059 tagged_above=-999 required=5 tests=[AWL=-0.621, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NNYarIVW8jJB for <tls@ietfa.amsl.com>; Wed, 11 Sep 2013 10:18:14 -0700 (PDT)
Received: from mail-qc0-x232.google.com (mail-qc0-x232.google.com [IPv6:2607:f8b0:400d:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 9B51611E81EA for <tls@ietf.org>; Wed, 11 Sep 2013 10:17:34 -0700 (PDT)
Received: by mail-qc0-f178.google.com with SMTP id r5so5403021qcx.23 for <tls@ietf.org>; Wed, 11 Sep 2013 10:17:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=v2PbisQoJia3DGskho6Kgl1k6rzvayUiBP7iH3fyJQw=; b=ECw/0InN4HCbzGPvNuzyn31RLZVRuMZAY1h1LRsGjnsZJIE05k4gjWDigJAdz9lGXB /jXuRUYOOCMl6f4ZQonEfqeQgKfJDVX578jsdMNFw4vvGYBjMDu/ez/PUeyTCnaXLDE2 NJkR09euXdSyhtjT9ZTpQhGkj9uSx4hVCe8pMPjKDWBq8F64ZrwiQq9K3IJtLTxk4D9r C0JSdAI3ySZXV/1j+pdjOWWnSybFgnkoVBxCa+34wrTKEwiCCOP3ysj0EQ+Yzd2xp1ZG q5DeEUelHu4zHEz2nLfuDar+TMMIWfuQGZRgXtPoUP6ELTUwSnu+SsvMSOUlkW35D0tD Ynww==
MIME-Version: 1.0
X-Received: by 10.229.127.74 with SMTP id f10mr5238195qcs.16.1378919854287; Wed, 11 Sep 2013 10:17:34 -0700 (PDT)
Sender: nick.a.mathewson@gmail.com
Received: by 10.140.22.81 with HTTP; Wed, 11 Sep 2013 10:17:34 -0700 (PDT)
In-Reply-To: <20130911185329.3dcd75db@hboeck.de>
References: <CAKDKvuw240Ug4xB3zi2w0y7pUvCwSe0nNFZ2XP2vL-tbtKT0tg@mail.gmail.com> <20130911185329.3dcd75db@hboeck.de>
Date: Wed, 11 Sep 2013 13:17:34 -0400
X-Google-Sender-Auth: Vf5XxFFFEukN4IA3X-dJBeyQs68
Message-ID: <CAKDKvuzhY0UvDttJKRRRTgESONVD=X9SoZXkKBWWE5bWXCBeBw@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: =?ISO-8859-1?Q?Hanno_B=F6ck?= <hanno@hboeck.de>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Let's remove gmt_unix_time from TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2013 17:18:16 -0000

On Wed, Sep 11, 2013 at 12:53 PM, Hanno Böck <hanno@hboeck.de>; wrote:
> On Wed, 11 Sep 2013 11:43:53 -0400
> Nick Mathewson <nickm@torproject.org>; wrote:
>
>> Despite the late date, much of the world is still not
>> synchronized to the second via an ntp-like service. This means
>> that different clients have different views of the current time,
>> which provides a fingerprint that helps to track and distinguish
>> them.  This fingerprint is useful for tracking clients as they
>> move around.  It can also distinguish clients using a single VPN,
>> NAT, or privacy network.  (Tor's modified firefox avoids this by
>> not sending the time.)
>
> I can't help getting the feeling that you're trying to fix the wrong
> thing here. People use computers with a wrong clock. That's the problem
> here. You should try to fix that and not workaround it.

I respect your argument, and I used to think the same way myself.
Unfortunately, this doesn't seem to work so well in practice.

Consider that NTP has been around since before the web, and yet
typical consumer computers in the wild still have seconds to minutes
of clock skew.  Consider also that authenticated NTP is even less well
deployed than regular NTP, and that the possibility of
adversary-introduced clock skew reintroduces the fingerprinting
problem.

Also, consider that although fingerprinting issue is worst with large
skew, even less than a second of skew can be used to partition users:
If Alice's clock is only .1 second behind Bob's, a passive observer
can still conclude of 10% of Alice's TLS connections that they could
not have been sent by Bob, and of 10% of Bob's TLS connections that
they could not have been sent by Alice.  Over time, little
observations like this can add up to a lot of information for a clever
attacker.


Also, one could as easily argue that a broken PRNG is a problem that
needs to be fixed and not worked-around, and so gmt_unix_time should
not be supported. ;)

> My suggestion: Tor could detect on startup if the time is correct via
> ntp (or even through the tor network itself with the next server). If
> its not, it refuses to start unless an option like
> "iknowmytimeisbrokenandidontcare" is set. For the gui, issue a warning
> and an easy option to fix the time.

This idea has some merit, although we would need to find a workaround
for the fact that the initial TLS connection to the Tor network would
leak what time the client had thought it was until their anonymous NTP
requests had told them the real time.

In the short term, however, removing gmt_unix_time seems like a much
simpler fix: it can be done with a one-line patch to OpenSSL and/or
NSS, to improve the privacy of a great number of users, even those who
do not yet have an authenticated anonymized byzantine-fault-tolerant
NTP client.


yrs,
-- 
Nick