sdwdate Tor Consensus Time Sanity Check
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Patrick
	Feb 9 2015, 4:05 PM

Description

problem description:

When the host's system clock is too much off, Tor won't be able to connect and since sdwdate runs through Tor, it won't be able to fix the clock. At the moment in such situations there is no good feedback to the user.

proposal

A sdwdate sanity test could be created.
Before attempting to fetch the time from Tor hidden services, it could check what Tor is telling us about the clock.
Check if times from remote servers match Tor are within consensus/valid-after and consensus/valid-until, otherwise reject those.

caution

As per chat log with Roger directory authorities can lie about time - so we need to use this with care.
Tor consensus isn't always downloaded from directly from directory authorities, sometimes Tor downloads the Tor consensus from directory mirrors. And the latter aren't trusted as much as directory authorities. Those are just like normal relays.
We should have the courtesy to not explicitly download from directory authorities, because... armadev: oh. i think that would be horrible. hundreds of thousands of users doing that could overwhelm the directory authorities.

misc:

anondate
https://www.whonix.org/wiki/Dev/TimeSync#anondate
- anondate is a fork of tordate and already parses Tor consensus file. It's already part of anon-shared-helper-scripts (https://github.com/Whonix/anon-shared-helper-scripts/blob/master/usr/lib/anon-shared-helper-scripts/anondate).
- Why not use tordate by Tails instead of reinventing the wheel with anondate?

Another option, from control-spec.txt:

"consensus/valid-after"
"consensus/fresh-until"
"consensus/valid-until"
 Each of these produces an ISOTime describing part of the lifetime of
 the current (valid, accepted) consensus that Tor has.
 [New in Tor 0.2.6.3-alpha]

Related: https://www.whonix.org/wiki/Dev/TimeSync#Tor_Consensus_Method
Related: T56

Deprecated:

~~We could then inform the user and/or - if it is safe - even roughly fix the clock for the user so sdwdate can fix it. (From verified Tor consensus (vs unverified Tor consensus). Needs research.)~~
~~plugin sdwdate-plugin-anondate~~ (Not required as a plugin, because sdwdate now depends on Tor anyhow.)
~~Migrated from: https://github.com/Whonix/Whonix/issues/244 (contains extensive discussion)~~ (outdated)
~~Tails-dev - tordate: why is it safe to set time from unverified-consensus?~~ (threat model does not include fingerprinting)

credits:

Extensive research and guess work done by @HulaHoop and @Patrick.

scope:

The scope of this ticket is to create a sdwdate sanity test. It would be a user of anondate.

Details

Impact: Normal

Related Objects
Search...

		Status	Assigned	Task
		Open	None	T56 Bridge Sanity Check
		Resolved	Patrick	T151 sdwdate Tor Consensus Time Sanity Check

Event Timeline

Patrick created this task.Feb 9 2015, 4:05 PM

Patrick raised the priority of this task from to Normal.

Patrick updated the task description. (Show Details)

Patrick added projects: sdwdate, usability, security.

Patrick added subscribers: Patrick, HulaHoop.

Herald added a project: Whonix. · View Herald TranscriptFeb 9 2015, 4:05 PM

Patrick mentioned this in T56: Bridge Sanity Check.Feb 9 2015, 4:08 PM

Patrick renamed this task from sdwdate-plugin-anondate to sdwdate Tor Consensus Time Sanity Check (sdwdate-plugin-anondate).Feb 9 2015, 4:13 PM

Patrick updated the task description. (Show Details)Feb 13 2015, 1:06 PM

Patrick renamed this task from sdwdate Tor Consensus Time Sanity Check (sdwdate-plugin-anondate) to sdwdate Tor Consensus Time Sanity Check.Aug 5 2015, 3:46 PM

Patrick updated the task description. (Show Details)

Patrick set Impact to Normal.

Herald added a subscriber: • WhonixQubes. · View Herald TranscriptAug 5 2015, 3:46 PM

Patrick updated the task description. (Show Details)Aug 5 2015, 3:48 PM

Patrick updated the task description. (Show Details)Mar 13 2016, 12:10 AM

Patrick mentioned this in T482: whonixcheck should test for slow / fast clock.Mar 21 2016, 3:22 PM

WIP https://github.com/Whonix/sdwdate/commit/c626798651f263b06190cd7d9f03d3976f99c68a

Done:

Checks if system clock is between consensus/valid-after and consensus/valid-until. Otherwise a warning is logged.
Disregards any remote times not between consensus/valid-after and consensus/valid-until.

Questions:

Do you think the following information from the Tor control connection is safe to have for Whonix-Workstation?

./tor_consensus_valid-after.py 
2017-02-24 22:00:00

./tor_consensus_valid-until.py 
2017-02-25 01:00:00

https://github.com/Whonix/Whonix/commit/db688595fcad0a84875f50186634e761137f4d17

Patrick updated the task description. (Show Details)Feb 25 2017, 4:28 AM

TODO: test what happen if Tor cannot fetch Tor consensus

https://github.com/Whonix/anon-shared-helper-scripts/commit/b6909067c2834fb04d514dc15b6223776ed3372a
https://github.com/Whonix/anon-shared-helper-scripts/commit/1eb7cde03039d6488e782f25171f2d47017add50

sdwdate Tor Consensus Time Sanity CheckClosed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

sdwdate Tor Consensus Time Sanity Check
Closed, ResolvedPublic
Actions

Related Objects
Search...