Tor should warn users when traveling backwards through time
An attacker can do evil things by rewinding a user's clock, without having to own their machine (e.g., NTP attacks).
Tor maintains a monotonic clock to prevent rewinding attacks while Tor is running. Tor also keeps some persistent information about the user's time in the state file, in the LastWritten field.
On launch, if Tor sees that the system time has been rewound to before the LastWritten time, it should warn the user that something strange is happening. However, Tor should not update the monotonic clock or fail to launch, since the user may have changed the time deliberately.
Trac:
Username: hdevalence
Activity
changed milestone to %Tor: 0.2.8.x-final in legacy/trac
added 028-triaged in Legacy / Trac component::core tor/tor in Legacy / Trac easy in Legacy / Trac milestone::Tor: 0.2.8.x-final in Legacy / Trac points::small in Legacy / Trac priority::very low in Legacy / Trac reporter::hdevalence in Legacy / Trac resolution::fixed in Legacy / Trac security in Legacy / Trac severity::normal in Legacy / Trac status::closed in Legacy / Trac type::enhancement in Legacy / Trac labels
See my branch
warn-when-time-goes-backwardson https://github.com/teor2345/tor.gitTrac:
Status: new to needs_review
Milestone: N/A to Tor: 0.2.8.x-finalI'm happy to change the warning message, but it's quite long already, do you have a suggestion for the text we should use?
The current text is:
log_warn(LD_GENERAL, "Your system clock has been set back in time. " "Tor needs an accurate clock to know when the consensus " "expires. Clock time is %s, state file time is %s.", now_str, last_written_str);
i couldnt think of anything to leave out without reducing information.
Your clock goes wrong. Tor needs an accurate clock. Clock time is %s, state file time is %s.is shorter but much less precise. i'd prefer the original one. this is the text i would add if it doesnt get too long:reasons can be an empty bios battery or a malicious ntp serverthere are many other reasons but i think those are the most useful ones. the malicious ntp server could unnecessarily scare people however if its actually happening its very important for the user to know that time is a security relevant topic.Trac:
Username: elypterHow about:
log_warn(LD_GENERAL, "Your system clock has been set back in time. " "Tor needs an accurate clock to know when the consensus " "expires. You might have an empty clock battery or bad NTP " "server. Clock time is %s, state file time is %s.", now_str, last_written_str);(I simplified the language a little.)
Added a fixup commit to
warn-when-time-goes-backwardson https://github.com/teor2345/tor.gitNow that I've read connection_dir_client_reached_eof(), where we also warn about inaccurate clocks, I think it would be nice to make both messages consistent.
We could also refactor the message generation so that it's in a common function.
Here's the current code from connection_dir_client_reached_eof():
log_fn(trusted ? LOG_WARN : LOG_INFO, LD_HTTP, "Received directory with skewed time (server '%s:%d'): " "It seems that our clock is %s by %s, or that theirs is %s. " "Tor requires an accurate clock to work: please check your time, " "timezone, and date settings.", conn->base_.address, conn->base_.port, delta>0 ? "ahead" : "behind", dbuf, delta>0 ? "behind" : "ahead");Trac:
Keywords: N/A deleted, easy added
Status: closed to reopened
Priority: normal to trivial
Resolution: implemented to N/AClosed in favour of the new ticket legacy/trac#17739 (moved).
Trac:
Status: reopened to closed
Resolution: N/A to fixedmentioned in issue legacy/trac#17208 (moved)
moved from legacy/trac#17188 (moved)
added Feature First Contribution labels and removed 1 deleted label
added Security label and removed 1 deleted label
