How important is local time for security?
Question (score 28), asked yesterday by Martin Thoma
I recently wanted to see what happens when I change my local time to something obviously wrong. I tried the year 2218, so 200 years in the future. The result: I couldn't access any website anymore (I didn't try too many, though). I got this error:
I guess NET::ERR_CERT_DATE_INVALID means that an HTTPS certificate is not valid. But usually there is an "advanced" option that allows me to ignore it. Not so here. Also, I wonder why it says "your clock is ahead" - if Chrome knows the correct time, why doesn't it take this for comparing?
Coming to my question: How important is local time for security? If an attacker can arbitrarily change the system time, which kinds of attacks does this allow? Are there reported cases where time manipulation was a crucial part?
Tags: time, ntp
[25] "if Chrome knows the correct time, why doesn't it take this for comparing?" - I don't know how it's checking that, but 200 years in the future is rather obviously incorrect. It's possible to know that something is incorrect without knowing what the correct data actually is. – AndrolGenhald, yesterday
[1] Probably Chrome does not know the correct time, but knows that the certificate validity is way out of range. – allo, 22 hours ago
[2] @Acccumulation As I said, I've not bothered to check how it's implemented. Could be if it sees a certificate that expired more than 10 years ago it just assumes your clock is wrong. – AndrolGenhald, 18 hours ago
[1] @Acccumulation It could be based on the current version's release date as well. – IllusiveBrian, 16 hours ago
[2] @AndrolGenhald I would guess that Chrome itself has a time lookup with its own time servers built in. I'm sure it uses the local time, but I wouldn't be at all surprised if a network time lookup happens in Chrome to know the "real" time regardless of what the local time says. – Conor Mancone, 15 hours ago
5 Answers
Answer (score 39), answered yesterday by Mike Ounsworth, edited yesterday
You have a bunch of questions rolled in there.
"I guess NET::ERR_CERT_DATE_INVALID means that an HTTPS certificate is not valid."
Yes.
Here is the cert for help.ubuntu.com:
You'll notice that it has Valid From and Valid Until dates; if you try to access a site protected by this cert outside of these dates, your browser will complain. The reason certs expire is (among other reasons) to force webmasters to keep getting new certs using the latest crypto and other new security features in certificates.
When your browser is trying to decide if it trusts a certificate, it uses the system clock as the definitive source of truth for time. Sure, it'll try to use NTP, but if you (the admin user) have explicitly told it that the NTP servers are wrong, well, you're the boss.
"If an attacker can arbitrarily change the system time, which kinds of attacks does this allow?"
Let's consider personal computers and servers separately. I haven't done any research here, just off the top of my head.
Personal Computers
- Users often play games with their system clock to get around "30-day trial" type things. If you're the company whose software is being used illegally this way, then you would consider it a security issue.
- Spoofed websites. It's much easier to hack old expired certificates -- maybe it used 10 year old crypto that is easily cracked, or maybe the server was compromised 6 years ago but the CAs don't track revocation info for that long (idea credit: @immibis' answer). If an attacker can change your system clock then you won't see the warnings.
Servers
- Logging. When investigating a security breach, if your servers' clocks are out of sync, it can be very difficult to piece together all the logs to figure out exactly what happened and in what order.
- Logins. Things like OTP 2-factor authentication are usually time-based. If one server's clock is behind another server's, then you could watch someone enter an OTP code, then go use it against the server that's behind because that code won't have expired yet.
[3] Also, obviously, denial of service. If the server uses some third-party web services by HTTPS, the requests will start to fail just like the browser did above. – IMil, yesterday
[7] w.r.t. logins, not just OTP 2 factor auth is affected. Kerberos requires computers to be reasonably in sync ("to prevent replay attacks"). Windows domains, using Kerberos, for example, require computers to be within 5 minutes of each other (by default) or you can't get authorized on the domain. – davidbak, yesterday
[1] Another issue, brought up at this year's DEF CON, is the fact that someone may register a website that was previously registered and may even still have a valid certificate that the previous owner has access to. The expiry date ensures that this will not go on indefinitely. – forest, 13 hours ago
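The "Logins" bullet of the answer above, as an added example that is not part of the answer or of any project's code: an RFC 6238 TOTP verifier run against one server with a correct clock and one whose clock is 90 seconds behind, showing that a code observed at login is still accepted by the lagging server, and that either correcting that clock or having both servers consult one per-user "highest time step accepted" record (the never-accept-twice rule RFC 6238 section 5.2 requires) blocks the reuse. The secret is the RFC 4226 test key and the user, servers and timeline are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30   # RFC 6238 time step, seconds
DIGITS = 6
# Constructed demo secret: the RFC 4226 test key, not a real credential.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP)


class TotpVerifier:
    """A server-side verifier that trusts its own (possibly skewed) clock.

    clock_offset: seconds this server's clock differs from true time (negative = behind).
    tolerance:    steps either side of local 'now' that are accepted (drift allowance).
    used_steps:   optional dict shared by all servers, user -> highest step already accepted
                  (RFC 6238 section 5.2: an OTP must never be accepted twice).
    """

    def __init__(self, secret, clock_offset=0, tolerance=1, used_steps=None):
        self.secret = secret
        self.clock_offset = clock_offset
        self.tolerance = tolerance
        self.used_steps = used_steps

    def verify(self, user: str, code: str, true_time: int) -> bool:
        local_now = true_time + self.clock_offset      # what this server's clock says
        step_now = local_now // STEP
        for step in range(step_now - self.tolerance, step_now + self.tolerance + 1):
            if not hmac.compare_digest(hotp(self.secret, step), code):
                continue
            if self.used_steps is not None:
                if step <= self.used_steps.get(user, -1):
                    return False                       # replay of an already-used code
                self.used_steps[user] = step
            return True
        return False


def replay_scenario() -> dict:
    """Constructed timeline: alice logs in at true time 3000 (step 100); an observer
    retries her code 70 s later (step 102) against two servers of the same service."""
    t_login, t_replay = 3000, 3070
    code = totp(SECRET, t_login)

    # Server A keeps correct time; server B's clock is 90 s behind (it thinks it is step 99).
    server_a = TotpVerifier(SECRET)
    server_b = TotpVerifier(SECRET, clock_offset=-90)
    login_ok = server_a.verify("alice", code, t_login)
    replay_a = server_a.verify("alice", code, t_replay)   # step 100 is outside 101..103
    replay_b = server_b.verify("alice", code, t_replay)   # step 100 is inside 98..100

    # Mitigation 1: both servers consult one per-user "highest step accepted" record.
    shared = {}
    guarded_a = TotpVerifier(SECRET, used_steps=shared)
    guarded_b = TotpVerifier(SECRET, clock_offset=-90, used_steps=shared)
    guarded_a.verify("alice", code, t_login)
    replay_b_guarded = guarded_b.verify("alice", code, t_replay)

    # Mitigation 2: server B's clock is corrected (e.g. by NTP); the stale code fails there too.
    synced_b = TotpVerifier(SECRET, clock_offset=0)
    replay_b_synced = synced_b.verify("alice", code, t_replay)

    return {
        "login_ok": login_ok,
        "replay_on_synced_server": replay_a,
        "replay_on_lagging_server": replay_b,
        "replay_on_lagging_server_with_shared_guard": replay_b_guarded,
        "replay_after_clock_corrected": replay_b_synced,
    }


if __name__ == "__main__":
    for name, result in replay_scenario().items():
        print(f"{name}: {'ACCEPTED' if result else 'rejected'}")
```

The shared record matters because a guard kept only on the lagging server never sees the legitimate login on the other server and so has nothing to refuse.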
Answer (score 19), answered yesterday by immibis
One reason is that certificate revocation records are not kept after the certificate expires.
Suppose I stole Google's certificate 10 years ago. Google immediately noticed and revoked their certificate. Since the certificate expired some time in the last 10 years, the revocation entry was deleted. If I set your clock back 10 years to when it was valid, I can impersonate Google and your browser won't notice, because it won't know it was revoked.
It seems to me you describe the reverse of the question. OP shows when you change the local time, the browser accepts the change and acts accordingly. If anything, this behaviour makes the attack you describe possible; it does not seem to prevent it. – Suma, 1 hour ago
Answer (score 9)
Your question is broad, but if an attacker can change the local system clock, then they can poison the logs of their activity. That way, they can hide their activity to appear to have occurred sometime in the past (and maybe beyond the window in which the admins are looking for activity) or to coincide with other users' activity.
For example, if you break into a system in the middle of the night, you can set the clock to noon the previous day, do your activity, then set the clock back. Anyone inspecting the logs will assume the normal user did the activity (or not see it at all among the normal user's activity).
This is why setting your clock to be synced with an authoritative external source is important. That, and so that all logs from all sources can be properly correlated.
[1] This doesn't address why an out-of-sync clock is an issue in this particular case. – Austin Hemmelgarn, yesterday
It's a broad question and I tackled part of it. – schroeder♦, yesterday
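As an added illustration of the clock-poisoning scenario in this answer (not the answerer's code; the hostname, IP and log lines are constructed), a check a defender can run over a log file: it flags timestamps that run backwards or jump far forward relative to the previous line, flags messages that themselves record the clock being set, and reports the span of lines whose timestamps cannot be trusted. Inside that span the file order, not the timestamp, is the reliable sequence.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log (hostname, IP and times are made up). Line order is the true
# order in which the entries were written; the timestamps are whatever the clock said.
SAMPLE_LOG = """\
2018-08-14T02:13:05Z web1 sshd[1207]: Accepted publickey for deploy from 203.0.113.9 port 51022
2018-08-14T02:13:41Z web1 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/date -s 2018-08-13 12:00:00
2018-08-13T12:00:00Z web1 systemd[1]: Time has been changed
2018-08-13T12:00:12Z web1 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx
2018-08-13T12:01:30Z web1 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/date -s 2018-08-14 02:15:00
2018-08-14T02:15:00Z web1 systemd[1]: Time has been changed
2018-08-14T02:15:07Z web1 sshd[1207]: Disconnected from user deploy 203.0.113.9 port 51022
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s")
# Messages that directly record a clock change: systemd's notice and commands that cause one.
CLOCK_CHANGE_RE = re.compile(r"Time has been changed|\bdate -s\b|timedatectl set-time")


def parse_timestamp(line: str):
    """Return the line's UTC timestamp, or None if the line has no recognisable one."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def find_clock_anomalies(log_text: str, max_forward: timedelta = timedelta(hours=1)) -> list:
    """Walk the log in file order and report where the clock visibly misbehaved.

    backward_jump:      timestamp earlier than the previous line's (a running clock cannot do this)
    forward_jump:       timestamp more than max_forward after the previous line's (a hint only:
                        a quiet log or a suspended machine produces the same gap)
    clock_change_event: a message that itself records the clock being set
    """
    findings = []
    prev_ts = None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ts = parse_timestamp(line)
        if ts is None:
            continue
        if CLOCK_CHANGE_RE.search(line):
            findings.append({"line": lineno, "kind": "clock_change_event"})
        if prev_ts is not None:
            delta_s = int((ts - prev_ts).total_seconds())
            if delta_s < 0:
                findings.append({"line": lineno, "kind": "backward_jump", "delta_s": delta_s})
            elif ts - prev_ts > max_forward:
                findings.append({"line": lineno, "kind": "forward_jump", "delta_s": delta_s})
        prev_ts = ts
    return findings


def untrusted_spans(findings: list) -> list:
    """Lines from a backward jump up to the line before the next forward jump carry
    timestamps that cannot be trusted. Returns (first_line, last_line) pairs; last_line
    is None when the clock was never visibly set forward again."""
    spans, start = [], None
    for f in findings:
        if f["kind"] == "backward_jump" and start is None:
            start = f["line"]
        elif f["kind"] == "forward_jump" and start is not None:
            spans.append((start, f["line"] - 1))
            start = None
    if start is not None:
        spans.append((start, None))
    return spans


if __name__ == "__main__":
    found = find_clock_anomalies(SAMPLE_LOG)
    for f in found:
        print(f)
    print("untrusted line spans:", untrusted_spans(found))
```

Legitimate NTP step corrections and suspend/resume also produce jumps, so treat the findings as leads to correlate with the time daemon's own log rather than as proof of tampering.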
Answer (score 0)
Another (slightly convoluted) example of an attack against a computer with a lagging system clock is serving outdated DNS records from a zone secured with DNSSEC.
For example, if a client asked for the www.example.com address, the attacker could reply with a referral to his own DNS server and an (expired) proof of non-existence of a DS record for example.com from the time when example.com was not yet signed, and subsequently serve forged DNS records for anything in the example.com zone.
Answer (score -3)
It could be considered faking, and not having the computer clock always synced could have its advantages and disadvantages. Obvious ones are those already pointed out.
One advantage is that websites will not know your real date, although this falls more under privacy than security per se; normally privacy is considered part of security.
I don't know much about NTP enumeration, but it's used in pentesting, so it's a factor to take into account for security.
"The Network Time Protocol is a protocol for synchronizing time across your network, this is especially important when utilizing Directory Services. There exists a number of time servers throughout the world that can be used to keep systems synced to each other. NTP utilizes UDP port 123. Through NTP enumeration you can gather information such as lists of hosts connected to NTP server, IP addresses, system names, and OSs running on the client system in a network. All this information can be enumerated by querying NTP server." source: https://www.greycampus.com/opencampus/ethical-hacking/ntp-enumeration
[3] This answer lacks concrete details to be useful to me. What is a scenario where it does harm that websites don't know the local time on my machine? How is that a privacy issue? – Martin Thoma, yesterday
If you are using a VPN or proxy and your system is using a different time zone than what your IP should have, then any person would consider you are using a VPN or proxy. Most proxies and VPNs are not able to hide the time clock of your operating system by default, and websites can read that (therefore pointing to the place you live even if using a proxy/VPN, therefore breaking down your privacy). – Devuan User, yesterday
[1] NTP syncing is not "local time" - the 2 topics are about "time" but are otherwise unrelated. – schroeder♦, yesterday
[6] "One advantage is websites will not know your real date" — your real date is the same as everyone else's. We're in the same universe, and we have just the one agreed-upon time stream that we hold in common. Like space. (Exercise: I'm going to conceal how many dimensions I'm in right now, for security purposes. What? You guessed three? Darn it! How did you know?) – Wildcard, yesterday
[5] The NTP protocol only exchanges timestamps in UTC, no matter the settings of the client and server. So the most an NTP server might get is that the machine at a certain IP is out of sync by a certain period. Ironically, if it's consistently out of sync by a fixed period, the data can be used to track the machine even after an IP address change, compared to a regularly synced machine that will have a similar offset to other machines in the region. – Martheen, yesterday
 |Â
show 7 more comments
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
39
down vote
You have a bunch of questions rolled in there.
I guess NET::ERR_CERT_DATE_INVALID means that an HTTPs certificate is not valid.
Yes.
Here is the cert for help.ubuntu.com
:
You'll notice that it has Valid From and Valid Until dates; if you try to access a site protected by this cert outside of these dates, your browser will complain. The reason certs expire is (among other reasons) to force webmasters to keep getting new certs using the latest crypto and other new security features in certificates.
When your browser is trying to decide if it trusts a certificate, it uses the system clock as the definitive source of truth for time. Sure, it'll try to use NTP, but if you (the admin user) have explicitly told it that the NTP servers are wrong, well, you're the boss.
If an attacker can arbitrarily change the system time, which kinds of attacks allows this?
Let's consider personal computers and servers separately. I haven't done any research here, just off the top of my head.
Personal Computers
- Users often play games with their system clock to get around "30-day trial" type things. If you're the company whose software is being used illegally this way, then you would consider it a security issue.
- Spoofed websites. It's much easier to hack old expired certificates -- maybe it used 10 year old crypto that is easily cracked, or maybe the server was compromised 6 years ago but the CAs don't track revocation info for that long (idea credit: @immibis' answer). If an attacker can change your system clock then you won't see the warnings.
Servers
- Logging. When investigating a security breach, if your servers' clocks are out of sync, it can be very difficult to piece together all the logs to figure out exactly what happened and in what order.
- Logins. Things like OTP 2 factor authentication is usually time-based. If one server's clocks are behind a different server, then you could watch someone enter an OTP code, then go use it against the server that's behind because that code won't have expired yet.
3
Also, obviously, denial of service. If the server uses some third-party web services by HTTPS, the requests will start to fail just like the browser did above.
– IMil
yesterday
7
w.r.t. logins, not just OTP 2 factor auth is affected. Kerberos requires computers to be reasonably in sync ("to prevent replay attacks"). Windows domains, using Kerberos, for example, require computers to be within 5 minutes of each other (by default) or you can't get authorized on the domain.
– davidbak
yesterday
1
Another issue, brought up at this year's DEF CON, is the fact that someone may register a website that was previously registered and may even still have a valid certificate that the previous owner has access to. The expiry date ensures that this will not go on indefinitely.
– forest
13 hours ago
add a comment |Â
up vote
39
down vote
You have a bunch of questions rolled in there.
I guess NET::ERR_CERT_DATE_INVALID means that an HTTPs certificate is not valid.
Yes.
Here is the cert for help.ubuntu.com
:
You'll notice that it has Valid From and Valid Until dates; if you try to access a site protected by this cert outside of these dates, your browser will complain. The reason certs expire is (among other reasons) to force webmasters to keep getting new certs using the latest crypto and other new security features in certificates.
When your browser is trying to decide if it trusts a certificate, it uses the system clock as the definitive source of truth for time. Sure, it'll try to use NTP, but if you (the admin user) have explicitly told it that the NTP servers are wrong, well, you're the boss.
If an attacker can arbitrarily change the system time, which kinds of attacks allows this?
Let's consider personal computers and servers separately. I haven't done any research here, just off the top of my head.
Personal Computers
- Users often play games with their system clock to get around "30-day trial" type things. If you're the company whose software is being used illegally this way, then you would consider it a security issue.
- Spoofed websites. It's much easier to hack old expired certificates -- maybe it used 10 year old crypto that is easily cracked, or maybe the server was compromised 6 years ago but the CAs don't track revocation info for that long (idea credit: @immibis' answer). If an attacker can change your system clock then you won't see the warnings.
Servers
- Logging. When investigating a security breach, if your servers' clocks are out of sync, it can be very difficult to piece together all the logs to figure out exactly what happened and in what order.
- Logins. Things like OTP 2 factor authentication is usually time-based. If one server's clocks are behind a different server, then you could watch someone enter an OTP code, then go use it against the server that's behind because that code won't have expired yet.
3
Also, obviously, denial of service. If the server uses some third-party web services by HTTPS, the requests will start to fail just like the browser did above.
– IMil
yesterday
7
w.r.t. logins, not just OTP 2 factor auth is affected. Kerberos requires computers to be reasonably in sync ("to prevent replay attacks"). Windows domains, using Kerberos, for example, require computers to be within 5 minutes of each other (by default) or you can't get authorized on the domain.
– davidbak
yesterday
1
Another issue, brought up at this year's DEF CON, is the fact that someone may register a website that was previously registered and may even still have a valid certificate that the previous owner has access to. The expiry date ensures that this will not go on indefinitely.
– forest
13 hours ago
add a comment |Â
up vote
39
down vote
up vote
39
down vote
You have a bunch of questions rolled in there.
I guess NET::ERR_CERT_DATE_INVALID means that an HTTPs certificate is not valid.
Yes.
Here is the cert for help.ubuntu.com
:
You'll notice that it has Valid From and Valid Until dates; if you try to access a site protected by this cert outside of these dates, your browser will complain. The reason certs expire is (among other reasons) to force webmasters to keep getting new certs using the latest crypto and other new security features in certificates.
When your browser is trying to decide if it trusts a certificate, it uses the system clock as the definitive source of truth for time. Sure, it'll try to use NTP, but if you (the admin user) have explicitly told it that the NTP servers are wrong, well, you're the boss.
If an attacker can arbitrarily change the system time, which kinds of attacks allows this?
Let's consider personal computers and servers separately. I haven't done any research here, just off the top of my head.
Personal Computers
- Users often play games with their system clock to get around "30-day trial" type things. If you're the company whose software is being used illegally this way, then you would consider it a security issue.
- Spoofed websites. It's much easier to hack old expired certificates -- maybe it used 10 year old crypto that is easily cracked, or maybe the server was compromised 6 years ago but the CAs don't track revocation info for that long (idea credit: @immibis' answer). If an attacker can change your system clock then you won't see the warnings.
Servers
- Logging. When investigating a security breach, if your servers' clocks are out of sync, it can be very difficult to piece together all the logs to figure out exactly what happened and in what order.
- Logins. Things like OTP 2 factor authentication is usually time-based. If one server's clocks are behind a different server, then you could watch someone enter an OTP code, then go use it against the server that's behind because that code won't have expired yet.
You have a bunch of questions rolled in there.
I guess NET::ERR_CERT_DATE_INVALID means that an HTTPs certificate is not valid.
Yes.
Here is the cert for help.ubuntu.com
:
You'll notice that it has Valid From and Valid Until dates; if you try to access a site protected by this cert outside of these dates, your browser will complain. The reason certs expire is (among other reasons) to force webmasters to keep getting new certs using the latest crypto and other new security features in certificates.
When your browser is trying to decide if it trusts a certificate, it uses the system clock as the definitive source of truth for time. Sure, it'll try to use NTP, but if you (the admin user) have explicitly told it that the NTP servers are wrong, well, you're the boss.
If an attacker can arbitrarily change the system time, which kinds of attacks allows this?
Let's consider personal computers and servers separately. I haven't done any research here, just off the top of my head.
Personal Computers
- Users often play games with their system clock to get around "30-day trial" type things. If you're the company whose software is being used illegally this way, then you would consider it a security issue.
- Spoofed websites. It's much easier to hack old expired certificates -- maybe it used 10 year old crypto that is easily cracked, or maybe the server was compromised 6 years ago but the CAs don't track revocation info for that long (idea credit: @immibis' answer). If an attacker can change your system clock then you won't see the warnings.
Servers
- Logging. When investigating a security breach, if your servers' clocks are out of sync, it can be very difficult to piece together all the logs to figure out exactly what happened and in what order.
- Logins. Things like OTP 2 factor authentication is usually time-based. If one server's clocks are behind a different server, then you could watch someone enter an OTP code, then go use it against the server that's behind because that code won't have expired yet.
edited yesterday
answered yesterday


Mike Ounsworth
35.6k1385128
35.6k1385128
3
Also, obviously, denial of service. If the server uses some third-party web services by HTTPS, the requests will start to fail just like the browser did above.
– IMil
yesterday
7
w.r.t. logins, not just OTP 2 factor auth is affected. Kerberos requires computers to be reasonably in sync ("to prevent replay attacks"). Windows domains, using Kerberos, for example, require computers to be within 5 minutes of each other (by default) or you can't get authorized on the domain.
– davidbak
yesterday
1
Another issue, brought up at this year's DEF CON, is the fact that someone may register a website that was previously registered and may even still have a valid certificate that the previous owner has access to. The expiry date ensures that this will not go on indefinitely.
– forest
13 hours ago
add a comment |Â
3
Also, obviously, denial of service. If the server uses some third-party web services by HTTPS, the requests will start to fail just like the browser did above.
– IMil
yesterday
7
w.r.t. logins, not just OTP 2 factor auth is affected. Kerberos requires computers to be reasonably in sync ("to prevent replay attacks"). Windows domains, using Kerberos, for example, require computers to be within 5 minutes of each other (by default) or you can't get authorized on the domain.
– davidbak
yesterday
1
Another issue, brought up at this year's DEF CON, is the fact that someone may register a website that was previously registered and may even still have a valid certificate that the previous owner has access to. The expiry date ensures that this will not go on indefinitely.
– forest
13 hours ago
3
3
Also, obviously, denial of service. If the server uses some third-party web services by HTTPS, the requests will start to fail just like the browser did above.
– IMil
yesterday
Also, obviously, denial of service. If the server uses some third-party web services by HTTPS, the requests will start to fail just like the browser did above.
– IMil
yesterday
7
7
w.r.t. logins, not just OTP 2 factor auth is affected. Kerberos requires computers to be reasonably in sync ("to prevent replay attacks"). Windows domains, using Kerberos, for example, require computers to be within 5 minutes of each other (by default) or you can't get authorized on the domain.
– davidbak
yesterday
w.r.t. logins, not just OTP 2 factor auth is affected. Kerberos requires computers to be reasonably in sync ("to prevent replay attacks"). Windows domains, using Kerberos, for example, require computers to be within 5 minutes of each other (by default) or you can't get authorized on the domain.
– davidbak
yesterday
1
1
Another issue, brought up at this year's DEF CON, is the fact that someone may register a website that was previously registered and may even still have a valid certificate that the previous owner has access to. The expiry date ensures that this will not go on indefinitely.
– forest
13 hours ago
Another issue, brought up at this year's DEF CON, is the fact that someone may register a website that was previously registered and may even still have a valid certificate that the previous owner has access to. The expiry date ensures that this will not go on indefinitely.
– forest
13 hours ago
add a comment |Â
up vote
19
down vote
One reason is that certificate revocation records are not kept after the certificate expires.
Suppose I stole Google's certificate 10 years ago. Google immediately noticed and revoked their certificate. Since the certificate expired some time in the last 10 years, the revocation entry was deleted. If I set your clock back 10 years to when it was valid, I can impersonate Google and your browser won't notice, because it won't know it was revoked.
answered yesterday
immibis
It seems to me you describe the reverse of the question. OP shows that when you change the local time, the browser accepts the change and acts accordingly. If anything, this behaviour makes the attack you describe possible; it does not seem to prevent it.
– Suma
1 hour ago
up vote
9
down vote
Your question is broad, but if an attacker can change the local system clock, then they can poison the logs of their activity. That way, they can hide their activity to appear to have occurred sometime in the past (and maybe beyond the window in which the admins are looking for activity) or to coincide with other users' activity.
For example, if you break into a system in the middle of the night, you can set the clock to noon the previous day, do your activity, then set the clock back. Anyone inspecting the logs will assume the normal user did the activity (or not see it at all among the normal user's activity).
This is why setting your clock to be synced with an authoritative external source is important. That, and so that all logs from all sources can be properly correlated.
answered yesterday
schroeder♦
1
This doesn't address why an out of sync clock is an issue in this particular case.
– Austin Hemmelgarn
yesterday
It's a broad question and I tackled part of it.
– schroeder♦
yesterday
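A detection-side counterpart to the log-poisoning scenario in this answer, added here as an example (not code from the answer): it walks a local log file and flags the run of entries written while the clock had been wound back. The log lines, host name and the year (classic syslog timestamps omit it) are constructed for the example.

```python
"""Flag log entries written while the system clock was wound back.

Added example, not from the answer.  A window opens when a timestamp
falls more than `tolerance` behind the latest timestamp already seen
(small negative steps are normal NTP slews or steps) and closes once the
timestamps catch up with that high-water mark again.
"""
import re
from datetime import datetime, timedelta

# Classic syslog prefix: "Mon DD HH:MM:SS" followed by the message.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")

# Constructed sample (not a real log): an intruder logged in at 02:13
# rewinds the clock to noon the previous day, works under "bob"'s
# timeline, then restores the clock before disconnecting.
SAMPLE_LOG = """\
Sep 10 02:13:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50322
Sep 10 02:13:05 host sudo:    alice : TTY=pts/0 ; COMMAND=/bin/systemctl status sshd
Sep 09 12:00:02 host sshd[1340]: Accepted password for bob from 10.0.0.9 port 51010
Sep 09 12:00:30 host sudo:      bob : TTY=pts/1 ; COMMAND=/usr/bin/vi /etc/hosts
Sep 09 12:01:14 host sshd[1340]: Disconnected from user bob 10.0.0.9 port 51010
Sep 10 02:17:40 host sshd[1201]: Disconnected from user alice 10.0.0.5 port 50322
"""


def parse_ts(line, year):
    """Return (datetime, message) for a syslog line, or (None, line) if unparsable."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None, line
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("rest")


def find_clock_rollbacks(log_text, year, tolerance=timedelta(seconds=60)):
    """Return (line_number, line) pairs that were logged while the clock was behind."""
    flagged = []
    high_water = None   # latest timestamp seen so far
    in_window = False   # currently inside a rolled-back stretch
    for n, line in enumerate(log_text.splitlines(), start=1):
        ts, _ = parse_ts(line, year)
        if ts is None:
            continue
        if high_water is None:
            high_water = ts
            continue
        if ts < high_water - tolerance:
            in_window = True          # clock jumped backwards
        elif ts >= high_water:
            in_window = False         # caught up again
            high_water = ts
        if in_window:
            flagged.append((n, line))
    return flagged


if __name__ == "__main__":
    for n, line in find_clock_rollbacks(SAMPLE_LOG, 2018):
        print(f"line {n}: {line}")
```

On a real deployment the stronger check is to compare each entry against the receiving collector's own arrival timestamp; this local-only pass is what you can still run on the file itself.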
up vote
0
down vote
Another (slightly convoluted) example of an attack against a computer with lagging system time is serving outdated DNS records from a zone secured with DNSSEC.
For example, if a client asked for the www.example.com address, the attacker could reply with a referral to his own DNS server and an (expired) proof of non-existence of a DS record for example.com from the time when example.com was not yet signed, and subsequently serve forged DNS records for anything in the example.com zone.
answered 18 hours ago
Edheldil
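Added example (not code from either answer) tying the two time-window attacks together: a revoked-then-expired certificate replayed against a clock set back ten years, and a stale DNSSEC proof of non-existence presented to a lagging clock, both pass a naive notBefore/notAfter or inception/expiration comparison. The clock-plausibility bounds below (a build timestamp as a trusted lower bound, a ten-year cap on how far past expiry is believable) are this example's own assumptions, not a documented browser or resolver rule.

```python
"""Validity-window checks that also sanity-check the local clock.

Added example: X.509 certificates carry notBefore/notAfter and DNSSEC
RRSIGs carry inception/expiration, but both checks are only as good as
the clock they are compared against.  BUILD_TIME and MAX_EXPIRED_AGE
are this example's own assumptions, not a documented browser or
resolver rule.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Assumption: the validator knows when it was built.  The real "now" can
# never be earlier than that, so a clock wound back before it (to make a
# revoked-then-expired certificate or a stale DNSSEC proof look current)
# is rejected before the window is even consulted.
BUILD_TIME = datetime(2018, 9, 1, tzinfo=UTC)

# Beyond this much past expiry we assume the clock is ahead (the OP's
# year-2218 experiment) rather than that the artefact merely expired.
MAX_EXPIRED_AGE = timedelta(days=10 * 365)


def parse_x509_time(text):
    """ASN.1 GeneralizedTime as printed in certificates, e.g. 20281231235959Z."""
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def parse_rrsig_time(text):
    """RRSIG inception/expiration in RFC 4034 presentation form: YYYYMMDDHHmmSS."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def check_window(not_before, not_after, now,
                 build_time=BUILD_TIME, max_expired_age=MAX_EXPIRED_AGE):
    """Classify a validity window against the local clock.

    Returns "valid", "not-yet-valid", "expired", "clock-behind" or
    "clock-ahead".  Either "clock-*" result means the local time itself
    is implausible, so the artefact must not be trusted in either direction.
    """
    if now < build_time:
        return "clock-behind"
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        if now - not_after > max_expired_age:
            return "clock-ahead"
        return "expired"
    return "valid"


def demo():
    """Run the constructed scenarios from the answers; returns a dict of verdicts."""
    results = {}
    # Constructed certificate window: think of the stolen, revoked and
    # long-expired certificate from the first answer.
    nb = parse_x509_time("20080101000000Z")
    na = parse_x509_time("20100101000000Z")
    results["cert-honest-clock"] = check_window(nb, na, datetime(2018, 9, 2, tzinfo=UTC))
    # Clock wound back 10 years: the window would match, but the clock is
    # earlier than the validator was built.
    results["cert-clock-rolled-back"] = check_window(nb, na, datetime(2008, 9, 2, tzinfo=UTC))
    # Clock 200 years ahead: expired by far more than MAX_EXPIRED_AGE.
    results["cert-clock-far-ahead"] = check_window(nb, na, datetime(2218, 9, 2, tzinfo=UTC))
    # Constructed RRSIG window over an old "no DS record for example.com"
    # proof, signed for one month in 2015 (the DNSSEC answer's scenario).
    inc = parse_rrsig_time("20150101000000")
    exp = parse_rrsig_time("20150201000000")
    results["rrsig-lagging-clock"] = check_window(inc, exp, datetime(2015, 1, 15, tzinfo=UTC))
    results["rrsig-honest-clock"] = check_window(inc, exp, datetime(2018, 9, 2, tzinfo=UTC))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```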
up vote
-3
down vote
It could be considered faking, and not having the computer clock synced always could have its advantages and disadvantages. Obvious ones are those already pointed out.
One advantage is websites will not know your real date, although this would enter more into privacy than security per se; normally privacy is considered part of security.
I don't know much about NTP enumeration, but it's used in pentesting, so it's a factor to take into account for security.
"The Network Time Protocol is a protocol for synchronizing time across your network, this is especially important when utilizing Directory Services. There exists a number of time servers throughout the world that can be used to keep systems synced to each other. NTP utilizes UDP port 123. Through NTP enumeration you can gather information such as lists of hosts connected to NTP server, IP addresses, system names, and OSs running on the client system in a network. All this information can be enumerated by querying NTP server." source: "https://www.greycampus.com/opencampus/ethical-hacking/ntp-enumeration"
edited yesterday
answered yesterday
Devuan User
3
This answer lacks concrete details to be useful to me. What is a scenario where it does harm that websites don't know the local time on my machine? How is that a privacy issue?
– Martin Thoma
yesterday
If you are using a VPN or proxy and your system is using a different time zone than what your IP should have... then any person would consider you are using a VPN or proxy. Most proxies and VPNs are not able to hide the clock of your operating system by default, and websites can read that (therefore pointing to the place you live even if using a proxy/VPN, therefore breaking down your privacy).
– Devuan User
yesterday
1
NTP syncing is not "local time" - the 2 topics are about "time" but are otherwise unrelated.
– schroeder♦
yesterday
6
"One advantage is websites will not know your real date" — your real date is the same as everyone else's. We're in the same universe, and we have just the one agreed-upon time stream that we hold in common. Like space. (Exercise: I'm going to conceal how many dimensions I'm in right now, for security purposes. What? You guessed three? Darn it! How did you know?)
– Wildcard
yesterday
5
The NTP protocol only exchanges timestamps in UTC, no matter the settings of the client & server. So the most an NTP server might get is that the machine at a certain IP is off-sync by a certain period. Ironically, if it's consistently out-of-sync by a fixed period, the data can be used to track the machine even after an IP address change, compared to a regularly synced machine that will have a similar offset to other machines in the region.
– Martheen
yesterday
25
"if chrome knows the correct time, why doesn't it take this for comparing?" - I don't know how it's checking that, but 200 years in the future is rather obviously incorrect. It's possible to know that something is incorrect without knowing what the correct data actually is.
– AndrolGenhald
yesterday
1
Probably chrome does not know the correct time, but knows that the certificate validity is way out of range.
– allo
22 hours ago
2
@Acccumulation As I said, I've not bothered to check how it's implemented. Could be if it sees a certificate that expired more than 10 years ago it just assumes your clock is wrong.
– AndrolGenhald
18 hours ago
1
@Acccumulation It could be based on the current version's release date as well.
– IllusiveBrian
16 hours ago
2
@AndrolGenhald I would guess that Chrome itself has a time lookup with its own time servers built in. I'm sure it uses the local time, but I wouldn't be at all surprised if a network time lookup happens in Chrome to know the "real" time regardless of what the local time says.
– Conor Mancone
15 hours ago