undefined | Better HN

0 pointsjrockway9y ago0 comments

NTP doesn't cryptographically verify the time. All you do is have your router redirect these NTP requests to your own server, which is set to serve the wrong time.

Ironically, part of an HTTPS handshake involves sharing the server time in a cryptographically-verifiable manner. I am not sure why they don't use that! https://github.com/ioerror/tlsdate

0 comments

4 comments · 2 top-level

viraptor9y ago· 2 in thread

That only works for current TLS. Version 1.3 makes sending the server date optional.

Dylan168079y ago

Optional, but does anyone turn it off? They control their own servers, anyway.

viraptor9y ago

Optional for the implementations. So basically your ssl library is unlikely to do it. And at that point having a "getTime()" API call in your service is simpler than having a custom patched SSL implementation.

1 more reply

brainfire9y ago

Well, I didn't say it was a good way ;)

j / k navigate · click thread line to collapse