Opened 4 years ago

Closed 4 years ago

#17188 closed enhancement (fixed)

Tor should warn users when traveling backwards through time

Reported by: hdevalence
Owned by:
Priority: Very Low
Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: security, 028-triaged, easy
Cc:
Actual Points:
Parent ID:
Points: small
Reviewer:
Sponsor:

Description

An attacker can do evil things by rewinding a user's clock, without having to own their machine (e.g., NTP attacks).

Tor maintains a monotonic clock to prevent rewinding attacks while Tor is running. Tor also keeps some persistent information about the user's time in the state file, in the LastWritten field.

On launch, if Tor sees that the system time has been rewound to before the LastWritten time, it should warn the user that something strange is happening. However, Tor should not update the monotonic clock or fail to launch, since the user may have changed the time deliberately.
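
The startup check described above, as an added example in C (not code from Tor or from the branch linked in this ticket). It assumes the state file stores the field as a line of the form `LastWritten YYYY-MM-DD HH:MM:SS` in UTC; the function names are hypothetical, and the warning text is the wording proposed in comment 6 of this ticket.

```c
/* Added illustration, not Tor's code: startup check for a rewound clock. */
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Days since 1970-01-01 for a Gregorian date (avoids non-standard timegm). */
static long long days_from_civil(int y, int m, int d) {
  y -= m <= 2;
  long long era = (y >= 0 ? y : y - 399) / 400;
  long long yoe = y - era * 400;
  long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
  return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse the assumed "LastWritten YYYY-MM-DD HH:MM:SS" (UTC) line format. */
int parse_last_written(const char *line, long long *out) {
  int Y, M, D, h, m, s;
  if (strncmp(line, "LastWritten ", 12) != 0 ||
      sscanf(line + 12, "%4d-%2d-%2d %2d:%2d:%2d", &Y, &M, &D, &h, &m, &s) != 6)
    return -1;
  if (M < 1 || M > 12 || D < 1 || D > 31 || h < 0 || h > 23 ||
      m < 0 || m > 59 || s < 0 || s > 60)
    return -1;
  *out = days_from_civil(Y, M, D) * 86400LL + h * 3600 + m * 60 + s;
  return 0;
}

static void fmt_utc(long long t, char *buf, size_t len) {
  time_t tt = (time_t)t;
  struct tm *tm = gmtime(&tt);
  if (!tm || !strftime(buf, len, "%Y-%m-%d %H:%M:%S", tm))
    snprintf(buf, len, "(unprintable)");
}

/* Returns 1 and fills msg if `now` is earlier than the saved time, 0 if not,
 * -1 if the line is unusable. The caller only logs msg and keeps starting. */
int check_clock_rewind(const char *state_line, long long now, char *msg, size_t len) {
  long long last;
  char now_str[32], last_str[32];
  if (parse_last_written(state_line, &last) < 0) return -1;
  if (now >= last) return 0;
  fmt_utc(now, now_str, sizeof now_str);
  fmt_utc(last, last_str, sizeof last_str);
  snprintf(msg, len, "Your system clock has been set back in time. "
           "Tor needs an accurate clock to know when the consensus "
           "expires. You might have an empty clock battery or bad NTP "
           "server. Clock time is %s, state file time is %s.",
           now_str, last_str);
  return 1;
}
```

The return value is advisory only: a result of 1 produces a log line and nothing else, matching the requirement that Tor neither refuses to launch nor adjusts its monotonic clock.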

Change History (14)

comment:1 Changed 4 years ago by teor

Milestone: Tor: 0.2.8.x-final
Status: new → needs_review

See my branch warn-when-time-goes-backwards on https://github.com/teor2345/tor.git

comment:2 Changed 4 years ago by elypter

It's a good idea if the user is informed that this may be caused by an empty BIOS battery.

comment:3 Changed 4 years ago by nickm

Keywords: 028-triaged added

comment:4 Changed 4 years ago by teor

I'm happy to change the warning message, but it's quite long already. Do you have a suggestion for the text we should use?

The current text is:

      log_warn(LD_GENERAL, "Your system clock has been set back in time. "
               "Tor needs an accurate clock to know when the consensus "
               "expires. Clock time is %s, state file time is %s.",
               now_str, last_written_str);

comment:5 Changed 4 years ago by elypter

I couldn't think of anything to leave out without reducing information.
"Your clock goes wrong. Tor needs an accurate clock. Clock time is %s, state file time is %s." is shorter but much less precise. I'd prefer the original one.
This is the text I would add if it doesn't get too long: "Reasons can be an empty BIOS battery or a malicious NTP server."
There are many other reasons, but I think those are the most useful ones. The malicious NTP server could unnecessarily scare people; however, if it's actually happening, it's very important for the user to know that time is a security-relevant topic.

comment:6 Changed 4 years ago by teor

How about:

      log_warn(LD_GENERAL, "Your system clock has been set back in time. "
               "Tor needs an accurate clock to know when the consensus "
               "expires. You might have an empty clock battery or bad NTP "
               "server. Clock time is %s, state file time is %s.",
               now_str, last_written_str);

(I simplified the language a little.)

comment:7 Changed 4 years ago by elypter

Yeah, that sounds good.

comment:8 Changed 4 years ago by teor

Added a fixup commit to warn-when-time-goes-backwards on https://github.com/teor2345/tor.git

comment:9 Changed 4 years ago by nickm

Points: small

comment:10 Changed 4 years ago by nickm

(tvdw and weasel say this is a good idea.)

comment:11 Changed 4 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Merged it!

comment:12 Changed 4 years ago by teor

Keywords: easy added
Priority: normal → trivial
Resolution: implemented
Status: closed → reopened

Now that I've read connection_dir_client_reached_eof(), where we also warn about inaccurate clocks, I think it would be nice to make both messages consistent.

We could also refactor the message generation so that it's in a common function.

Here's the current code from connection_dir_client_reached_eof():

      log_fn(trusted ? LOG_WARN : LOG_INFO,
             LD_HTTP,
             "Received directory with skewed time (server '%s:%d'): "
             "It seems that our clock is %s by %s, or that theirs is %s. "
             "Tor requires an accurate clock to work: please check your time, "
             "timezone, and date settings.",
             conn->base_.address, conn->base_.port,
             delta>0 ? "ahead" : "behind", dbuf,
             delta>0 ? "behind" : "ahead");

comment:13 Changed 4 years ago by teor

Severity: Normal

This ticket now involves refactoring common message generation code out of connection_dir_client_reached_eof and or_state_load.

comment:14 Changed 4 years ago by teor

Resolution: fixed
Status: reopened → closed

Closed in favour of the new ticket #17739.
