Insecure time synchronization and leaking time data make a variety of attacks possible. They are a subset of advanced deanonymization attacks. Vectors and mitigations are described below.
Replay Attacks
Replaying older time allows:
- Feeding old Tor consensus.
- Feeding old/outdated/known-vulnerable updates and (HTTPS) certificates. Cryptographic verification depends on the system clock: a clock two years in the past will accept certificates/updates that have been expired or revoked for two years.
Remote Device Fingerprinting
- Clock leaks from software on the host and clock leaks from application-level protocols on Whonix-Workstation allow a passive adversary to easily link the anonymous and non-anonymous traffic to the same machine. Active clock skew attacks can trivially be mounted to deanonymize users.
Denial of Service
- The UDP-based NTP protocol can be abused to send replies much larger than the requests that trigger them, which can overwhelm a system. These are known as amplification attacks.
Locating Onion Services
- Timers can leak data about CPU activity, and under some circumstances that activity data allows deanonymization of an Onion Service.
Remote Code Execution
- NTP is a buggy and ancient protocol. Flaws in NTP clients can be remotely exploited to give an attacker control over the system. Because NTP is unencrypted and unauthenticated, this is trivial for network adversaries of any size.
Certain properties of protocols leak clock information.
- NTP clients: Leak host time. Expose the system to all the types of attacks listed above.
- TCP Timestamps: Leak system information down to the millisecond. Leak system uptime. Allow fingerprinting of devices behind a router. Included in every TCP packet. 
- ICMP Timestamps: Leak host time in query replies.
- TCP Initial Sequence Numbers (ISNs): Even without fully leaking the host's clock, timers can be sources of side-channel attacks because they leak sensitive information about a system's CPU activity. This information is leaked in any traffic sent over the clearnet and can be linked to maliciously induced load patterns on an Onion Site, leading to deanonymization.
- Application-level traffic: Unlike privacy software developed by the Tor Project, internet-facing applications can leak clock information in their traffic, for example JavaScript in browsers and timestamps in emails.
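To make the TCP and ICMP timestamp leaks above concrete, here is an added example (not code from the Whonix project) that decodes what an observer sees on the wire: the TCP timestamp option (kind 8) carried in every segment when tcp_timestamps=1, and the three wall-clock fields of an ICMP Timestamp Reply (type 14). The packets are constructed inline; the header builder and the sample values are assumptions, not captures.

```python
import struct
from datetime import timedelta

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_TIMESTAMP, ICMP_TIMESTAMP_REPLY = 0, 1, 8, 14

def parse_tcp_options(tcp_header: bytes) -> dict:
    """Return {option kind: option data} for the options in a raw TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    opts, i = {}, 20
    while i < data_offset and tcp_header[i] != TCPOPT_EOL:
        kind = tcp_header[i]
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:  # malformed option: stop, never overread
            break
        opts[kind] = tcp_header[i + 2:i + length]
        i += length
    return opts

def tcp_timestamp_leak(tcp_header: bytes):
    """(TSval, TSecr) if the segment carries the TCP timestamp option, else None.
    TSval is a counter ticking at a fixed host-specific rate; with tcp_timestamps=0 it is absent."""
    opt = parse_tcp_options(tcp_header).get(TCPOPT_TIMESTAMP)
    if opt is None or len(opt) != 8:
        return None
    return struct.unpack("!II", opt)

def parse_icmp_timestamp_reply(icmp: bytes):
    """Decode an ICMP Timestamp Reply (type 14): three fields of milliseconds
    since midnight UTC, i.e. the replying host's wall clock, rendered as HH:MM:SS."""
    if len(icmp) < 20 or icmp[0] != ICMP_TIMESTAMP_REPLY:
        return None
    _t, _c, _csum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", icmp[:20])
    clock = [str(timedelta(milliseconds=v)) for v in (orig, recv, xmit)]
    return {"id": ident, "seq": seq, "originate": clock[0], "receive": clock[1], "transmit": clock[2]}

def build_tcp_header(options: bytes) -> bytes:
    """Constructed sample: a SYN header carrying `options` (padded to a 4-byte boundary)."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, 0x02, 65535, 0, 0) + options

# Constructed samples: timestamps on (NOP NOP + kind 8 len 10) vs. off (MSS option only)
SYN_WITH_TS = build_tcp_header(b"\x01\x01\x08\x0a" + struct.pack("!II", 123456789, 0))
SYN_NO_TS = build_tcp_header(b"\x02\x04\x05\xb4")
# Constructed ICMP timestamp reply whose three stamps sit around 12:34:56 UTC
ICMP_REPLY = struct.pack("!BBHHHIII", 14, 0, 0, 0x1234, 1, 45296000, 45296120, 45296125)
```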
It is possible and practical to block all the clock leak vectors listed above. It is highly recommended that users needing a very high level of security, and those running Onion Services, apply these measures.
On a GNU/Linux Host:
- Uninstall any NTP clients and disable systemd's timedatectl NTP synchronization feature.
- Disable TCP Timestamps via kernel sysctl. Note that this boolean disables them for both IPv4 and IPv6; both are controlled by the same sysctl option.
You need to add the following line to /etc/sysctl.conf or /etc/sysctl.d/tcp_timestamps.conf:
net.ipv4.tcp_timestamps = 0
To do that, you could use the following command.
echo "net.ipv4.tcp_timestamps = 0" > /etc/sysctl.d/tcp_timestamps.conf
To apply the sysctl settings without reboot, run the following command.
Check if it is really set.
- Block incoming ICMP messages (and any traffic in general) with iptables or any of its frontends.
- TCP Initial Sequence Numbers mitigation.
The artificially induced CPU load raises the temperature, which influences the timer crystal and skews its frequency. TCP ISNs are not going anywhere and are necessary from a security standpoint to prevent arbitrary TCP connection hijacking by non-global network adversaries. The proposed mitigation is removing the timer output function from Linux's TCP ISN code.
- Application-level mitigation.
For application-level leak mitigation avoid sending any clearnet traffic. Without clock information leaking from the host, network adversaries have no non-anonymous timestamp sources to match this data with even when software on Whonix-Workstation misbehaves.
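The TCP timestamp step above has two failure modes worth checking: the drop-in file exists but was never applied (the kernel still reports 1 until `sysctl --system` or a reboot), or the value is 0 now but nothing persists it. The following added example (not part of the page or of Whonix) audits both. It assumes a simplified load order of /etc/sysctl.d/*.conf followed by /etc/sysctl.conf, last assignment winning; the sample file contents are constructed.

```python
from pathlib import Path

KEY = "net.ipv4.tcp_timestamps"

def parse_sysctl_conf(text: str) -> dict:
    """Parse sysctl.conf syntax: lines starting with '#' or ';' are comments,
    settings are 'key = value', and a leading '-' means 'ignore errors' for
    that key. Keys written with '/' separators are normalised to dots (simplified)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lstrip("-").replace("/", ".")] = value
    return settings

def effective_setting(files, key=KEY):
    """`files` is a list of (name, text) in load order; the last assignment wins."""
    value, source = None, None
    for name, text in files:
        found = parse_sysctl_conf(text).get(key)
        if found is not None:
            value, source = found, name
    return value, source

def audit(files, runtime_value: str, key=KEY):
    """Compare the persisted configuration with the value the kernel is using
    (contents of /proc/sys/net/ipv4/tcp_timestamps). Returns (status, detail)."""
    configured, source = effective_setting(files, key)
    running = runtime_value.strip()
    if running == "0" and configured == "0":
        return "OK", f"{key}=0 is active and persisted in {source}"
    if running == "0":
        return "NOT PERSISTENT", f"{key}=0 is active now but no config file sets it; it reverts on reboot"
    if configured == "0":
        return "NOT APPLIED", f"{source} sets {key}=0 but the kernel reports {running!r}; run 'sysctl --system'"
    return "LEAKING", f"{key} is {running!r} at runtime and {configured!r} in config ({source or 'unset'})"

def audit_host():
    """Live check of this machine; needs read access to /etc and /proc.
    Assumption: only /etc/sysctl.d and /etc/sysctl.conf are consulted."""
    paths = sorted(Path("/etc/sysctl.d").glob("*.conf")) + [Path("/etc/sysctl.conf")]
    files = [(str(p), p.read_text()) for p in paths if p.is_file()]
    return audit(files, Path("/proc/sys/net/ipv4/tcp_timestamps").read_text())

# Constructed sample: the page's drop-in file plus an unrelated file that loads before it
SAMPLE_FILES = [("/etc/sysctl.d/10-network.conf", "# hardening\nnet.ipv4.ip_forward = 0\n"),
                ("/etc/sysctl.d/tcp_timestamps.conf", "net.ipv4.tcp_timestamps = 0\n")]
```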
Whonix Solutions and Limitations
Whonix implements a secure time synchronization mechanism called sdwdate to replace NTP; sdwdate-gui is its GUI front-end. It was written with safety in mind and to avoid the many security pitfalls in NTP. NTP is also UDP-based and cannot work over Tor. Onion Services must have an accurate clock to be reachable.
Sdwdate fetches its time exclusively from reputable sources (whistle-blowing and privacy-friendly onion sites) that are highly likely to be hosted on different hardware, all while benefiting from Tor's end-to-end encryption.
Sdwdate can only protect against passive timestamp linking of data leaking from both the host and Whonix-Workstation; it cannot defend against an active attacker who compromises Whonix-Workstation (a clock correlation attack). Such an attacker will be able to see the host clock when the VM is rebooted and link those time readings with host clock leaks. The only way to prevent this attack and many others is to stop the leaks.
- See Tor Browser upstream bug #3059 for the types of application-level leaks that happen: Find some way to deal with time-based fingerprints.