NTP/htpdate and other servers

[deleted]

I'd like to ask to add a possibility to:
a) Block every connection to Graphene's servers within the OS.
b) Add custom NTP server address (IP) or other www address/es to use htpdate to sync system clock.

unwat

[deleted]

Can I ask why? These connections can be forced through a VPN connection, so if you're worried about an ISP or government spying on you, a VPN is an easy way to kind of mitigate that.

I'm not personally all that knowledgeable about the underlying codebase for all of these services, but the issue would probably be that Android expects these kinds of data to be available via some external service. Simply removing them can break basic functionality.

All of these GrapheneOS servers that you're talking about are either (effectively) mirrors or proxies. The servers' configurations are all published on Github. Here's a list of links on the website to those servers' repositories.

Anyway, time server was one you specifically mentioned. I believe if you set time manually the system won't poll a time server. I could be wrong. You can try it out and test it with Pi-hole or something.

Lusca

[deleted]
I am going to assume you have read the website and are asking this as a feature. It would be an interesting addition to GOS.

For those who have not read the relevant information can be found here.

[deleted]

unwat
The answer is pretty obvious. Developers of GOS which btw make great job should assume that GOS' users are more aware than regular Android users and they don't need to be patronized.

Let's put the subject "spying" on the side.
I want to choose servers which I want to use, I want block servers I don't want to connect to. It's simple.

GOS should make 0 literally zero connections wich are not approved by user.

Sure, I can set the time manually, but I need to have time up to date. I use i2pd router and Orbot on my phone. I must have very accurate time and I need to use NTP server or htpdate option at least.

unwat

[deleted] don't need to be patronized

If you're suggesting that I was being patronizing, then my apologies. I don't know you personally, so how am I supposed to know your skill level? I was trying to help, but it turns out you just want to make a feature request.

Also, I am not sure if I'm understanding what you wrote correctly, but just to make things clear, I'm just a community member. I'm not a GOS developer, nor affiliated with the project in any way besides being a community member.

I don't know why you don't just use Orbot's setting to use a new circuit for each destination address. Also, why you don't just whitelist apps to use the Orbot VPN. You can effectively block those connections this way.

GrapheneOS

NTP (Network Time Protocol) is insecure without NTS for authentication. Since Android's NTP implementation doesn't provide NTS, we don't use it and instead use a much simpler HTTPS-based approach which is going to depend on a header with a fine-grained timestamp since the TLS / HTTP time only has granularity to the second. We already support disabling network time connections, unlike Android. Other servers won't be implementing our custom protocol. Until Android has NTS support, there isn't a way to support secure network time in a standard way.

[deleted]

GrapheneOS
If you use “header with time stamps” why did you hard-coded only your server?
What is the problem to use other addresses?

If you use time stamp – which I really like and use it on other machines https://www.vervest.org/htp, don't you think that one address is not enough? Isn't better when it comes to accuracy to use multiple web addresses?

GrapheneOS

The standard timestamp is only 1s granularity so we need to move to using our own header as explained above. Using multiple would not improve it.