• [deleted]

I'd like to ask to add a possibility to:
a) Block every connection to Graphene's servers within the OS.
b) Add custom NTP server address (IP) or other www address/es to use htpdate to sync system clock.

    [deleted]

    Can I ask why? These connections can be forced through a VPN connection, so if you're worried about an ISP or government spying on you, a VPN is an easy way to kind of mitigate that.

    I'm not personally all that knowledgeable about the underlying codebase for all of these services, but the issue would probably be that Android expects these kinds of data to be available via some external service. Simply removing them can break basic functionality.

    All of these GrapheneOS servers that you're talking about are either (effectively) mirrors or proxies. The servers' configurations are all published on GitHub. Here's a list of links on the website to those servers' repositories.

    Anyway, time server was one you specifically mentioned. I believe if you set time manually the system won't poll a time server. I could be wrong. You can try it out and test it with Pi-hole or something.

      16 days later
      • [deleted]

      unwat
      The answer is pretty obvious. Developers of GOS, who btw do a great job, should assume that GOS users are more aware than regular Android users and don't need to be patronized.

      Let's put the subject "spying" on the side.
      I want to choose the servers I want to use, and I want to block servers I don't want to connect to. It's simple.

      GOS should make 0, literally zero, connections which are not approved by the user.

      Sure, I can set the time manually, but I need to have time up to date. I use i2pd router and Orbot on my phone. I must have very accurate time and I need to use NTP server or htpdate option at least.

        [deleted] don't need to be patronized

        If you're suggesting that I was being patronizing, then my apologies. I don't know you personally, so how am I supposed to know your skill level? I was trying to help, but it turns out you just want to make a feature request.

        Also, I am not sure if I'm understanding what you wrote correctly, but just to make things clear, I'm just a community member. I'm not a GOS developer, nor affiliated with the project in any way besides being a community member.

        I don't know why you don't just use Orbot's setting to use a new circuit for each destination address. Also, why you don't just whitelist apps to use the Orbot VPN. You can effectively block those connections this way.

        [deleted]
        I am going to assume you have read the website and are asking this as a feature. It would be an interesting addition to GOS.

        For those who have not read it, the relevant information can be found here.

        NTP (Network Time Protocol) is insecure without NTS for authentication. Since Android's NTP implementation doesn't provide NTS, we don't use it and instead use a much simpler HTTPS-based approach which is going to depend on a header with a fine-grained timestamp since the TLS / HTTP time only has granularity to the second. We already support disabling network time connections, unlike Android. Other servers won't be implementing our custom protocol. Until Android has NTS support, there isn't a way to support secure network time in a standard way.

          • [deleted]

          GrapheneOS
          If you use a "header with time stamps", why did you hard-code only your server?
          What is the problem with using other addresses?

          If you use a time stamp – which I really like and use on other machines, https://www.vervest.org/htp – don't you think that one address is not enough? Isn't it better, when it comes to accuracy, to use multiple web addresses?

          The standard timestamp is only 1s granularity so we need to move to using our own header as explained above. Using multiple would not improve it.

          2 years later

          Any news about this topic? Is it still not possible to use the standard NTP protocol?
          Consider that there are people whose devices are not connected to the internet, just to an internal/private network. An NTP server is available on this network, just a normal, insecure one, but the network is trusted.
          Another/custom IP doesn't necessarily mean a server on the internet, just as a Wi-Fi connection and the internet are different things.

            x-pve Any news about this topic? It's still not possible to use standard NTP protocol?

            The answer given by the GrapheneOS project two years ago earlier in this thread (GrapheneOS) was that the project did not want to ship NTP without NTS and that AOSP did not include an implementation of NTS.

            If there is news that the AOSP implementation of NTP now includes NTS, that would likely be welcome news. Or if a member of the community chose to contribute an implementation of NTS, and it were of high enough quality, that might change the situation.

            But personally it doesn't seem very likely to me that the GrapheneOS project will suddenly decide to ship an NTP client without a way to secure the time, because running a device's time in reverse can enable replay attacks, and the project does not typically add low-security solutions when higher-security solutions exist.

            Please note that I do not speak for the GrapheneOS project.

              Doesn't NTS require security keys to work? I have settings for it on my MikroTik router, but I can't find a free NTS provider from which to obtain such keys.


                And the issue with connections to GOS servers is that it gives away the fact that the device uses GOS. That further allows capturing heartbeats for analysis.

                  H7oUt Doesn't NTS require security keys to work? I have settings for it on my MikroTik router, but I can't find a free NTS provider from which to obtain such keys.

                  I am neither an NTS expert nor a MikroTik expert. If you are trying to configure a MikroTik router as an NTP server with NTS, I believe you will need to generate a key and also have a valid SSL certificate. But I believe NTS NTP clients trust servers in accordance with SSL certificates. You may wish to consult the MikroTik documentation and/or the MikroTik user forum.

                  H7oUt And the issue with connections to GOS servers is that it gives away the fact that the device uses GOS.

                  Concealing that a device is running GrapheneOS would take some work. The web site lists quite a few standard connections. As just one example, it would be necessary to disable the update client and sideload all updates manually.

                  According to the GrapheneOS documentation, it is currently possible to disable network time, and it sounds as if a well-written patch to use the standard AOSP network time code might be of interest.

                    [deleted] I also would prefer this as an option, or to block all such connections except through 9050. I do not trust communications infrastructure not to have built-in tracking, and I don't trust that the infrastructure can't track ingress and egress points to data centers, making tracking users with VPNs trivial. I have seen things that make me think they can do this even with multihops. GOS users would be an attractive target for a government to track, and not all GOS users live in areas with stable governments respectful of human rights. I would rather be logged going to a data center prior to my GOS-specific connections going through several nodes. There are likely other Tor users in a data center, and even if this is all logged and can be disentangled, there's a greater processing cost, making it less likely or slower to do.

                    de0u Setting connectivity checks to standard and using a VPN is all that's required since all the connections will go through a VPN. Trying to do it without using a VPN would mean disabling a bunch of important services resulting in not getting important updates and important functionality not working. It's not advisable to try to avoid networks knowing it's GrapheneOS without using a VPN. People should just combine changing the connectivity check setting with a widely used VPN and the network won't see it's GrapheneOS.

                    de0u We aren't going to add NTS support ourselves and Android is highly unlikely to add it rather than replacing NTP with a different protocol. HTTPS with a warmed up connection and compensation for the round trip time is a better way to fetch time for mobile devices and is what we're doing. It avoids adding attack surface since most connections use TLS / HTTPS with the same implementation and it's more than good enough. It also works through a VPN, Tor, strict network filtering, etc. since it's simply a TCP connection via port 443 rather than UDP to the NTP port. NTP with NTS would run into even more problems with network filtering since highly filtered networks which made an exception for NTP are unlikely to have made an exception for the barely used NTS protocol with very low awareness and adoption.

                    H7oUt You can simply use a VPN in each profile and set the connectivity check servers to standard. Connecting to GrapheneOS services via a VPN avoids giving away that you use GrapheneOS to the networks you use. There are at least a couple highly trusted VPN providers supporting paying anonymously.

                    x-pve

                    Consider there are people which devices are not connected to internet; just to internal/private network. NTP server is available on this network, but just normal, insecure, but the network is trusted

                    Authentication should still be used on local networks. We aren't going to contribute to insecure practices based on trusting everything on a local network to be friendly. There isn't going to be any unauthenticated NTP support used by GrapheneOS.

                    The standard approach on Android is retrieving time from the cellular carrier with fallback to using the time obtained via NTP from a Google service. It actively uses both and simply ignores the time from SNTP when it has time from a carrier. Android also has support for using time from GNSS (satellite location services) but it's not used in the default AOSP configuration used for the stock Pixel OS or most other devices. GrapheneOS disables carrier-based time and replaces insecure NTP using a Google service with HTTPS-based network time using a GrapheneOS service. We could support using other sources of HTTPS-based time with the simple protocol we made (a custom header with more precise time) but we don't have any plan to use SNTP or NTP even with NTS.

                      9 days later