NTP/htpdate and other servers

de0u

H7oUt Doesn't NTS require security keys to work? I have settings for it on my MikroTik router, but i can't find a free NTS provider from which to obtain such keys.

I am neither an NTS expert nor a MikroTIk expert. If you are trying to configure a MikroTik router as an NTP server with NTS, I believe you will need to generate a key and also have a valid SSL certificate. But I believe NTS NTP clients trust servers in accordance with SSL certificates. You may wish to consult MikroTik documentation and/or the MikroTik user forum.

de0u

H7oUt And the issue with connections to GOS servers is that it gives away the fact that device uses GOS.

Concealing that a device is running GrapheneOS would take some work. The web site lists quite a few standard connections. As just one example, it would be necessary to disable the update client and sideload all updates manually.

According to the GrapheneOS documentation, it is currently possible to disable network time, and it sounds as if a well-written patch to use the standard AOSP network time code might be of interest.

GrapheneOS

de0u Setting connectivity checks to standard and using a VPN is all that's required since all the connections will go through a VPN. Trying to do it without using a VPN would mean disabling a bunch of important services resulting in not getting important updates and important functionality not working. It's not advisable to try to avoid networks knowing it's GrapheneOS without using a VPN. People should just combine changing the connectivity check setting with a widely used VPN and the network won't see it's GrapheneOS.

angela

[deleted] I also would prefer this as an option or to block all such connection except through 9050. I do not trust communications infrastructure to have built in tracking and I don't trust that infrastructure can't track ingress and express points to data centers, making tracking users trivial with VPNs trivial. I have seen things that make me think they can do this even with multihops. GOS users would be an attractive target for a government to track and not all GOS users live in areas with stable governments respectful of human rights. I would rather be logged going to a data center prior to my GOS-specific connections going through several nodes. There are likely other Tor users in a data center and even if this is all logged and can be disentangled, there's a greater processing cost making it less likely or slower to do.

GrapheneOS

de0u We aren't going to add NTS support ourselves and Android is highly unlikely to add it rather than replacing NTP with a different protocol. HTTPS with a warmed up connection and compensation for the round trip time is a better way to fetch time for mobile devices and is what we're doing. It avoids adding attack surface since most connections use TLS / HTTPS with the same implementation and it's more than good enough. It also works through a VPN, Tor, strict network filtering, etc. since it's simply a TCP connection via port 443 rather than UDP to the NTP port. NTP with NTS would run into even more problems with network filtering since highly filtered networks which made an exception for NTP are unlikely to have made an exception for the barely used NTS protocol with very low awareness and adoption.

GrapheneOS

H7oUt You can simply use a VPN in each profile and set the connectivity check servers to standard. Connecting to GrapheneOS services via a VPN avoids giving away that you use GrapheneOS to the networks you use. There are at least a couple highly trusted VPN providers supporting paying anonymously.

GrapheneOS

x-pve

Consider there are people which devices are not connected to internet; just to internal/private network. NTP server is available on this network, but just normal, insecure, but the network is trusted

Authentication should still be used on local networks. We aren't going to contribute to insecure practices based on trusting everything on a local network to be friendly. There isn't going to be any unauthenticated NTP support used by GrapheneOS.

The standard approach on Android is retrieving time from the cellular carrier with fallback to using the time obtained via NTP from a Google service. It actively uses both and simply ignores the time from SNTP when it has time from a carrier. Android also has support for using time from GNSS (satellite location services) but it's not used in the default AOSP configuration used for the stock Pixel OS or most other devices. GrapheneOS disables carrier-based time and replaces insecure NTP using a Google service with HTTPS-based network time using a GrapheneOS service. We could support using other sources of HTTPS-based time with the simple protocol we made (a custom header with more precise time) but we don't have any plan to use SNTP or NTP even with NTS.

x-pve

GrapheneOS
Thank you, but I'm still confused - in the FAQ - https://grapheneos.org/faq#default-connections

We plan to offer a toggle to use the standard functionality instead of HTTPS-based time updates in order to blend in with other devices.

is not valid anymore?

de0u

x-pve "Standard functionality" on that quote might mean "carrier time", which might be wrong but wouldn't stand out at all.

Ilgar

a) Block every connection to Graphene's servers within the OS.
b) Add custom NTP server address (IP) or other www

I second this. I'd add frequency of time sync, other HTTPS-based network time servers (for self hosting) and maybe ability to set many endpoints with randomisation.

mmobder

[deleted]
Setup RethinkDNS and block whatever you want. Good luck)

Ilgar

mmobder or split tunnel via vpn + block connections without vpn.

« Previous Page