Time Synchronization

Time synchronization is vital for anonymity and security. An incorrect system clock can expose you to replay attacks (being fed an old Tor consensus, old versions of software or old HTTPS certificates), de-anonymization of users and onion services, linking of sessions to the same pseudonym, and clock skew fingerprinting.

NTP

NTP is very insecure: it is unencrypted and unauthenticated, and it leaks your local computer time in NTP timestamp format, which can be used for clock skew fingerprinting. Because of that, Obscurix disables it by masking systemd-timesyncd and by not installing or enabling any other NTP client.

NTP has an authentication mechanism called Autokey, but it is insecure and doesn't solve the problem of clock skew fingerprinting.

NTP also uses UDP, so it can't be routed through Tor, and it is vulnerable to amplification attacks (a type of DoS).

Implementation

Obscurix uses a tool I developed called Secure Time Synchronization. It randomly selects a website out of a pool of carefully chosen websites, connects to it, extracts the current UTC time from the HTTP headers and sets that as the system time. It uses onion services where possible; if the website doesn't have an onion service, it uses TLS. This makes it encrypted, authenticated and anonymous without leaking the time. It's configured to go through its own SocksPort for stream isolation and also has minimal attack surface.

More information can be found in the readme.
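
The selection and header-parsing steps described above, as an added example that is not the Secure Time Synchronization source. The pool hostnames, the sample response, the function names and the `FLOOR` replay check are assumptions made for illustration; the block only parses and validates, it does not set the clock.

```python
import secrets
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed pool; hostnames are placeholders, not the tool's real list.
POOL = ["https://site-a.example", "http://siteb-placeholder.onion"]

# Assumed lower bound (e.g. image build date): anything older is a replay.
FLOOR = datetime(2024, 1, 1, tzinfo=timezone.utc)


def pick_source(pool=POOL):
    """Pick one source unpredictably so no single site sees every request."""
    return secrets.choice(pool)


def utc_from_headers(raw_headers, floor=FLOOR):
    """Return the UTC time from a raw header block, or raise ValueError."""
    dates = []
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            dates.append(value.strip())
    if len(dates) != 1:  # missing or ambiguous Date header
        raise ValueError("expected exactly one Date header, got %d" % len(dates))
    try:
        when = parsedate_to_datetime(dates[0])
    except (TypeError, ValueError) as exc:
        raise ValueError("unparseable Date header") from exc
    # HTTP dates must be GMT; refuse naive or offset values.
    if when.tzinfo is None or when.utcoffset().total_seconds() != 0:
        raise ValueError("Date header is not UTC")
    when = when.astimezone(timezone.utc)
    if when < floor:
        raise ValueError("time is older than the floor; possible replay")
    return when


# Constructed response headers for the demonstration.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Date: Tue, 04 Mar 2025 10:15:30 GMT\r\n"
          "Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    print(pick_source(), utc_from_headers(SAMPLE).isoformat())
```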

Obscurix uses a systemd service (secure-time-sync.service) to run it at boot.

The hardware clock is not changed, as writing to it would leave a trace on the hardware, which is the exact opposite of what Obscurix is trying to do.