System time in anonymity oriented LiveCDs

anonym anonym at
Mon Jan 3 15:06:44 UTC 2011

Hi list,

One issue for anonymity-oriented LiveCDs (such as T(A)ILS[1] and Liberté
Linux[2]) is the system time. Tor requires a reasonably correct system
time, otherwise no circuits will be opened. This is a major problem for
these LiveCDs since they generally route all traffic through Tor
transparently (using netfilter/iptables and the like) so no Tor circuits
implies no network access for the user.

The obvious fix might seem to be to run something like NTP before Tor
starts, but since NTP isn't authenticated at the moment[3] an adversary
could intercept the NTP sync and force a crafted time on the user which
later can be used to fingerprint the user if s/he uses some
protocol/application which leaks system time. Hence NTP is out of the

Liberté Linux has a novel solution to this problem[4] -- it sets the
system time according to the Tor consensus' valid-after/until values,
which essentially removes Tor's time skew check. We T(A)ILS developers
are tempted to implement the same solution, but first we'd like to ask
here if this is safe, or if it opens up for any unexpected type of
attacks or problems.

If any one has a completely different solution for the system time issue
we're very interested in hearing that out as well.


[3] Public key authentication is in the works, supposedly, but we need a
working solution _now_.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the tor-talk mailing list