siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0
6.47k stars, 517 forks

Using cloudflare for ntp is an attack vector #9033

Closed. lee-b closed this issue 2 months ago.

lee-b commented 2 months ago

Bug Report

Description

Talos uses Cloudflare as its NTP source. Time sync is security-critical, and Cloudflare is an untrustworthy actor both in terms of their actions (https://www.reddit.com/r/privacy/comments/15skzyo/what_about_cloudflare/, http://cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/) and also their own security (https://blog.cloudflare.com/thanksgiving-2023-security-incident, https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html).

This should be removed, or at least not the default. At least with pool.ntp.org, people assume that's going to be the default setup and can act accordingly.

Logs

Environment

smira commented 2 months ago

There is no default value that everyone would be happy with unfortunately.

If there are incidents with Cloudflare supplying malicious time data, we can reconsider the defaults.

pool.ntp.org security might be seen as more questionable, as it is run by volunteers (or whatever other reason).

From a functional perspective Cloudflare provides a better default.

lee-b commented 2 months ago

Using multiple NTP servers would be a better approach, security-wise. The configuration file having a list of servers but only one specified seems to suggest that it would be easy to use multiple servers by default. If the code doesn't actually support syncing against multiple servers, I'd suggest that should be revisited -- either fixing the code or using a tried and tested NTP/NTS client.

smira commented 2 months ago

Talos does SNTP, but you can run chronyd/ntpd if you want more.
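What lee-b's multi-server suggestion buys you, and what the SNTP client smira mentions would have to do to cash it in, is shown below as an added example. This is not code from this thread or from Talos: it applies the RFC 4330 sanity checks to each server reply (mode, leap indicator, kiss-o'-death, and that the reply echoes our own transmit timestamp, which is what stops a forged or replayed reply from being accepted), then takes the median of the offsets and only accepts sources within a tolerance of it, requiring a quorum. The server names ntp-a/b/c, the timestamps, the 100 ms tolerance and the quorum of 2 are all constructed for the illustration; no packets leave the process.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"sort"
	"time"
)

// Added example, not Talos code: RFC 4330 SNTP reply checks plus a majority-agreement selector.
const ntpEpoch = 2208988800 // seconds from the NTP epoch (1900) to the Unix epoch (1970)
// NTP timestamps are 32.32 fixed-point seconds since 1900.
func ntpToUnix(ts uint64) time.Time {
	return time.Unix(int64(ts>>32)-ntpEpoch, int64(((ts&0xffffffff)*1e9)>>32))
}
func unixToNTP(t time.Time) uint64 {
	return uint64(t.Unix()+ntpEpoch)<<32 | (uint64(t.Nanosecond())<<32)/1e9
}

// buildServerReply fabricates a mode-4 reply, standing in for real server bytes (constructed input).
func buildServerReply(li, stratum uint8, originate uint64, t2, t3 time.Time) []byte {
	pkt := make([]byte, 48)
	pkt[0], pkt[1] = li<<6|4<<3|4, stratum // LI, VN=4, Mode=4 (server)
	binary.BigEndian.PutUint64(pkt[24:], originate)
	binary.BigEndian.PutUint64(pkt[32:], unixToNTP(t2))
	binary.BigEndian.PutUint64(pkt[40:], unixToNTP(t3))
	return pkt
}

// parseReply runs the RFC 4330 sanity checks and returns the clock offset one reply
// implies; t1 and t4 are the client's own transmit and receive times.
func parseReply(pkt []byte, t1, t4 time.Time) (time.Duration, error) {
	switch {
	case len(pkt) < 48:
		return 0, fmt.Errorf("short packet")
	case pkt[0]>>6 == 3 || pkt[0]&7 != 4:
		return 0, fmt.Errorf("not a synchronized server reply (LI=3 or mode!=4)")
	case pkt[1] == 0 || binary.BigEndian.Uint64(pkt[40:]) == 0:
		return 0, fmt.Errorf("kiss-o'-death (stratum 0) or zero transmit timestamp")
	case binary.BigEndian.Uint64(pkt[24:]) != unixToNTP(t1):
		// The reply must echo our transmit timestamp, else it is stale, replayed or forged.
		return 0, fmt.Errorf("originate timestamp does not match our request")
	}
	t2, t3 := ntpToUnix(binary.BigEndian.Uint64(pkt[32:])), ntpToUnix(binary.BigEndian.Uint64(pkt[40:]))
	return (t2.Sub(t1) + t3.Sub(t4)) / 2, nil // RFC 4330 offset formula
}
type Source struct{ Name string; Offset time.Duration }
type Selection struct{ Offset time.Duration; Accepted, Rejected []string }

// selectOffset keeps the sources within tolerance of the median offset and requires at
// least quorum of them, so a single lying server cannot move the result by itself.
func selectOffset(src []Source, tolerance time.Duration, quorum int) (Selection, error) {
	var sel Selection
	if len(src) == 0 {
		return sel, fmt.Errorf("no usable sources")
	}
	offs := make([]time.Duration, len(src))
	for i, s := range src {
		offs[i] = s.Offset
	}
	sort.Slice(offs, func(i, j int) bool { return offs[i] < offs[j] })
	median := offs[len(offs)/2]
	if len(offs)%2 == 0 { // even count: average the two middle values
		median = (offs[len(offs)/2-1] + median) / 2
	}
	var sum time.Duration
	for _, s := range src {
		if d := s.Offset - median; d <= tolerance && d >= -tolerance {
			sel.Accepted = append(sel.Accepted, s.Name)
			sum += s.Offset
		} else {
			sel.Rejected = append(sel.Rejected, s.Name)
		}
	}
	if len(sel.Accepted) < quorum {
		return sel, fmt.Errorf("%d of %d sources agree, need %d", len(sel.Accepted), len(src), quorum)
	}
	sel.Offset = sum / time.Duration(len(sel.Accepted)) // mean of the accepted sources
	return sel, nil
}

// Demo: two honest servers agree the client is 500ms slow; a third claims an hour (all constructed).
func Demo() (Selection, error) {
	t1 := time.Unix(1700000000, 0)           // constructed client transmit time
	t4 := t1.Add(40 * time.Millisecond)      // constructed client receive time (40ms RTT)
	honest := t1.Add(520 * time.Millisecond) // +500ms true offset plus 20ms one-way delay
	liar := t1.Add(3600*time.Second + 20*time.Millisecond)
	var src []Source
	for i, t := range []time.Time{honest, honest, liar} {
		off, err := parseReply(buildServerReply(0, 2, unixToNTP(t1), t, t), t1, t4)
		if err != nil {
			return Selection{}, fmt.Errorf("ntp-%c: %w", 'a'+i, err)
		}
		src = append(src, Source{fmt.Sprintf("ntp-%c", 'a'+i), off})
	}
	return selectOffset(src, 100*time.Millisecond, 2)
}

func main() { fmt.Println(Demo()) }
```

With three sources the lying one is outvoted and lands in Rejected; with only two that disagree, the averaged median is far from both, neither reaches the quorum, and the client refuses to step the clock rather than guess which one to trust, which is the property a single configured server cannot give you. In Talos the server list lives under machine.time.servers in the machine config; the example only shows what a client can do once that list has more than one entry.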