5

It happened to me a few times that I installed a Windows PC after the CMOS battery had been replaced and all sorts of things stopped working or threw security warnings, only to realize that I just needed to set the clock, or click on the sync button.

From the above experiences I deduced that time synchronization is important for security. Intuitively I feel like time synchronization is important, e.g. a certificate can be valid at a certain time, but revoked at a different time, but it's unclear how dangerous time mis-synchronization is.

If we consider the certificate example, I can imagine that the conversation between my browser and some certificate server goes like this example:

me: is this certificate legit right now (my current time: 1st of January 1970), cause I need to know if I can safely write my password on the bank's website?

server: this certificate is not legit right now (by the way, the current time is 29th of November 2020).

From the above conversation we can see that we can figure out whether a certificate is legit "right now" by asking about its "right now" status, regardless of the absolute time associated with it, so regardless of how wrong my time is set.

So, what kind of vulnerabilities exist on a PC with a wrong time, but otherwise as safe as any other PC with an up-to-date Windows, and perhaps some antivirus software?

Assume the PC is used in a typical scenario, say, an office with important documents, but still human operated. The PC in question is not the one operating nuclear attacks, nuclear reactors, anything with nuclear in its title, or anything that can be considered a gun, or a bomb.

There is a similar question asked, but it only deals with a hacker having access to setting the time on a PC. I am asking more about the dangers of just having a wrong time set on a PC which is otherwise working correctly.

Marcel
Andrei
  • Is IoT manufacturing under the question scope? I have an answer for that – usr-local-ΕΨΗΕΛΩΝ Nov 29 '20 at 17:32
  • 4
    Certificate checking is usually done without contacting a server. If checking for revocation, you would ask a server for a CRL or an OCSP response, both of which are also valid for a specific time period. If your computer time is in the past, an attacker could present you an expired certificate, for which the key has been compromised, and an old CRL or OCSP response, which you would trust, as at the time your computer thinks it is, all of those elements were valid. – user2313067 Nov 29 '20 at 18:36
  • And if the time is advanced, most HTTPS sites will be unreachable because the system will think the certificate has expired. – mti2935 Aug 26 '21 at 22:23

1 Answer

1

If your time is wrong, this can lead to a system no longer being accessible. So the "otherwise working correctly" is limited. Many security protocols (ok, TLS not so much, except for CRLs) rely on time being synchronized more or less. For example: most Windows 10 systems fail when they are more than 5 minutes off (best practice Kerberos value).

Forensics is also a lot harder; you need to keep your time differences at hand when you are correlating logs. Also, when it comes to a court case, your explanations become hard to follow for non-technical people (e.g. judges) if the times don't match.

The same problem, for example, with a contract with a file date years back. To find the latest document: sort by date. Too bad that the contract with all the amendments you made has an earlier date than the original contract.

And your incremental backup may go wrong too.

So all sorts of things go unpredictably wrong, sometimes in a way that will be detected much later. The influence will probably be more on the integrity and availability than on the confidentiality.

Ljm Dullaart
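The failure modes raised in the comment about stale CRL/OCSP data and in the answer above, as an added example that is not part of the original posts. It is a simplified model (real TLS and Kerberos stacks check more than this); `true_now` stands in for the server or KDC clock, and all names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KERBEROS_MAX_SKEW = timedelta(minutes=5)  # the 5-minute value the answer cites

@dataclass
class Window:
    """Validity interval: cert notBefore/notAfter or OCSP thisUpdate/nextUpdate."""
    start: datetime
    end: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.start <= when <= self.end

def assess(local_now, true_now, cert, ocsp):
    """Compare what a client with clock `local_now` accepts against reality."""
    accepts = cert.valid_at(local_now) and ocsp.valid_at(local_now)
    really_ok = cert.valid_at(true_now) and ocsp.valid_at(true_now)
    if accepts and not really_ok:
        tls = "accepts stale certificate/revocation data"  # integrity risk
    elif really_ok and not accepts:
        tls = "rejects a valid certificate"                # availability loss
    else:
        tls = "matches reality"
    skew = abs(local_now - true_now)
    return {"kerberos_ok": skew <= KERBEROS_MAX_SKEW, "tls": tls}

def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

# Constructed sample data, not taken from any real certificate.
TRUE_NOW = utc(2020, 11, 29, 12, 0)
EXPIRED_CERT = Window(utc(2018, 1, 1), utc(2019, 12, 31))
OLD_OCSP = Window(utc(2019, 6, 1), utc(2019, 6, 8))
CURRENT_CERT = Window(utc(2020, 1, 1), utc(2021, 1, 1))
FRESH_OCSP = Window(utc(2020, 11, 27), utc(2020, 12, 4))

SCENARIOS = {
    "past_replay": assess(utc(2019, 6, 3), TRUE_NOW, EXPIRED_CERT, OLD_OCSP),
    "future": assess(utc(2022, 1, 1), TRUE_NOW, CURRENT_CERT, FRESH_OCSP),
    "slow_3m": assess(TRUE_NOW - timedelta(minutes=3), TRUE_NOW,
                      CURRENT_CERT, FRESH_OCSP),
    "fast_7m": assess(TRUE_NOW + timedelta(minutes=7), TRUE_NOW,
                      CURRENT_CERT, FRESH_OCSP),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        print(f"{name:12} kerberos_ok={result['kerberos_ok']!s:5} tls: {result['tls']}")
```

A clock in the past fails open (old material looks current), while a clock in the future fails closed; a drift of only a few minutes leaves certificate checks untouched but can already break Kerberos.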