# NTP servers with NTS support
Timing attacks? BGP route hijacks? Amplification/Reflection attacks?
I think it's more than warranted. Plus, NTS is designed to be low latency.
99% of BGP hijacks are due to either a lack of RPKI or a lack of RPKI validation. Timing attacks are possible without NTP; in fact, data centres do not use NTP, but PTP. So idk
Timing attacks against your Windows machine on a LAN network or what? 😂
Just in general.
There could be someone on the wire; you never know. In security, always assume a system is compromised until proven otherwise.
NTP fails to prove otherwise
It uses UDP, a connectionless, spoofable protocol, with zero, if not minimal, authentication.
So therefore you risk things like result spoofing, and vice versa. So yes, timing attacks can indeed happen if using 3P NTP servers.
The two biggest DDoS vectors in history, and still to this day, are DNS and NTP.
Critical protocols we can't just switch off.
NTS solves the latency problem by doing handshakes beforehand, and can then be complemented with encrypted DNS and DNSSEC to prevent spoofing on that side of things.
Even if a MITM or route hijack happened, NTS is resistant due to the handshake.
As is the case with regard to DoT, DoQ, and DoH vs DoUDP / DoTCP.
So, TL;DR, @arctic raptor, I ask you this: do you support encrypted DNS, and do you support DNSSEC? If so, your criticizing NTS is hypocritical. NTP and DNS are two highly critical protocols; securing them is a net positive regardless.
But anyway, I digress. You can disagree if you wish but I hope you understand my reasoning for backing it now.
Well, it does affect security, but I use it for privacy reasons, not security. So yes, I DO SUPPORT Encrypted DNS. But it's not that hard to find out that most internet users do not use encrypted DNS. The most common issues in the DNS world are reflection DoS attacks and domain hijacking via forgotten NS servers. It's not the fact that it's unencrypted. DNS spoofing is a real thing, and encryption does help mitigate it, but it's primarily a problem in LANs. Encrypted DNS is also not recommended or used in high-performance applications, as it requires much more CPU and is much slower. So while encrypting everything might seem like a good idea, it's not necessary for everything.
It's also a very reliable source of information that, if you look back 10 years, the biggest hacks virtually didn't mention anything about DNS or DNS spoofing. You can't hear anything about NTP either, other than the DDoS attacks. So while I understand your statement, I disagree with it. Encryption is not always a good idea, especially in high-performance applications.
Whilst I see your point, I would argue that unless you were happy to send all your general web traffic over HTTP, you shouldn't be making arguments like this.
There is a reason HPKP was created, then HSTS.
And there is further reason why browsers took it upon themselves to merge the logic from HTTPS Everywhere into themselves.