AmiMoJo quotes the Register: The Internet Engineering Task Force has taken another small step in protecting everybody’s privacy… As the draft proposal explains, the RFCs that define NTP have what amounts to a convenience feature: packets going from client to server have the same set of fields as packets sent from servers to clients… “Populating these fields with accurate information is harmful to privacy of clients because it allows a passive observer to fingerprint clients and track them as they move across networks”. The header fields in question are Stratum, Root Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin Timestamp, and Receive Timestamp. The Origin Timestamp and Receive Timestamp offer a handy example or a “particularly severe information leak”. Under NTP’s spec (RFC 5905), clients copy the server’s most recent timestamp into their next request to a server – and that’s a boon to a snoop-level watcher.
The proposal “proposes backward-compatible updates to the Network Time
Protocol to strip unnecessary identifying information from client
requests and to improve resilience against blind spoofing of
unauthenticated server responses.” Specifically, client developers should set those fields to zero.
Read more of this story at Slashdot.