Hi. What are your thoughts on having an anonymity distro depend on Hidden Service descriptors for time-syncing purposes?
The only weakness identified is that if a Hidden Service forges its descriptor timestamp deliberately, it could perform a time replay attack within an 18-hour window. How serious is this?
The Proposal we are considering is:
Use of Hidden Service descriptors to obtain more accurate time:
There are some problems with using Directory Authority consensus data; the only one, IMO, is the fuzzy window of three hours, which makes it harder to set a realistic time.
My proposal is to have sdwdate query the DHT for specific Hidden Service descriptors from the HSDir Authorities without actually connecting to them, and calculate a more fine-grained time to set. Here is why I think it's a good idea:
Descriptors contain a timestamp field which shows the time they are generated. The time reported is the number of microseconds since 1970. Descriptors are signed by the HS and cannot be spoofed by the HSDirAuth. Descriptors are refreshed hourly. A "malicious" HS that wants to fool our time check has to go out of its way and forge the timestamp in its descriptor. If it is doing this by just running with a wrong clock, it will make itself inaccessible. The damage is much more limited (only an 18-hour window, not 7 days) before the HSDir Authorities reject these forgeries.

There do exist stable, available and friendly HSes besides the TPO one that was taken down. The only addresses that will be used are ones in the "pal" pool. These will be whistleblowing- and freedom-friendly sites. Some suggestions: Wikileaks, RiseUp (each service they provide has a unique HS address assigned), The New Yorker's SecureDrop service, and probably more. The way to go about this is to fetch descriptors without connecting. The timestamps will be compared to get an accurate reading.
A high time resolution is possible: we can pinpoint the probable time within that one-hour range, because each server was started at a different time from the others, so each uploads its descriptor asynchronously.
With 1400 HSAuth Dirs on the network, I don't think there will be much of a load problem.
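As an added worked example (not code from the original post, and not sdwdate's own implementation), the following Python sketches the "compare the timestamps" step the proposal describes: if every honest, fresh descriptor was published at `ts` and is refreshed hourly, the true time must lie in `[ts, ts + 1h]`, so intersecting those windows narrows the one-hour range, and a descriptor whose window does not overlap the majority (a forged timestamp, or a service with a badly wrong clock) is left out of the estimate. The service names, the publication times, the optional coarse consensus window, and the use of `datetime` values instead of the raw descriptor encoding are all constructed assumptions for illustration.

```python
"""Hypothetical descriptor-timestamp time estimator (illustrative, not sdwdate code).

Assumptions, per the proposal text: each descriptor carries a UTC publication
time and is refreshed hourly, so the true time lies in [ts, ts + 1h] for every
honest, fresh descriptor. Everything below is a constructed example.
"""
from datetime import datetime, timedelta, timezone

DESCRIPTOR_LIFETIME = timedelta(hours=1)  # proposal: descriptors are refreshed hourly


def utc(*args):
    """Build a timezone-aware UTC datetime (helper for the constructed sample)."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample: publication timestamps of hypothetical "pal pool" services.
# Three honest services started at different times; one descriptor is forged.
SAMPLE_DESCRIPTORS = {
    "wikileaks.example":  utc(2015, 3, 1, 12, 5, 0),
    "securedrop.example": utc(2015, 3, 1, 12, 22, 0),
    "riseup.example":     utc(2015, 3, 1, 12, 40, 0),
    "forged.example":     utc(2015, 3, 1, 20, 0, 0),   # deliberately 8 h in the future
}


def plausible_window(published):
    """Interval the true time must lie in if this descriptor is honest and fresh."""
    return published, published + DESCRIPTOR_LIFETIME


def estimate_time(descriptors, coarse_window=None):
    """Return (lo, hi, accepted): the tightest interval supported by the most
    descriptors, and the names of the descriptors that support it.

    coarse_window: optional (lo, hi) from the directory consensus (the coarse
    three-hour window mentioned in the post); descriptors whose plausible window
    does not overlap it are dropped before voting.
    """
    windows = {}
    for name, published in descriptors.items():
        lo, hi = plausible_window(published)
        if coarse_window is not None:
            c_lo, c_hi = coarse_window
            if hi < c_lo or lo > c_hi:
                continue  # cannot be consistent with the consensus at all
        windows[name] = (lo, hi)
    if not windows:
        raise ValueError("no descriptor is consistent with the coarse window")

    # Sweep over interval endpoints to find the sub-interval covered by the most
    # windows. Opening events (0) sort before closing events (1) at equal times,
    # so windows that merely touch still count as overlapping.
    events = []
    for name, (lo, hi) in windows.items():
        events.append((lo, 0, name))
        events.append((hi, 1, name))
    events.sort()

    best_count, best_lo, best_hi, count = 0, None, None, 0
    for i, (t, kind, _name) in enumerate(events):
        count += 1 if kind == 0 else -1
        # The coverage reached here holds until the next event's time.
        if count > best_count and i + 1 < len(events):
            best_count, best_lo, best_hi = count, t, events[i + 1][0]

    accepted = {n for n, (lo, hi) in windows.items() if lo <= best_lo and hi >= best_hi}
    return best_lo, best_hi, accepted


def point_estimate(lo, hi):
    """Midpoint of the agreed interval, the value one would actually set the clock to."""
    return lo + (hi - lo) / 2


if __name__ == "__main__":
    lo, hi, accepted = estimate_time(SAMPLE_DESCRIPTORS)
    print("agreed interval:", lo.time(), "-", hi.time(), "(width", hi - lo, ")")
    print("point estimate: ", point_estimate(lo, hi).time())
    print("rejected:       ", sorted(set(SAMPLE_DESCRIPTORS) - accepted))
```

With the constructed sample the three honest windows overlap only between 12:40 and 13:05, a 25-minute span inside the one-hour descriptor lifetime, while the forged descriptor's window (20:00 to 21:00) overlaps none of them and is excluded. Note what the sweep does not do: if a majority of the queried services colluded on a forged timestamp inside the 18-hour window the HSDirs tolerate, the estimator would follow them, which is the replay risk the question raises.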