I think it’s worth noting a few things. The flaws in “the NTP software” affect one implementation, not all. Ubuntu will simply set the time from a remote server, as opposed to skewing the clock, but that’s their dumb mistake, not inherent in NTP. (At least the article notes some systems are different.) The reflection attack with monlist is, of course, utterly stupid, but again, it’s a flaw in one implementation. You can use NTP without it.
The TLS timestamp would be a good idea, except it’s not always there. LibreSSL will always fill it in with a completely random value.
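Added example, not part of the comment above and not code from any NTP or TLS project: a client that reads the first four bytes of `ServerHello.random` (the `gmt_unix_time` field in TLS 1.2 and earlier) can only treat the value as a candidate, so this sketch accepts a time only when several servers agree. The function names, the tolerance and quorum values, and the sample records are constructed for illustration.

```python
import struct
from statistics import median

HANDSHAKE, SERVER_HELLO = 22, 2  # record content type, handshake message type

def build_server_hello(first4: int) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ServerHello record."""
    body = struct.pack("!HI", 0x0303, first4) + bytes(28)  # version + 32-byte random
    body += b"\x00" + b"\x00\x2f" + b"\x00"  # empty session id, cipher suite, null compression
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

def server_hello_time(record: bytes) -> int:
    """Return the first 4 bytes of ServerHello.random as a big-endian uint32.

    The field is nominally gmt_unix_time, but a server may fill it with
    random data, so the result is a candidate timestamp and nothing more.
    """
    if len(record) < 5 + 4 + 2 + 32:
        raise ValueError("record too short for a ServerHello")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or record[5] != SERVER_HELLO:
        raise ValueError("not a ServerHello handshake record")
    if rec_len > len(record) - 5:
        raise ValueError("truncated record")
    # Skip record header (5), handshake type/length (4), server_version (2).
    return struct.unpack("!I", record[11:15])[0]

def consensus_time(candidates, tolerance=60, quorum=3):
    """Return an agreed time, or None when the candidates do not cluster.

    Random fills scatter across the 32-bit range; real clocks land within
    `tolerance` seconds of each other. Both thresholds are assumptions.
    """
    if len(candidates) < quorum:
        return None
    mid = median(candidates)
    close = [t for t in candidates if abs(t - mid) <= tolerance]
    return int(median(close)) if len(close) >= quorum else None

if __name__ == "__main__":
    T = 1400000000  # constructed reference time
    fills = [T, T + 2, T - 1, 0x9E3779B9, 0x12345678]  # last two mimic random fills
    times = [server_hello_time(build_server_hello(v)) for v in fills]
    print(consensus_time(times))  # agreed time from the three clustered values
```

A single response gives no way to tell a real timestamp from a random fill, which is why the check needs several independent servers.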