From:  Kevin Chadwick <>
Date:  16 Feb 2018 19:34:03 Hong Kong Time

Re: TLS everywhere has a major flaw and needs refining to the page level.


On Thu, 15 Feb 2018 15:55:27 -0600

> I'm not sure this can be worked around. A setup where time is not
> pulled from the network is abnormal now, and most people who have such
> a system soon realize what the issue is.

OpenNTP has a constraint system but considering NTP is a latent,
insecure, untrusted server protocol, synchronising the clock in one go
is not the recommended default. Instead it used https constraints and 8
UDP server samples before skewing slightly.

I don't know if the windows version is a less latent but secured

> The certificate warnings are a good reminder to update my clock
> (seriously). Perhaps offer this information on the error page?

Yeah, I don't think the messages are as clear these days as to what the
issue is. The idea being to reduce click through, perhaps they could
manually update their clock in that case but not understand the
messages otherwise or been taught to stop when strange things happen
or not to click on error boxes.

On that subject I think the chromium reported plan to label sites as
insecure should perhaps be revised to page insecured or something more

Additionally it infers sites labelled secure or not labelled insecure
are secure when they may have terrible security but utilise TLS.