[ntp:questions] SSL time request

Ryan Malayter malayter at gmail.com
Sat May 21 18:17:38 UTC 2011

On Thu, May 19, 2011 at 11:06 AM, Kevin Coulombe <stonkie at gmail.com> wrote:
> Hi,
> I'm looking into producing a 15 days demonstration version of an application
> for a client. I'm considering the use of an internet clock to validate this
> demo's duration, but a simple http request would be too easy to hack.
> Is there any way to request time in a secure manner such as an SSL
> connection. What I need is to validate that we are actually communicating
> with the "real" time server and that the message isn't tampered with.

The simplest "solution" for secure time with limited resolution would
be to do an HTTPS get to say https://www.isc.org/. Parse the Date
header returned. You can presumably trust that ISC keeps its web
server clock synced closely to UTC. Use more than one source if you
are paranoid.

If you're trying to protect yourself against a potentially"evil"
prospective customer running your software without a license, though,
this won't work if they are determined and moderately skilled. There
exist HTTP proxies that can act as a man-in-the-middle for HTTPS,
because the client controls the list of certificates that are trusted
(after all, they control the machine where the software is installed).
DRM of this sort is basically impossible - witness all the cracks of
DRM on video games, iTunes, Blu-Ray and other anti-piracy measures.
They all fall eventually, and only inconvenience legitimate customers.

DRM = fail. You are far better off protecting yourself with a paper
contract that gives you no-notice physical audit rights.


More information about the questions mailing list