NTP security: NTS providers, chrony

On Linux (Ubuntu) I had just installed chrony and added server time.cloudflare.com nts to /etc/chrony/chrony.conf

This forces the system to ask for time via NTS (TLS) so nobody can intercept or spoof it.

So I think it would be good to add an extended guide about these situations.

Regarding NTS servers, here is what I found:

time.cloudflare.com
ptbtime1.ptb.de
nts.netnod.se

Plain NTP has plenty of issues and concerns. Detailed articles here, here and here.

And even if it is not part of your threat model, there will always be someone with an even higher threat model.

2 Likes
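As an added example (not from this thread or from the chrony project), two small shell checks for the setup described in the post above: one audits a chrony.conf for source lines that lack the nts option, the other parses the output of chronyc -N authdata to flag sources whose NTS key exchange has not actually completed. Both inputs below are constructed samples; the config uses the three providers listed in the post.

```shell
#!/bin/sh
# Added example: audit a chrony config and chronyc authdata output for
# sources that are not authenticated with NTS. Inputs are constructed.

# Constructed chrony.conf: NTS sources for the providers named in the
# thread, plus a plain NTP pool line that the audit should flag.
SAMPLE_CONF='server time.cloudflare.com iburst nts
server ptbtime1.ptb.de iburst nts
server nts.netnod.se iburst nts
pool 2.debian.pool.ntp.org iburst
ntsdumpdir /var/lib/chrony
minsources 2'

# Constructed `chronyc -N authdata` output (chrony 4.x column layout).
# Mode NTS with KeyID 0 and Cook 0 means the NTS-KE handshake has not
# completed, so that source is configured for NTS but not yet authenticated.
SAMPLE_AUTHDATA='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
ptbtime1.ptb.de              NTS     0    0    0    -    3    0    0    0
2.debian.pool.ntp.org          -     0    0    0    -    0    0    0    0'

# Print the address of every server/pool/peer line without the nts option.
# Exit status 1 if any such line exists, 0 otherwise.
unauthenticated_sources() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(server|pool|peer)[[:space:]]/ &&
        $0 !~ /(^|[[:space:]])nts([[:space:]]|$)/ { print $2; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Print every source whose Mode is not NTS, or whose key ID or cookie
# count is zero (handshake not established). Exit status 1 if any.
nts_not_established() {
    printf '%s\n' "$1" | awk '
        NR > 2 && NF >= 10 {
            if ($2 != "NTS" || $3 == 0 || $9 == 0) { print $1; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run against the constructed samples.
unauthenticated_sources "$SAMPLE_CONF" || echo "plain NTP sources found"
nts_not_established "$SAMPLE_AUTHDATA" || echo "sources without NTS established"
```

On a live system, replace the samples with the real config file and the output of chronyc -N authdata.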

I agree with recommending NTS, but I don’t think we can offer much value in terms of offering a specific configuration. I use and recommend the GrapheneOS chrony.conf

4 Likes

It seems to be a real issue. I vote for such a guide.

1 Like

The main issue seems to be certificate errors. An attacker can make the victim start to ignore warnings if it happens all the time. Plus this can DoS some security systems that use TLS.