Let's Encrypt, a community-controlled non-profit certificate authority that provides free certificates to everyone, has announced that it is switching to ntpd-rs, an NTP server written in Rust with security and stability in mind. The project is distributed under the Apache 2.0 and MIT licenses, fully supports the NTP and NTS (Network Time Security) protocols as both client and server, and can be used as a replacement for the NTP servers chrony, ntpd and NTPsec.
The ntpd-rs package was developed as part of the Prossimo project, which operates under the auspices of ISRG (Internet Security Research Group), the organization that founded Let's Encrypt and promotes HTTPS and the development of technologies that increase the security of the Internet. In addition to ntpd-rs, Prossimo is also developing the Rustls TLS library, the Hickory DNS server, the River reverse proxy, the sudo-rs utility, and Rust components for the Linux kernel.
The use of ntpd-rs is expected to increase the security of the Let's Encrypt infrastructure and reduce the likelihood of vulnerabilities caused by memory-handling errors. The security and reliability of the time synchronization system also matters because an attacker who manipulates the system time can compromise time-dependent protocols such as TLS. For example, a changed clock can cause the validity period of TLS certificates to be misjudged.
The Let's Encrypt certificate authority issues more than four million new certificates every day. The number of active certificates stands at 372 million (a certificate is valid for three months). These certificates cover more than 128 million registered domains and 428 million fully qualified domain names (FQDNs). In April, ntpd-rs was deployed in the Let's Encrypt test environment, and the main production systems have now been moved to it. In the future, Let's Encrypt plans to continue adopting systems written in Rust: in particular, it plans to replace OpenSSL with Rustls, use Hickory as its DNS server, replace Nginx with River, and use sudo-rs instead of sudo.