https://letsencrypt.org/2024/06/24/ntpd-rs-deployment.html Skip navigation links Let's Encrypt * Documentation * Get Help * Donate + Make a Donation + Become a Sponsor + Current Sponsors and Funders + Get Involved * About Us + Let's Encrypt + Internet Security Research Group (ISRG) + Frequently Asked Questions (FAQ) + Shortening the Let's Encrypt Chain of Trust + Policy and Legal Repository + Service Status + Statistics + Careers + Contact + Blog * Languages [language-i] + English + Catala + Cestina + Greek + Polish + Tamil + Thai + Dansk + Deutsch + Espanol + Suomi + Francais + `bryt + Hungarian + Bahasa Indonesia + Italiano + Ri Ben Yu + hangugeo + Portugues do Brasil + Russkii + siNhl + Srpski + Svenska + Ukrayins'ka + Tieng Viet + Jian Ti Zhong Wen + Fan Ti Zhong Wen More Memory Safety for Let's Encrypt: Deploying ntpd-rs Jun 24, 2024 * Josh Aas When we look at the general security posture of Let's Encrypt, one of the things that worries us most is how much of the operating system and network infrastructure is written in unsafe languages like C and C++. The CA software itself is written in memory safe Golang, but from our server operating systems to our network equipment, lack of memory safety routinely leads to vulnerabilities that need patching. Partially for the sake of Let's Encrypt, and partially for the sake of the wider Internet, we started a new project called Prossimo in 2020. Prossimo's goal is to make some of the most critical software infrastructure for the Internet memory safe. Since then we've invested in a range of software components including the Rustls TLS library, Hickory DNS, River reverse proxy, sudo-rs, Rust support for the Linux kernel, and ntpd-rs. Let's Encrypt has now taken a step that was a long time in the making: we've deployed ntpd-rs, the first piece of memory safe software from Prossimo that has made it into the Let's Encrypt infrastructure. Most operating systems use the Network Time Protocol (NTP) to accurately determine what time it is. Keeping track of time is a critical task for an operating system, and since it involves interacting with the Internet it's important to make sure NTP implementations are secure. In April of 2022, Prossimo started work on a memory safe and generally more secure NTP implementation called ntpd-rs. Since then, the implementation has matured and is now maintained by Project Pendulum. In April of 2024 ntpd-rs was deployed to the Let's Encrypt staging environment, and as of now it's in production. Over the next few years we plan to continue replacing C or C++ software with memory safe alternatives in the Let's Encrypt infrastructure: OpenSSL and its derivatives with Rustls, our DNS software with Hickory, Nginx with River, and sudo with sudo-rs. Memory safety is just part of the overall security equation, but it's an important part and we're glad to be able to make these improvements. We depend on contributions from our community of users and supporters in order to provide our services. If your company or organization would like to sponsor Let's Encrypt please email us at sponsor@letsencrypt.org. We ask that you make an individual contribution if it is within your means. Support a more secure and privacy-respecting Web. Donate Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Read all about our nonprofit work this year in our 2023 Annual Report. 548 Market St, PMB 77519, San Francisco, CA 94104-5401, USA Send all mail or inquiries to: PO Box 18666, Minneapolis, MN 55418-0666, USA * GitHub * X * Mastodon View our privacy policy. View our trademark policy. Subscribe to our Newsletter