Hi cho,
Thanks for your post. I agree with you. Generally speaking, Secure Time Seeding (STS) was added to Windows 10 in 2015. The feature is intended to correct discrepancies between the time set in the system and the actual time – primarily when a computer’s battery feeding the internal real-time clock dies and the time settings have nothing in common with reality. Most importantly, STS is able to correct the system time without accessing the current-time servers.
But why is such a correction of time discrepancies even needed? Oddly enough, for security. Typically, client-server data exchange (including system connection to the internet time servers) is protected with SSL/TLS encryption protocols. To establish such a connection with the server, the client first needs to verify its digital certificate, and these certificates have a certain validity period. Therefore, if the time in the system is set with a significant error, the certificate may be considered expired, and a secure connection won’t be established.
So a vicious circle appears: in order to find out the current time, the computer needs to know the current time. It doesn’t have to be perfectly accurate; the approximate time can work too. But the greater the difference between the system time and the actual time, the greater the chance the certificate will get flagged as expired.
STS introduces (at least in its developers’ minds) a way for the system to automatically identify and correct major discrepancies, even when a secure connection cannot be established with any server. This is achieved by using current timestamps and digital-certificate expiry dates contained in the data sent by the servers to the client during the initial establishment of a secure connection (the SSL and TLS handshakes).
The exact algorithm of STS is unknown. But the general idea is that Windows pulls data from the SSL handshake and uses it to compute a reliable range for the current time and assign it a probability. As new data becomes available, the range is updated, and the probability can gradually increase. When it reaches a certain threshold, STS decides to change the system time to the median time from the range it deems reliable. In theory, such precision should suffice to establish a secure connection, connect to a current time server, and get the precise time.
Best Regards,
Ian Xue
If the Answer is helpful, please click "Accept Answer" and upvote it.
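The range-narrowing idea Ian describes, turned into an added toy model in Python (not Microsoft's STS code, whose real algorithm the post says is unknown); the threshold of three agreeing handshakes, the treatment of a disjoint window as an outlier, and the certificate validity dates are all constructed assumptions:

```python
from datetime import datetime
from typing import Optional, Tuple


class SeedEstimator:
    """Toy model of the post's idea: each handshake yields a window
    (certificate notBefore..notAfter) that must contain the true 'now';
    intersecting windows narrows the range and raises confidence.
    Threshold and outlier handling are assumptions, not Microsoft's STS."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.low: Optional[datetime] = None
        self.high: Optional[datetime] = None
        self.consistent = 0   # observations that overlap the running range
        self.rejected = 0     # malformed or disjoint windows (treated as outliers)

    def observe(self, not_before: datetime, not_after: datetime) -> None:
        if not_before >= not_after:
            self.rejected += 1          # malformed validity period
            return
        if self.low is None or self.high is None:
            self.low, self.high = not_before, not_after
            self.consistent = 1
            return
        new_low, new_high = max(self.low, not_before), min(self.high, not_after)
        if new_low > new_high:
            self.rejected += 1          # disjoint from everything seen so far
            return
        self.low, self.high = new_low, new_high
        self.consistent += 1

    def confidence(self) -> float:
        return min(1.0, self.consistent / self.threshold)

    def estimate(self) -> Optional[datetime]:
        if self.low is None or self.high is None or self.consistent < self.threshold:
            return None                 # not enough agreeing evidence yet
        return self.low + (self.high - self.low) / 2   # midpoint of the range


def run_demo() -> Tuple[Optional[str], float, int]:
    """Feed constructed certificate windows (sample data, not real handshakes)."""
    est = SeedEstimator(threshold=3)
    est.observe(datetime(2023, 1, 1), datetime(2024, 1, 1))
    est.observe(datetime(2023, 6, 1), datetime(2024, 6, 1))
    est.observe(datetime(2019, 1, 1), datetime(2020, 1, 1))   # stale cert: outlier
    est.observe(datetime(2023, 9, 1), datetime(2023, 12, 1))
    when = est.estimate()
    return (when.isoformat() if when else None, est.confidence(), est.rejected)
```

With the constructed windows the range shrinks to September through November 2023 and the midpoint is adopted once three consistent observations have been seen; until then `estimate()` returns `None`.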