This is how we verify the licence time
How do we know this cannot be exploited?
We contact the array of NTP servers by sending a very short 16-byte UDP message to pool.ntp.org requesting the current date/time. The 48 bytes returned are immediately interpreted, the date is extracted, and the message is thrown away.
What sort of measures are taken to protect us as users of the software?
No data other than the 16-byte date/time request is transferred to pool.ntp.org. The returned message is used only to extract the current date/time and check that your licence is valid.
Do you validate the time brought back?
Yes. We expect the returned data to be a decimal number which represents the current date/time. Only 48 bytes are accepted as a response. Any other data is rejected. Any data that is not a decimal number is rejected.
Is the field limited in length?
Yes. Only 48 bytes are accepted as a response.
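
The length and content checks described in the answers above, written out as an added example (not the vendor's own code). It assumes the reply is a standard NTP packet laid out as in RFC 5905 and goes beyond the page by also checking the mode, leap and stratum fields; all function names are hypothetical, and failing closed on a rejected reply is an assumption.

```python
import struct
from datetime import datetime, timezone

NTP_PACKET_LEN = 48          # the only response length the page says is accepted
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
TX_OFFSET = 40               # transmit timestamp: last 8 bytes of the 48-byte header

class RejectedResponse(ValueError):
    """Raised when a reply fails validation and must be discarded."""

def parse_ntp_response(data: bytes) -> datetime:
    """Validate a raw UDP payload and return the server's transmit time (UTC)."""
    if len(data) != NTP_PACKET_LEN:
        raise RejectedResponse(f"expected {NTP_PACKET_LEN} bytes, got {len(data)}")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x7, data[1]
    if mode != 4:                       # 4 = server reply; anything else is not an answer
        raise RejectedResponse(f"unexpected mode {mode}")
    if leap == 3 or not 1 <= stratum <= 15:
        # leap 3 = clock unsynchronised, stratum 0 = kiss-of-death, 16+ = invalid
        raise RejectedResponse("server reports no usable time")
    tx_seconds = struct.unpack_from("!I", data, TX_OFFSET)[0]
    if tx_seconds == 0:
        raise RejectedResponse("empty transmit timestamp")
    # Era 0 only: the 32-bit seconds field rolls over in 2036.
    return datetime.fromtimestamp(tx_seconds - NTP_UNIX_DELTA, tz=timezone.utc)

def licence_valid(data: bytes, expiry: datetime) -> bool:
    """Assumption for this example: a rejected reply gives no trusted time, so fail closed."""
    try:
        return parse_ntp_response(data) <= expiry
    except RejectedResponse:
        return False

def sample_reply(unix_time: int, mode: int = 4, stratum: int = 2) -> bytes:
    """Constructed test packet (not captured traffic): NTPv4 header plus transmit time."""
    pkt = bytearray(NTP_PACKET_LEN)
    pkt[0] = (4 << 3) | mode            # leap 0, version 4, given mode
    pkt[1] = stratum
    struct.pack_into("!I", pkt, TX_OFFSET, unix_time + NTP_UNIX_DELTA)
    return bytes(pkt)

if __name__ == "__main__":
    expiry = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed expiry date
    good = sample_reply(1700000000)
    print(parse_ntp_response(good), licence_valid(good, expiry))
    print(licence_valid(good + b"\x00", expiry))          # 49 bytes: rejected
```

UDP replies are unauthenticated, so these checks only reject malformed or unusable packets; they do not establish that the reply came from the server that was queried.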