ExpressVPN talks to Derek Zimmer: President and CEO of the Open Source Technology Improvement Fund (OSTIF), about his organization, the audit of OpenVPN, and the future of internet privacy tools.
The quotes (in red) published in this blog are snippets taken from the full interview with Derek which you can read in full here.
ExpressVPN proudly supported OSTIF’s audit.
Why it’s important to audit open-source projects like OpenVPN
Privacy-conscious and security related projects increasingly rely on open source software due to ideological reasons, licensing issues, and trust.
It’s the open nature of the software that allows anyone to see how it works and how to compile it—and keep control of what the code does.
In reality, however, few people can review and understand code fully, and while some nefarious behavior is obvious, vulnerabilities and bugs often take years to spot.
Full code reviews are expensive and difficult to carry out, and while many people and organizations might rely on a project, it’s hard to coordinate a full audit.
OSTIF decided to take on the daunting task, regardless. Derek explains that it took three researchers 50 days (or around 1000 hours) to complete the review. The version they audited was OpenVPN 2.4 because it includes some significant code changes and new features.
“OpenVPN is a unique piece of software, in that it’s a monolithic code with lots of features that must be compatible with older versions.”
OSTIF looked primarily at the Windows and Linux implementations because they’re the most familiar with users and developers.
“We also decided to focus on any cryptography created by OpenVPN itself, and the application’s security. This means looking for logic errors, memory allocation errors, improper buffer handling, or other improper error state vulnerabilities.”
OpenSSL, on which OpenVPN (together with PolarSSL) relies “to power its cryptography” wasn’t included in the audit and will have its own, separate review. There are thriving businesses that rely on OpenSSL or Nginx, and Derek hopes to fundraise from them.
Unfortunately, though, other large-scale privacy software projects, like OTR, Signal, or Tor have no vested commercial users, so the community will have to find a means to fund any audits themselves.
Finding funding for a full code audit
Previously, OSTIF had tried other means, including a Kickstarter to raise funds. Now, Derek aims to gather donors for each project individually, hopefully gaining more trust from the tech industry and community in the process. It’s hoped this approach will grant the ability to take on larger projects.
The OpenVPN audit was the first “wide” audit, as Derek puts it, that OSTIF undertook. Unlike their previous highly anticipated audit of Veracrypt (the successor of Truecrypt), OpenVPN has a thriving community of large VPN providers who are willing to contribute financially.
“I was surprised by the positive community response and the outpouring of support for the project. It truly was remarkable! I’m very happy with the community support for the project, but was also surprised at the number of larger organizations that didn’t respond to our inquiries or had no point of contact at all for their management.”
The evolving privacy and security industry
While Derek seems largely optimistic about the future of online security and privacy, he’s worried about “black boxes of code” and the millions of older, yet active, systems without recent security updates—particularly in the Android ecosystem.
Conversely, Apple puts tremendous resources into security. However, he says, Apple don’t open source their technology. Instead, they rely on their device security to keep unwanted malware researchers at bay—which is an untrustworthy setup.
It seems there are many tribulations to face. Ultimately, though, Derek and his team do an excellent service to the internet and the privacy of its users. But the fight is far from over:
“We’ve repeatedly seen through various government agency leaks that if the cryptography around the information is good, they can’t break it en-masse. This fact at least disables the “listening in on everyone” form of mass surveillance that has become pervasive in the last few years. As these privacy tools continue to improve and crypto becomes harder to break and easier to use, we’ll see substantially increased efforts to attack and compromise devices.”