The Open Source Technology Improvement Fund (OSTIF) has reached its goal of $71,000 in a fundraiser that will be used to audit the popular VPN encryption protocol OpenVPN. OpenVPN is already recognized as the industry-leading VPN protocol and is always our recommended protocol for VPN users here at BestVPN.com. The audit, however, will help to highlight the main areas for improvement and will allow the VPN community to focus clearly on ways to improve their custom VPN clients going forward.
OSTIF is a nonprofit organization that raises funding for open source technology projects. Its aim is to provide logistical support to help enhance the security of those technologies. That, of course, is the beauty of open source technologies: the software’s source code is specifically licensed in a way that makes it legal for anybody to study, change, and distribute that code for any reason they see fit.
With the source code available for scrutiny, independent bodies like OSTIF can go ahead and audit that code to discover security flaws or to find areas within the technology that can be improved. The audit fundraiser, which reached its goal two weeks earlier than expected, is great news for VPN users and is strongly supported by us here at BestVPN.com, where we look forward to the outcome of the independent investigation.
Donations still welcome
For now, despite having reached its goal, the fundraiser will continue until the close date of January 1st, 2017. According to OSTIF, any further donations will be used as follows:
“The overflow funds are being reserved for the bug bounty program that will begin after the OpenSSL audit finishes in mid-2017. This will be a program where researchers can submit new security bugs to the developers of the projects that have already been audited by OSTIF for up to $5000 in rewards. When this program begins, it will cover VeraCrypt, OpenVPN, and OpenSSL, and OSTIF will need a $50,000 pool to set aside for award payouts that will need to be periodically replenished by donation overages from other projects.”
Commenting on the success of the fundraiser, OSTIF explains that the goal was met quickly due to overwhelming support from the community as a whole, which now includes a coalition of 33 companies and large numbers of individuals who contributed and helped to advertise the campaign further.
In particular, OSTIF credits two of its most generous donors, Private Internet Access and iPredator, whose contributions alone raised half of the total goal of $71,000. The well-known privacy-conscious search engine DuckDuckGo was also a large contributor to the cause, stumping up $25,000. The organization has also given its thanks to the Reddit community for helping to spread the word about the project.
Among the contributors were a number of VPN providers including ExpressVPN, a VPN that we often recommend (because it implements OpenVPN to a very high standard). In addition, of course, BestVPN.com also made a contribution to the worthy cause.
Here at BestVPN.com we are incredibly well positioned to help by setting up some kind of framework for auditing VPNs using the information from the study. For that reason, we are firmly looking forward to the outcome of the audit and will be using the information it uncovers about OpenVPN to help us review VPN encryption implementations in the future.
Complex auditing process
As OSTIF explains on its website, auditing encryption software is highly critical, and is the very reason that OpenVPN is open source in the first place. Checking encryption software is no easy feat, either, because it requires leading-edge knowledge in several entirely independent fields of computing. OSTIF explains the tough process as follows:
“Auditing is a complex and labor-intensive process. The most simple type is basic scanning by specialized software to look for errors in code that can lead to security vulnerabilities. There are also more complex types which involve looking at the code line-by-line for common coding errors that software will routinely miss, but still create flaws, and the most advanced type of auditing involves threat modeling, which is the process of figuring out the sophistication of a likely attacker, and how they would try to attack the software, and then manually searching for flaws in the software based on how it actually behaves, as well as taking a look at the most important pieces of the source code. OSTIF hires individuals and firms to look at the source code of the supported applications using all of the available methods listed here.”
With the funds now raised, OSTIF will be contacting QuarksLab to hire two senior researchers to carry out the audit. They will work alongside Dr. Matthew Green, a world-renowned cryptographer who will closely analyze the core cryptography of OpenVPN. The research team will focus on vital aspects such as software vulnerabilities and exploit analysis in reaching their conclusions.
High profile team
PIA had the following to say about Dr. Green’s involvement:
“Private Internet Access is happy to announce that an OpenVPN 2.4 audit is going to be completed by noted cryptographer Dr. Matthew Green, assistant professor at the Johns Hopkins Information Security Institute. Dr. Green has a long, distinguished history in the fields of applied cryptography and cryptographic engineering and has previously led the Truecrypt audit.”
Although not absolutely confirmed yet, OSTIF is hoping that the QuarksLab team will be headed up by Gabriel Campana. He recently worked on the impressive Qubes OS + Xen paravirtualization escape exploit, which allowed him to take control of a running Qubes OS system on Xen, one of the most secure Linux distros today. That is an impressive accomplishment, and given his background auditing set-top boxes, it is no wonder that he is wanted for the job.
It is expected that results from the audit will be ready to be published halfway through 2017. In the meantime, anybody who wants to contribute may do so through OSTIF’s website. The donation will go toward the highly useful bug bounty program, which will commence once the current audits are complete. It will allow researchers to “submit new security bugs to the developers of the projects that have already been audited by OSTIF for up to $5000 in rewards”.
Anybody interested in a VPN with a good OpenVPN implementation is encouraged to look at our top 5 providers list here.