The Open-Source cryptography suite that supports the backbone of the secure internet.
Importance of OpenSSL:
OpenSSL powers the vast majority of the internet as it is used for Apache and Nginx web servers.
The market share for OpenSSL is enormous, as evidenced by this ongoing study:
Apache, Nginx, and “Google” all are dependent on OpenSSL cryptography. This gives OpenSSL 54% of the Internet overall. Of the top million busiest sites on the Internet OpenSSL is a dependency for 69%.
And that is just servers. There are thousands of apps with millions of users that also rely on OpenSSL for secure communication. This includes Google Android and Apple iOS, which together encompass hundreds of millions of devices.
The reason OpenSSL needs support:
This project is largely unsupported by financial interests because there is no profit motive for OpenSSL. It doesn’t make money. It does, however, make the world of eCommerce go around. OpenSSL is getting ready for a partial audit. We will commission a deep audit of OpenSSL by a trusted authority, set up a bug bounty, and further fund development of existing and new code.
Recent OpenSSL vulnerabilities of note:
- Logjam – https://www.openssl.org/news/secadv_20150611.txt
- FREAK (brand new) – http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-devices-cripples-https-crypto-protection/
- Heartbleed – http://heartbleed.com/
- CCS Injection – https://access.redhat.com/articles/904433
- Debian Predictable Keys – http://en.wikipedia.org/wiki/OpenSSL#Predictable_keys_.28Debian-specific.29
OpenSSL released a major update, version 1.1.1, on September 11, 2018, which included many major new features such as TLS version 1.3 and a new Pseudorandom Number Generator.
OSTIF assisted with auditing two components of this release, an audit of the new PRNG here: https://ostif.org/our-review-of-the-openssl-1-1-1-random-number-generation-update/ and a full review of all of the new features here: https://ostif.org/the-ostif-and-quarkslab-audit-of-openssl-is-complete/
The OpenVPN project creates Virtual Private Network software that allows users to establish point-to-point, secure connections between business, home users, and government private networks.
Importance of OpenVPN:
It is the only widely used Virtual Private Network software that is entirely open-source and not encumbered by patents, restrictive licensing, and other issues. It also has substantial flexibility and is a powerful tool for breaking through censorship blocks and surveillance. It is also supported by all major operating systems including all Linux Distros, Windows, Android, iOS, BSD, OpenWRT and OSX and it allows interoperability between all of these systems seamlessly (not a small feat).
The reason OpenVPN needs support:
Development is slow and the features of OpenVPN are falling behind the capabilities of Internet providers and nations to detect and interfere with OpenVPN connections. The cryptography (powered by OpenSSL, another OSTIF supported project) is believed to be sound, so the data cannot be read by outside parties, but the parties can detect the use of OpenVPN and cut off or slow the connection to the point of uselessness. Supporting the OpenVPN project would allow faster rollout of features to fight these techniques and increase trust in the OpenVPN platform with a professional audit of the code.
OpenVPN version 2.4.0 was audited in May 2017. Here are the results of that audit: https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/
There is a major project underway now to develop obfuscation plugins for OpenVPN 2.5.0. These plugins will be designed to break through blocking by censorship systems. They are being developed in partnership with The Operator Foundation and Greatfire.org. More information will be released about this project and the progress of the plugins soon.
File, Container, and File System level encryption that also supports hidden files and strong cryptography.
Importance of VeraCrypt:
File-system level encryption is critical to defend systems against physical compromise. If someone breaks into your home and steals your hard drive, or through some bug is able to pull the contents of your hard drive through the Internet, the data is completely useless without the decryption keys. File encryption is critical for businesses, transactional data, individuals, journalists, political dissidents, and research. VeraCrypt can be used to encrypt entire drives, or individual files, or even embed files inside of other files (such as a hidden zip file inside of a video file). It is a fork of the now-defunct TrueCrypt project, in which the developers mysteriously and simultaneously all abandoned the project just after a source code audit proved that the software was cryptographically sound and bug-free.
The reason VeraCrypt needs support:
It is believed that the TrueCrypt engineers were bullied into quitting the project by one or more governments. This explains their mysterious disappearance from the project after a decade of working on it. Because we know that the TrueCrypt software base is sound, the VeraCrypt project will be a worthy successor as it is built on that foundation. VeraCrypt has continued development of the source code, and fixed a number of small issues that were revealed by the security audit of TrueCrypt.
VeraCrypt version 1.19 was audited in October 2016. Here are the results of that audit: https://ostif.org/the-veracrypt-audit-results/
Secure Domain Name Resolution for DNSSEC and DNS-over-TLS.
Importance of Unbound DNS:
The Domain Name System was designed around the birth of the Internet as we know it. One of the key problems with the Domain Name System is that it is not surveillance or censorship resistant, and even worse, it is vulnerable to tampering via spoofing and DNS poisoning. New standards are being developed to correct these issues, by using certificates to verify the integrity of the domain names and by encrypting the data to prevent various types of information leaks. Unbound allows you to set up a DNS system that cannot be poisoned nor easily observed by outside parties.
The reason Unbound DNS needs support:
Unbound is a critical first building block in building secure applications. Many secure projects rely on Unbound to add a layer of reliability to the application that allows a developer to have a foundation for a secure environment. Unbound is used both on its own and inside of hundreds of secure apps.
An audit of Unbound DNS is currently under way. More information will be available soon!
Monero is a cryptocurrency that provides secure and private transactions across the globe.
Importance of Monero XMR:
Monero is one of the leading cryptocurrency projects that focuses on retaining the privacy properties of cash. Monero XMR is designed to be a permissionless, fungible, worldwide currency that can be acquired and spent by anyone just like cash. Monero uses a combination of unique technologies to enable the required privacy layering that challenges projects around the world. It is surveillance and censorship resistant and the Monero blockchain is opaque.
The reason Monero needs support:
Monero is a unique project in many ways. Monero does not have a “pre-mine” nor any type of “tax” or “development fees.” The project is run entirely by volunteers and is fully open-source. Further, the Monero community of developers set aggressive targets for research and development, hardforking the network every six months to implement improvements to the project, something that many other projects resist. As a result, Monero has a fast development cycle, and the need for security review of the rapidly changing components is crucial to helping maintain the security of the currency overall. Monero also has one of the largest dev communities in the cryptocurrency space, and research and development are moving the needle for entire sectors of the cryptocurrency world.
An audit of Monero BulletProofs in partnership with QuarksLab was conducted in October 2018. The results can be viewed here: https://ostif.org/the-ostif-and-quarkslab-audit-of-monero-bulletproofs-is-complete-critical-bug-patched/
A second audit of Monero BulletProofs was conducted in July 2018. The results can be viewed here: https://ostif.org/the-quarkslab-and-kudelski-security-audits-of-monero-bulletproofs-are-complete/
Three audits of Monero RandomX are under way. Look for results soon! Two audits of Monero CLSAG are being negotiated (one for cryptography and one for implementation).
Secure and private transactions using quantum-computing resistant cryptography.
Importance of Quantum Resistant Ledger QRL:
Quantum Resistant Ledger is a cryptocurrency project that focuses on implementing algorithms that resist quantum computing. This focus is crucially important because the rise of quantum computing gives unique mathematical shortcuts to many types of traditional cryptography. The focus on post-quantum cryptography gives QRL a unique position among blockchain projects, developing unique technology that may be needed by many other projects if/when more of the major hurdles for quantum computing are solved.
The reason QRL needs support:
The primary focus on post-quantum cryptography is unique among cryptocurrency projects, and its importance will come into focus as quantum computing at scale becomes viable. International standards bodies are taking the threat of quantum computers seriously enough to develop countermeasures against it. CRYSTALS-KYBER and CRYSTALS-DILITHIUM, used by QRL, are algorithms that are in the NIST competition for a worldwide quantum-resistant key exchange algorithm and a quantum-resistant signature.
An audit of Quantum Resistant Ledger was conducted in Sept 2018. The results can be viewed here:
Other projects we like, but do not support (yet):
- GNU Privacy Guard
- Apache HTTPD
- The Tor Project
- NoScript (Firefox Plugin)
- uBlock Origin and uMatrix
- Tails (operating system)
- QubesOS (operating system)
Projects we would like to see:
- Open-source keystroke encryption
- A project to enable users to check firmware for malware/tampering