These are the projects that the Open Source Technology Improvement Fund supports when you donate. Each of them is carefully chosen based on its importance to data security and privacy, and how we view the relative need of the project for our support.
OpenSSL – The open-source cryptography suite that supports the backbone of the secure Internet.
Importance of OpenSSL – OpenSSL powers the vast majority of the Internet, as it is used by the Apache and Nginx web servers.
The market share of OpenSSL is enormous, as evidenced by this ongoing study:
Apache, Nginx, and “Google” all are dependent on OpenSSL cryptography.
This gives OpenSSL 54% of the Internet overall.
Of the top million busiest sites on the Internet, OpenSSL is a dependency for 69%.
And that is just servers: there are thousands of apps with millions of users that also rely on OpenSSL for secure communication. This includes Google Android and Apple iOS, which together encompass hundreds of millions of devices.
The reason that OpenSSL needs support – This project is largely unsupported by financial interests because there is no profit motive for OpenSSL. It doesn’t make money. It does, however, make the world of eCommerce go around. OpenSSL is getting ready for a partial audit. We will commission a deep audit of OpenSSL by a trusted authority, set up a bug bounty, and further fund development of existing and new code.
Recent OpenSSL Vulnerabilities of note:
Logjam – https://www.openssl.org/news/secadv_20150611.txt
FREAK (brand new) – http://arstechnica.com/security/2015/03/freak-flaw-in-android-and-apple-devices-cripples-https-crypto-protection/
Heartbleed – http://heartbleed.com/
CCS Injection – https://access.redhat.com/articles/904433
Predictable Keys – http://en.wikipedia.org/wiki/OpenSSL#Predictable_keys_.28Debian-specific.29
OpenVPN – Point-to-point secure connections for business, home users, and government private networks.
Importance of OpenVPN – It is the only widely used Virtual Private Network software that is entirely open-source and not encumbered by patents, restrictive licensing, or other issues. It also has substantial flexibility and is a powerful tool for breaking through censorship blocks and surveillance. It is supported by all major operating systems, including all Linux distributions, Windows, Android, iOS, BSD, OpenWRT and OS X, and it allows seamless interoperability between all of these systems (not a small feat).
The reason that OpenVPN needs support – Development is slow, and the features of OpenVPN are falling behind the capabilities of Internet providers and nations to detect and interfere with OpenVPN connections. The cryptography (powered by OpenSSL, another OSTIF-supported project) is believed to be sound, so the data cannot be read by outside parties, but those parties can detect the use of OpenVPN and cut off or slow the connection to the point of uselessness. Supporting the OpenVPN project would allow faster rollout of features to fight these techniques and increase trust in the OpenVPN platform with a professional audit of the code.
VeraCrypt – File, container, and file-system level encryption that also supports hidden volumes and strong cryptography.
Importance of VeraCrypt – File-system level encryption is critical to defend systems against physical compromise. If someone breaks into your home and steals your hard drive, or through some bug is able to pull the contents of your hard drive over the Internet, the data is completely useless without the decryption keys. File encryption is critical for businesses, transactional data, individuals, journalists, political dissidents, and research. VeraCrypt can be used to encrypt entire drives or individual files, or even to embed files inside of other files (such as a hidden zip file inside of a video file). It is a fork of the now-defunct TrueCrypt project, whose developers mysteriously and simultaneously all abandoned the project just after a source code audit showed that the software was cryptographically sound and free of serious bugs.
The reason that VeraCrypt needs support – It is believed that the TrueCrypt engineers were bullied into quitting the project by one or more governments. This explains their mysterious disappearance from the project after a decade of working on it. Because we know that the TrueCrypt software base is sound, the VeraCrypt project will be a worthy successor as it is built on that foundation. VeraCrypt has continued development of the source code, and fixed a number of small issues that were revealed by the security audit of TrueCrypt.
GnuPG (also known as GPG) – GnuPG is the primary software engine used for PGP encryption for email.
Importance of GnuPG – It is one of the few projects that is actually verified to defeat NSA surveillance. There are Snowden leak slides of intercepted emails that the NSA could not decrypt by any method due to the use of GnuPG encryption. Without GPG or PGP encryption, email security is completely broken, and you are beholden to companies with questionable motives to secure your personal information.
The reason that GnuPG needs support – For a long time this project was run by one man. It has recently received an influx of support in the form of donations to hire two full-time programmers to assist with improving the project, but it needs more. The project needs an interface overhaul because, while it does work, the interface is difficult and usability is in a “barely works” state for a layman. Even people with advanced computer knowledge struggle with GnuPG due to its user-unfriendliness. As many in the security community agree, having a tool that works is not very useful if only a handful of people in the world can use it effectively. Steps need to be taken to get GnuPG into a state that is usable by a layman who doesn’t understand cryptography, and to get the GnuPG platform working on all forms of email, including webmail.
Off the Record Messaging (also known as OTR) – OTR is encrypted messaging over public chat networks.
Importance of OTR – There is strong evidence that OTR defeats mass surveillance. The fact that it works over most public chat networks and across platforms makes it a powerful encryption tool for private messaging over untrusted chat networks.
The reason that OTR needs support – The project is run by a small team, and funding is needed to audit the software, implement new features, and get a bug bounty program implemented. The software has great fundamental functions and needs community support to become a worldwide-trusted encrypted chat platform.
Other projects we like, but do not support (yet):
The Tor Project
NoScript (Firefox Plugin)
Tails (operating system)
QubesOS (operating system)
Projects we would like to see:
Open-source keystroke encryption
A project to enable users to check firmware for malware