The next version of the open-source OpenVPN software will be audited by a well-known cryptographer.
It was announced Wednesday that Matthew D. Green, PhD, a cryptographer, computer science professor, and researcher at Johns Hopkins University, will carry out an audit of the code currently available on GitHub.
Private Internet Access, one of the more popular mainstream VPN services, announced the news, confirming that it had contracted Green’s services to complete the audit as soon as OpenVPN 2.4 exits beta mode.
OpenVPN 2.4_rc1, released last Friday, is a candidate for the next stable version of the software.
“The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect,” said Caleb Chen, a Private Internet Access spokesperson.
When reached Thursday, Chen told Threatpost that the OpenVPN 2.4 audit actually started weeks ago but that it’s difficult to pinpoint how long it will take.
As part of the audit, the company claims it will work with OpenVPN to address any vulnerabilities found in the software and share the report with the project’s community before making the results public.
Private Internet Access funds OpenVPN 2.4 audit by noted cryptographer Dr. Matthew Green https://t.co/0ybNJNlJaT
— Private Internet Access VPN (PIA) (@buyvpnservice) December 7, 2016
Green, who sits on the Open Crypto Audit Project’s Board of Directors, has experience carrying out intensive cryptographic audits. The OCAP helped organize an audit three years ago of the now-defunct TrueCrypt. The second phase of that audit, completed last year, revealed no backdoors and that TrueCrypt was a “well-designed piece of crypto software,” said Green. Auditors from NCC Group’s Cryptography Services arm found four vulnerabilities during the first phase of the audit in 2015 but none of them led to a bypass of confidentiality.
Private Internet Access, which is owned by Los Angeles-based London Trust Media, said Wednesday that it would fund the effort entirely. The move somewhat steals the thunder from smaller VPN services that had been working to fund an independent audit.
The Open Source Technology Improvement Fund, a non-profit that raises money for open source security projects, announced its plans to crowdfund an OpenVPN audit just over two weeks ago. Smaller personal VPN services like VikingVPN, NordVPN, SecureVPN.to, and ExpressVPN had already donated in excess of $5,000.
OSTIF is beginning its fundraiser to audit @OpenVPN !
Support free software and strong encryption! Donate today! https://t.co/2xo3LH0D07
— OSTIF Official (@OSTIFofficial) November 22, 2016
An OSTIF official said prior to this week’s news that while the organization hadn’t decided on an auditor, it was happy with how QuarksLab handled the VeraCrypt audit and that it had already ruled out NCC Group, as several of OpenVPN’s developers are from Fox-IT, a subsidiary of NCC Group.
In October, VeraCrypt, a fork of TrueCrypt, patched the vulnerabilities uncovered in this summer’s OSTIF-funded audit.
This story was updated at 5:30 p.m. EST with comments from Private Internet Access regarding a timeline for the OpenVPN audit.