OpenVPN to Undergo Cryptographic Audit

Matthew D. Green, PhD, a well-known cryptographer and researcher at Johns Hopkins University, will carry out an audit of OpenVPN.

The next version of the open-source OpenVPN software will be audited by a well-known cryptographer.

It was announced Wednesday that Matthew D. Green, PhD, a cryptographer, computer science professor, and researcher at Johns Hopkins University, will carry out an audit of the code currently available on GitHub.

Private Internet Access, one of the more popular mainstream VPN services, announced the news, confirming that it had contracted Green’s services to complete the audit as soon as OpenVPN 2.4 exits beta mode.

OpenVPN 2.4_rc1, released last Friday, is a candidate for the next stable version of the software.

“The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect,” Caleb Chen, a Private Internet Access spokesperson, said.

When reached Thursday, Chen told Threatpost that the OpenVPN 2.4 audit actually started weeks ago but that it’s difficult to pinpoint how long it will take.

“We’re unable to say exactly when it will come out or how long it will take since we don’t know when OpenVPN 2.4 will be fully released – or what vulnerabilities might need to be fixed before we release the final report. The current best estimates on when the final version of OpenVPN 2.4 will be out is mid January,” Chen said. “We can tentatively say that the OpenVPN 2.4 audit will be completed by early 2017.”

As part of the audit, the company claims it will work with OpenVPN to address any vulnerabilities found in the software and share the report with the project’s community before making the results public.

Green, who sits on the Open Crypto Audit Project’s Board of Directors, has experience carrying out intensive cryptographic audits. The OCAP helped organize an audit three years ago of the now-defunct TrueCrypt. The second phase of that audit, completed last year, revealed no backdoors and that TrueCrypt was a “well-designed piece of crypto software,” said Green. Auditors from NCC Group’s Cryptography Services arm found four vulnerabilities during the first phase of the audit in 2015 but none of them led to a bypass of confidentiality.

Private Internet Access, which is owned by Los Angeles-based London Trust Media, said Wednesday that it would fund the effort entirely. The move somewhat steals the thunder from smaller VPN services that had been working to fund an independent audit.

The Open Source Technology Improvement Fund, a non-profit that raises money for open source security projects, announced its plans to crowdfund an OpenVPN audit just over two weeks ago. Smaller personal VPN services like VikingVPN, NordVPN, SecureVPN.to, and ExpressVPN had already donated in excess of $5,000.

An OSTIF official said prior to this week’s news that while the organization hadn’t decided on an auditor, it was happy with how QuarksLab handled the VeraCrypt audit and that it had already ruled out NCC Group as several of OpenVPN’s developers are from FoxIT, a subsidiary of NCC Group.

VeraCrypt, a fork of TrueCrypt, patched in October the vulnerabilities uncovered in this summer’s audit, which was funded by the OSTIF.

This story was updated at 5:30 p.m. EST with comments from Private Internet Access regarding a timeline for the OpenVPN audit.