Fundraising for crucial new OpenSSL security audit underway

OpenVPN, the encryption protocol favoured by most VPN providers these days, looks set to become even more secure thanks to a fresh audit planned by the Open Source Technology Improvement Fund (OSTIF).

The 2017 OpenVPN security audit

Last year, we reported on an audit carried out by OSTIF and Quarkslab of the OpenVPN 2.4.0 protocol itself. This audit looked for previously unidentified security vulnerabilities and other issues with the protocol which could make it vulnerable to hackers.

It proved to be a very worthwhile exercise with one critical vulnerability being spotted as well as a number of smaller issues. All software has such vulnerabilities, but it is vital that they are found by those who want to patch them rather than those who want to exploit them.

Regular security audits of this kind are therefore an essential part of keeping OpenVPN safe. This is why we at contributed to this important work, which helps to make all VPNs as safe as they can be.

OSTIF fundraising to help keep VPNs secure

We are therefore delighted that OSTIF is now raising funds to repeat the exercise this year. Earlier this month, they announced on their website a second round of fundraising towards a new security audit which is just as important for VPN security.

This time, instead of looking at the OpenVPN protocol itself, they intend to audit OpenSSL. For those not already familiar with the term, OpenSSL is a software security library for applications that helps to secure network communication.

While it may not be commonly known about, it is vitally important to many of the websites and online services that we use every day. According to OSTIF, more than 70% of the top 1 million websites rely on OpenSSL. It is also essential for the OpenVPN protocol.

Why this new audit matters to all VPN users

The reason that it is so important to hold this audit now is that OpenSSL has recently upgraded to TLS version 1.3. This is the first major change to its security standards in more than a decade and, as you would expect, has resulted in a lot of new code being added.

Where there is new code, there are new possibilities for security vulnerabilities, and it is the purpose of this audit to try to identify such vulnerabilities and ensure that they are patched at the earliest opportunity.

The planned audit has garnered widespread support. The OpenVPN protocol developers themselves have described it as crucial and urged all users to back it. They have already donated US$5,000 themselves during the first round of funding. Many other experts have shared similar sentiments.

But perhaps the most impressive support to date has come from the privacy-focused search engine DuckDuckGo. They have pledged to match all donations made for the first four weeks of this second round of funding.

With a total of US$150,000 now needed to fund the audit in full, they are therefore potentially committing US$75,000 towards the audit.

How you can donate today

Unfortunately, funds raised so far have been low and it seems unlikely that DuckDuckGo will have to find anything like that amount.

The first round of funding only managed to reach 40% of its target amount and, despite having been online for nearly a month already, the second round isn’t faring any better. This is despite OSTIF revising the project to cut the total funds needed by more than half, from the original figure of more than US$300,000.

But there is still time to donate and we would urge all readers who care about the security of their VPNs and themselves to contribute what they can. This link will take you to OSTIF’s Crowdrise page where you can donate today.

And if you head over there soon, you will still be able to double your donation thanks to the generosity of the good people at DuckDuckGo.

OpenVPN is the basis on which almost every major VPN provider bases its service by default. Other protocols are available, but OpenVPN is widely regarded as the best and the most secure. And it is one of the many online entities which are dependent on OpenSSL.

That means that the proposed audit of OpenSSL is essential to the long-term security and viability of OpenVPN. And while those companies operating in online privacy are doing their bit, it is also down to those of us who benefit from their security products to do our bit too. This is our opportunity and I, for one, am heading over to make my donation right now.
