Code audit for the Tor Project completed by Radically Open Security

by pavel | January 29, 2024

Between April 17, 2023, and August 13, 2023, Radically Open Security conducted a comprehensive code audit for the Tor Project, including reporting and optional retesting.

The code audit focused on several components of the Tor ecosystem:

  • Tor Browser and Tor Browser for Android,
  • Exit relays (Tor core),
  • Exposed services (metrics server, SWBS, Onionoo API),
  • Infrastructure components (monitoring & alert), and testing/profiling tools.

The primary objective was to assess software changes made to improve the Tor network's speed and reliability and a number of recommendations were made such as:

  • Reducing the potential attack surface of the public-facing infrastructure,
  • Addressing outdated libraries and software,
  • Implementing modern web security standards,
  • And following redirects in all HTTP clients by default.

Additionally, fixing issues related to denial-of-service vulnerabilities, local attacks, insecure permissions, and insufficient input validation was deemed imperative.

We would like to thank Radically Open Security for performing the audit and the U.S. State Department Bureau of Democracy, Human Rights, and Labor (DRL) for sponsoring this project and 'Making the Tor network faster & more reliable for users in Internet-repressive places’.


This is a companion discussion topic for the original entry at https://blog.torproject.org/code-audit-tor-ecosystem-components