Code audit for the Tor Project completed by Radically Open Security

News
1

by pavel | January 29, 2024

lead.png1200Ă—675 129 KB

Between April 17, 2023, and August 13, 2023, Radically Open Security conducted a comprehensive code audit for the Tor Project, including reporting and optional retesting.

The code audit focused on several components of the Tor ecosystem:

  • Tor Browser and Tor Browser for Android,
  • Exit relays (Tor core),
  • Exposed services (metrics server, SWBS, Onionoo API),
  • Infrastructure components (monitoring & alert), and testing/profiling tools.

The primary objective was to assess software changes made to improve the Tor network's speed and reliability and a number of recommendations were made such as:

  • Reducing the potential attack surface of the public-facing infrastructure,
  • Addressing outdated libraries and software,
  • Implementing modern web security standards,
  • And following redirects in all HTTP clients by default.

Additionally, fixing issues related to denial-of-service vulnerabilities, local attacks, insecure permissions, and insufficient input validation was deemed imperative.

We would like to thank Radically Open Security for performing the audit and the U.S. State Department Bureau of Democracy, Human Rights, and Labor (DRL) for sponsoring this project and 'Making the Tor network faster & more reliable for users in Internet-repressive places’.

This is a companion discussion topic for the original entry at https://blog.torproject.org/code-audit-tor-ecosystem-components
2 Likes
2

Did they find tor to be secure or insecure? How does this compare to the Cure53 audit?

2 Likes
3

@Zhk2stsf It is difficult to categorically state “Tor is secure” or “Tor is insecure” as Tor is many different components and the the auditors only focused on specific areas of Tor, not everything. In particular for this audit you asked about, they looked at Tor Browser and Tor Browser for Android, exposed metrics services, monitoring and alerting infrastructure, bandwidth authority scanning, and exit relays.

You can read the complete audit report for more details but the audit uncovered a few security issues that have since been mitigated.

There have actually been two Cure53 audits, both of which addressed different components entirely. The first one addressed methods that users use to connect to bridges in Tor Browser, as well as OONI Probe, rdsys, BridgeDB and Conjure. The second audit by Cure53 looked at Webtunnel, Lox, RdSys, ConnectionAssist, and OnionShare.

In general, the auditors have remarked that Tor, in general, adopts an “admirably robust and hardened security posture and sound design decisions”, and that we work “towards a considerable defense-in-depth security posture”.

I’ve linked to all the full reports above, if you would like to look at them for more information.

4 Likes