Skip to main content

Cryptography Professor To Audit Open Source Software Used By Most VPN Services

OpenVPN, an open source VPN client on which a majority of VPN services rely, will be audited by cryptography and network security professor Matthew Green. The audit will be funded by Private Internet Access (PIA), one of the major VPN service providers in the United States.

Rise Of VPN In Surveillance States

Although VPN services saw much of their growth from customers looking to bypass geo-blocking of certain video streaming services, the new growth should be fueled by people’s desire to protect their privacy. With all the recent surveillance laws appearing in democratic countries, VPN services seem to have become more important than ever.

However, before using such a service, one also has to trust that it can guarantee the privacy it offers. Not too long ago we learned, thanks in part to Edward’s Snowden’s revelations but also to Dr. Green and his colleagues’ research, that up to two thirds of VPN service providers were vulnerable to NSA interception. That was because of the weak default Diffie-Hellman (DH) primes used by many internet servers, including VPN services, and the Logjam attack, which could downgrade connections to using the weak DH prime.

This sort of attack was believed to have been used by the NSA, and potentially other nation states, to easily spy on VPN users.

Dr. Matthew Green’s Audit

To ensure that such situations are avoided in the future and that there is no backdoor in the popular OpenVPN client used by most VPN service providers, Dr. Green will audit the open source software.

Dr. Green has also led the TrueCrypt audit project, has participated in the creation of Zerocoin/Z-cash privacy-friendly cryptocurrencies, has done research on Apple’s flawed iMessage encryption, and has commented on many other encryption and security issues more recently, including Android Nougat’s storage encryption weaknesses.

Dr. Green will audit version 2.4 of OpenVPN, which is the latest iteration (and is still in beta at the moment). As soon as it exits beta, the audit will commence.

“The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect,” said Private Internet Access in a recent announcement.“Instead of going for a crowdfunded approach, Private Internet Access has elected to fund the entirety of the OpenVPN 2.4 audit ourselves because of the integral nature of OpenVPN to both the privacy community as a whole and our own company,” PIA added.

After the audit is complete, PIA will share the results with the OpenVPN project and will work with OpenVPN’s team to fix all the issues before making the results available to the public as well.

  • amk-aka-Phantom
    PIA just keeps getting better and better. Not only do they offer awesome service and clients for pretty much any relevant OS out there, update their software regularly and offer best pricing out of all commercial VPN solutions I've considered, but now they also show that they actually care about the cryptography behind their software. PIA, its users and the OpenVPN project will all benefit from this initiative.
    Reply
  • jdwii
    VPN of my choice
    Reply
  • sergey85
    PIA is one of the best paid vpns available today. They have stable connection, fair speed and wide range of servers. Most of all its price is affordable. They also have good reviews on other websites like https://vpntrends.com
    Reply
  • Seankay
    I would have to give it to PIA on this. It is a pretty service, but not the best in my opinion (since I have also used and found PureVPN, ExpressVPN, IP Vanish to be as good, if not better!) But the commitment and expertise PIA has shown in this case is commendable!
    Reply