OpenVPN, an open source VPN client on which a majority of VPN services rely, will be audited by cryptography and network security professor Matthew Green. The audit will be funded by Private Internet Access (PIA), one of the major VPN service providers in the United States.
Rise Of VPN In Surveillance States
Although VPN services saw much of their growth from customers looking to bypass geo-blocking of certain video streaming services, the new growth should be fueled by people’s desire to protect their privacy. With all the recent surveillance laws appearing in democratic countries, VPN services seem to have become more important than ever.
However, before using such a service, one also has to trust that it can guarantee the privacy it offers. Not too long ago we learned, thanks in part to Edward Snowden’s revelations but also to Dr. Green and his colleagues’ research, that up to two thirds of VPN service providers were vulnerable to NSA interception. The cause was twofold: the weak default Diffie-Hellman (DH) primes used by many internet servers, including VPN services, and the Logjam attack, which could downgrade a connection so that it used the weak DH prime.
This sort of attack was believed to have been used by the NSA, and potentially other nation states, to easily spy on VPN users.
Dr. Matthew Green’s Audit
To ensure that such situations are avoided in the future and that there is no backdoor in the popular OpenVPN client used by most VPN service providers, Dr. Green will audit the open source software.
Dr. Green has also led the TrueCrypt audit project, has participated in the creation of Zerocoin/Z-cash privacy-friendly cryptocurrencies, has done research on Apple’s flawed iMessage encryption, and has commented on many other encryption and security issues more recently, including Android Nougat’s storage encryption weaknesses.
Dr. Green will audit version 2.4 of OpenVPN, which is the latest iteration (and is still in beta at the moment). As soon as it exits beta, the audit will commence.
“The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect,” said Private Internet Access in a recent announcement. “Instead of going for a crowdfunded approach, Private Internet Access has elected to fund the entirety of the OpenVPN 2.4 audit ourselves because of the integral nature of OpenVPN to both the privacy community as a whole and our own company,” PIA added.
After the audit is complete, PIA will share the results with the OpenVPN project and will work with OpenVPN’s team to fix all the issues before making the results available to the public as well.