OpenVPN to Undergo Security Audit By Cryptography Expert

The next version of the open-source OpenVPN software will be audited by a well-known cryptographer. It was announced Wednesday that Matthew D. Green, PhD, a cryptographer, computer science professor, and researcher at Johns Hopkins University, will carry out an audit of the code currently available on GitHub.

Private Internet Access, one of the more popular mainstream VPN services, announced the news, confirming that it had contracted Green’s services to complete the audit as soon as OpenVPN 2.4 exits beta mode.

OpenVPN 2.4_rc1, released last Friday, is a candidate for the next stable version of the software.

“The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect,” Caleb Chen, a Private Internet Access spokesperson, said.

As part of the audit, the company claims it will work with OpenVPN to address any vulnerabilities found in the software and share the report with the project’s community before making the results public.

Green, who sits on the Open Crypto Audit Project’s Board of Directors, has experience carrying out intensive cryptographic audits. The OCAP helped organise an audit three years ago of the now-defunct TrueCrypt. The second phase of that audit, completed last year, revealed no backdoors and found that TrueCrypt was a “well-designed piece of crypto software,” said Green. Auditors from NCC Group’s Cryptography Services arm found four vulnerabilities during the first phase of the audit in 2015, but none of them led to a bypass of confidentiality.

Private Internet Access, which is owned by Los Angeles-based London Trust Media, said Wednesday that it would fund the effort entirely. The move somewhat steals the thunder from smaller VPN services that had been working to fund an independent audit.
