Least Authority’s Security Audit of ORC
If you want to skip my overview and get straight to the report, it’s available here.
At long last, we have completed our first security audit. The audit was conducted by Least Authority and we are very pleased with the results!
This is a particularly exciting milestone for the ORC project because we have been holding off on dubbing ORC “production ready” until we could fund such an audit. We chose Least Authority to conduct the audit, primarily because of the relevant experience of the team. The audit was conducted by Meejah (author of txtorcon) and Dominic Tarr (author of Secure Scuttlebutt).
Having the combined experience of working on Tor and building distributed systems in Node instilled great confidence in the audit team. The primary goals for this audit were: a.) to identity anything in ORC’s use of Tor that could be exploited to de-anonymize users, b.) ensure the proper handling of secrets, and c.) determine if there were issues in the peer-to-peer architecture that could be exploited to disrupt or subvert operations.
And as it turned out, there were some pretty critical issues that we are glad were identified, because now ORC is more resilient and stronger than ever before. Feedback and discussions with the team during the audit also led to a pretty radical re-architecture of the components affecting trust and content distribution (and as a result invalidated Issue B).
The only issue left open and unresolved (Issue D), remains such because the way ORC nodes generate identities is part of an entire class of wider research in distributed systems. We feel comfortable with this simple fact of life that there will always be some uncertainty when inventing new solutions to hard problems. Our next security milestone will be conducting another security audit through Radically Open Security focused on penetration testing the peer-to-peer RPCs and controller APIs.
We’d like to thank John McAleer, founder of the privacy-oriented social app ANTI, for generously funding this audit so that we can start to bring ORC to journalists and activists around the world. Check out the full report to get the full details on what was identified and what was done to address it. ORC 14 is now released. Check out the project’s website to learn how to volunteer to run a node and help protect journalists or install our desktop application to use the ORC network!
