ORC 15 and Radically Open Security

Em, published in Dead Canaries, Jul 17, 2019

Here is the report if you just want to skip straight to the good stuff…

We are very excited to announce the release of ORC 15 in tandem with the results of our recent security audit, which the release addresses. The audit was conducted by the non-profit security firm Radically Open Security and funded by the Open Technology Fund’s Red Team Lab. We’ll briefly go over what was found and what we did about it in this release, but be sure to check out the complete report linked above.

Overall, we are very pleased with the results of the audit. While the previous audit, conducted by Least Authority, set out to identify structural issues with the protocol and use of Tor, the goal for this audit was to conduct more traditional penetration testing and identify implementation flaws.

To that end, the team identified critical CSRF (cross-site request forgery) vulnerabilities that could allow attackers to insert arbitrary references to files on the network into a user’s local list. That’s bad because it could be used to trick users into running malicious code! To combat this, we implemented a CSRF token requirement for all requests.
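As an added illustration (not ORC's code), here is what a token requirement on every request looks like for a local control API that maintains a list of file references. The header name `x-csrf-token`, the function names and the request shapes are assumptions made for this sketch.

```javascript
// Added example; names and request shapes are hypothetical, not ORC's API.
const crypto = require('crypto');

// Secret generated when the daemon starts and handed only to the legitimate UI.
const CSRF_TOKEN = crypto.randomBytes(32).toString('hex');
const localList = []; // stands in for the user's local list of file references

function tokenMatches(supplied) {
  if (typeof supplied !== 'string') return false;
  const a = Buffer.from(supplied);
  const b = Buffer.from(CSRF_TOKEN);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// req is shaped like an already-parsed HTTP request: { method, headers, body }.
function handleRequest(req) {
  // The token is checked before any routing, so reads and writes are both covered.
  if (!tokenMatches(req.headers['x-csrf-token'])) {
    return { status: 403, body: 'missing or invalid CSRF token' };
  }
  if (req.method === 'POST') {
    localList.push(req.body.href);
    return { status: 201, body: 'added' };
  }
  return { status: 200, body: localList.slice() };
}

// Constructed requests. A form submitted from another site cannot set a
// custom header and does not know the token, so it is rejected.
const forged = {
  method: 'POST',
  headers: { origin: 'https://other-site.example' },
  body: { href: 'constructed-file-reference-1' },
};
const legit = {
  method: 'POST',
  headers: { 'x-csrf-token': CSRF_TOKEN },
  body: { href: 'constructed-file-reference-2' },
};

console.log('forged:', handleRequest(forged).status);
console.log('legit: ', handleRequest(legit).status);
console.log('list:  ', localList);
```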

Most of the other issues that were identified were resolved by upgrading some of our third-party dependencies and ensuring certain types of configuration are not allowed. The only issue that remains is that ORC’s resilience against Eclipse attacks is unknown. However, given that these types of identity attacks remain an area of active research and our existing mitigation strategy is still technically experimental, for now we are comfortable with continuing to iterate on this area of the network as real-world scenarios can be observed and research into this area continues.

So go ahead and upgrade your ORC installations!
