Code audit for the Tor Project completed by Radically Open Security
Between April 17, 2023, and August 13, 2023, Radically Open Security conducted a comprehensive code audit for the Tor Project, including reporting and optional retesting.
The code audit focused on several components of the Tor ecosystem:
- Tor Browser and Tor Browser for Android,
- Exit relays (Tor core),
- Exposed services (metrics server, SWBS, Onionoo API),
- Infrastructure components (monitoring & alerting), and testing/profiling tools.
The primary objective was to assess software changes made to improve the Tor network's speed and reliability. A number of recommendations were made, such as:
- Reducing the potential attack surface of the public-facing infrastructure,
- Addressing outdated libraries and software,
- Implementing modern web security standards,
- Following redirects in all HTTP clients by default.
Additionally, fixing issues related to denial-of-service vulnerabilities, local attacks, insecure permissions, and insufficient input validation was deemed imperative.
We would like to thank Radically Open Security for performing the audit, and the U.S. State Department Bureau of Democracy, Human Rights, and Labor (DRL) for sponsoring this project, "Making the Tor network faster & more reliable for users in Internet-repressive places".