NEWS: OpenVPN will be audited for security flaws by Matthew Green, funded by Private Internet Access

Summation of the articles:

Private Internet Access (PIA), a popular VPN provider, has decided to entirely fund a security audit of OpenVPN 2.4, the current release candidate for the next major stable version (OpenVPN 2.4_rc1 was just released last Friday). The cryptography engineering expert doing the analysis will be Matthew Green, PhD, a cryptographer, computer science professor, and researcher at Johns Hopkins University and also one of the founders of the Open Crypto Audit Project, which organized the analysis of TrueCrypt. The findings will be compared with the final release and reported to the developers of OpenVPN prior to releasing the results to the public.

Announcement by PIA, 7 December 2016: Private Internet Access funds OpenVPN 2.4 audit by noted cryptographer Dr. Matthew Green

Other articles reporting on it, 8 December 2016: http://www.networkworld.com/article/3148314/security/openvpn-will-be-audited-for-security-flaws.html
OpenVPN to Undergo Cryptographic Audit | Threatpost
Cryptography Expert Matthew Green to Audit OpenVPN Security

None of the articles mentions anything about dates or deadlines; however, since they mention the upcoming stable release, it is reasonable to think it will be done around that time. Earlier stable releases have come out in 2006, 2010, 2011 and 2013.
https://openvpn.net/index.php/open-source/downloads/471-old-releases.html


I'd rather they take their time on an Audit.

That is an interesting question, how many man-hours (assuming the auditor(s) is competent) is actually needed to properly audit a piece of software like OpenVPN!? I'd assume it's much the same as Truecrypt, but with the added complexity of being a piece of online communication software, however I do not have sufficient knowledge to grasp the level of complexity at hand here, or the differences between kinds of software.

Telegram was recently audited and it took about a month I believe... Although they only audited sections of the software on the recommendation of the team there. So it should take a couple months for this audit in my opinion

It's hard to know when they plan on releasing 2.4, I guess it could be they would actually wait for the audit. Seeing as version 2.3 got two revisions (rc1 & rc2) after coming out of beta, you could be right that 2.4 stable is right around the corner.
