[anti-censorship-team] Results of Turbo Tunnel security audit that affect Snowflake

David Fifield david at bamsoftware.com
Sat Apr 24 17:36:03 UTC 2021

There was recently a security audit of Turbo Tunnel software artifacts,
including dnstt and Snowflake. I posted the report on the dnstt page:

The report finds three issues that have to do with Snowflake, rated from
Informational to Low.

UCB-02-001: Memory leak in Handler() routine of Snowflake client library (Low)
UCB-02-008: Lack of rate limiting in Snowflake and dnstt (Info)
UCB-02-009: Brokers and proxies are not authenticated (Low)

For UCB-02-001, I have already opened

UCB-02-008 is not a vulnerability, but only a suggestion that
rate-limiting interactions may help mitigate certain kinds of
resource-exhaustion attacks. Some related tickets are:
  "Broker needs better resilience against DoS"
  "Make it more expensive (CPU wise, or other thing) to make the initial
    connection to a snowflake"

UCB-02-009 is something we have already discussed in the team across
various issues. I don't know if we can meaningfully authenticate
proxies, but the broker's messages ought to be signed and encrypted.
  "End-to-end confidentiality for Snowflake client registrations"
  "Authentication for proxy--bridge connections"

More information about the anti-censorship-team mailing list