[anti-censorship-team] Results of Turbo Tunnel security audit that affect Snowflake
david at bamsoftware.com
Sat Apr 24 17:36:03 UTC 2021
There was recently a security audit of Turbo Tunnel software artifacts,
including dnstt and Snowflake. I posted the report on the dnstt page:
The report finds three issues that have to do with Snowflake, rated from
Informational to Low.
UCB-02-001: Memory leak in Handler() routine of Snowflake client library (Low)
UCB-02-008: Lack of rate limiting in Snowflake and dnstt (Info)
UCB-02-009: Brokers and proxies are not authenticated (Low)
For UCB-02-001, I have already opened
UCB-02-008 is not a vulnerability, but only a suggestion that
rate-limiting interactions may help mitigate certain kinds of
resource-exhaustion attacks. Some related tickets are:
"Broker needs better resilience against DoS"
"Make it more expensive (CPU wise, or other thing) to make the initial
connection to a snowflake"
UCB-02-009 is something we have already discussed in the team across
various issues. I don't know if we can meaningfully authenticate
proxies, but the broker's messages ought to be signed and encrypted.
"End-to-end confidentiality for Snowflake client registrations"
"Authentication for proxy--bridge connections"
More information about the anti-censorship-team