[ooni-dev] Least Authority Audit of Ooni: status and plan

Nathan Wilcox nathan at leastauthority.com
Fri Aug 2 23:35:07 UTC 2013

Hash: SHA1

Least Authority audit of Ooni

Least Authority has concluded the first of two phases of an audit of Ooni,
at the behest of Radio Free Asia. In this first phase we've helped to
develop and integrate a Threat Model into the specification of Ooni.

The fruit of our labor is primarily in the Threat Model-related wiki
pages which are all linked from this page:


There are two linked pages which are of value to both the general
specification of Ooni as well as security analyses: the definition of
Roles, and the specification of Use Cases.

There are three additional pages which are primarily of value for security
analyses: Threats, Impacts, and Disclosure.

The current Threat Model would be complemented by incorporating the
architectural specifications, and by incorporating the Threat Model into
those specifications.  This is part of the goal for the next phase.

Phase Two Plan

The second phase of this audit will focus on analyzing the implementation
and smaller scale design choices.  During this phase, Least Authority
intends to review the code in tandem with the architectural specification
documents, and while doing so, crosslinking Threat Model documentation
to the architectural documentation.

There will be four tangible results from this second phase, produced
by Least Authority:

* Improved integration between the architectural specification and the
  Threat Model.
* Outstanding unresolved issues from the above integration, embodied as
  Github issues.
* Bug and vulnerability findings, embodied as either Github issues or
  encrypted email, depending on their severity and evaluated risk to
  real or potential users.
* A coverage log, where Least Authority documents each code component
  which was reviewed, along with any notes, whether or not those notes
  developed into bug or vulnerability findings.


The tentative schedule for the next phase will be September 9th through
the 20th, a two week period.


This report represents the first deliverable for the first of two tasks
in the contract between Least Authority and RFA, which includes interviews
and documentation.  Additionally a fair amount of our effort has involved
design review and specification, which applies to the second task focused
on design review, code audit, and testing.

Least Authority has invoiced RFA for a total of 118 hours out of 160
specified on the contract.  This leaves 42 hours for the next phase,
of which we anticipate 2-6 will be used to write the final deliverable
and the remaining hours will be devoted to code review, architecture
analysis, updating documents, and filing tickets.

Conclusion Process

After the contractual agreement is complete for this audit of Ooni,
Least Authority intends to follow up with short informal interviews from
both RFA, Ooni, and M-Lab team members to solicit feedback on our work.

If anyone has specific feedback at any time, feel free to contact any
of us.

We will also be available to answer any questions, and will continue
to participate to some degree in the IRC channel, mailing list, and
issue tickets.

Future Work

As technology evolves, so does the need for security analyses.  Our goal
is to produce useful results for Ooni, which includes making those
results easily accessible for future security auditors.

We recommend that the Ooni project solicit other security reviews (from
a variety of analysts) at each major release, or at some regular schedule
which integrates into their development schedule.


These are the contacts for project coordination issues between the

Nathan Wilcox - Least Authority
nathan at leastauthority.com

Liz Pruszko Steininger - RFA
steiningerl at rfa.org

Tom Lowenthal - Ooni / Tor
me at tomlowenthal.com

Meredith Whittaker - M-Lab
meredithrachel at google.com

Version: OpenPGP.js v.1.20130420
Comment: http://openpgpjs.org


More information about the ooni-dev mailing list