OpenVPN 2.4 Audit Moving Forward

Private Internet Access, which is a VPN provider, announced this week that it is going to fund an audit of OpenVPN 2.4. The audit will be led by Dr. Matthew Green, assistant professor at the John Hopkins Information Security institute. According to PIA’s announcement,

Private Internet Access has contracted Dr. Green as an independent consultant to do a comprehensive evaluation of the version of OpenVPN that is currently available on GitHub and search for security vulnerabilities. Once OpenVPN 2.4 is out of beta and released, the final version will be compared and evaluated to complete the security audit.

The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect. Instead of going for a crowdfunded approach, Private Internet Access has elected to fund the entirety of the OpenVPN 2.4 audit ourselves because of the integral nature of OpenVPN to both the privacy community as a whole and our own company.

Once the independent audit is completed, Private Internet Access will share the final report with OpenVPN prior to releasing the results to the public. Furthermore, we will work with OpenVPN to ensure that any discovered vulnerabilities are fixed before publishing.

This is excellent news. Nice to see a company that relies on these open Internet systems to put some money up to ensure their users are secure.


A lot of the coverage of Bitcoin makes absurd claim that Bitcoin transactions are anonymous, even though the Bitcoin Foundation itself makes clear that there is little privacy in Bitcoin,

Some effort is required to protect your privacy with Bitcoin. All Bitcoin transactions are stored publicly and permanently on the network, which means anyone can see the balance and transactions of any Bitcoin address. However, the identity of the user behind an address remains unknown until information is revealed during a purchase or in other circumstances.

Zerocoin is an effort to add anonymity to Bitcoin at the protocol level in order to create a truly anonymous ecash solution,

  • Zerocoin operates in the Bitcoin network and is implemented as a series of extensions to the existing Bitcoin protocol. This approach means that Zerocoin can be deployed without relying on a central coin issuer or bank (as used in previous e-cash schemes). Moreover, since no single trusted party operates the Zerocoin system, attacks on Zerocoin must take on a substantial fraction of the Bitcoin network.
  • Zerocoin uses provably secure cryptographic techniques to ensure that Bitcoins cannot be traced. These techniques allow users to conduct transactions on the Bitcoin network while receiving strong mathematical guarantees that the transactions cannot be traced. These guarantees remain in place even if a portion of the Bitcoin network is compromised by an attacker.
  • Other anonymous cash systems rely on distributing the work of anonymizing users amongst a set of parties. This approach works well if all parties are fully available but can be subject to “denial of service” attacks where a small number of nodes are taken offline. Because Zerocoin is built on top of Bitcoin, it is widely distributed among all the Bitcoin peers, ensuring that the system can remain available even when many nodes are compromised.

Matthew Green of John Hopkins University and one of the creators of Zerocoin gave a presentation at Microsoft in 2013 outlining how Bitcoin users can be easily be de-anonymized and how Zerocoin would provide anonymity for crypto-currency users.