Skip to content

Code audit for Sponsor 96

Cure53 is auditing code changed in the project "Sponsor 96". This ticket will help me track their work and questions. Communication with them is happening via Signal.

  • Cure53 audit the code changed on sponsor 96's project.
  • We make a mitigation plan for all vulnerabilities in the report.
  • Mitigation plan is sent to DRL.
  • Once all issues are fixed we will publish the report in a blogpost.

Code being audited

WP1: Crystal-box pen.-tests & code audits against Censorship Circumvention tools & libs <-- Starts Jan 22nd
WP2: Crystal-box pen.-tests & code audits against changes in Tor browser for desktop <-- Starts Jan 29th
WP3: Crystal-box pen.-tests & code audits against changes in Tor browser for Android <-- Starts Jan 29th
WP4: Crystal-box pen.-tests & code audits against changes in OnionShare for desktop <-- Starts Jan 22nd

Source they have for working on it:

○ Snowflake: pluggable transports that uses webrtc and it is integrated into Tor Browser to circumvent censorship■ Sources: ● https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflakehttps://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext

○ Webtunnel: pluggable transport based on HTTPT ■ Sources:https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel ○ RDSys ■ Sources: https://gitlab.torproject.org/tpo/anti-censorship/rdsys

○ Lox: new bridges distribution system. The final code to audit will be ready in January. ■ Sources: https://gitlab.torproject.org/tpo/anti-censorship/lox-rs

○ Bridgstrap ■ Sources: https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap

○ OnionSprout ■ Sources: https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot

● Tor Browser for Desktop. The development will be finished in January 2024. We only need to audit the changes that happened in this project that are the following: ○ Changes to integrate Lox ○ Changes to integrate Webtunnel ○ Changes to integrate Snowflake ○ Sources: https://gitlab.torproject.org/tpo/applications/tor-browser <--- WE WILL GIVE THEM THE SOURCE FOR INTEGRATIONS NEXT WEEK BEFORE WP2 AND WP3 STARTS.

● Tor Browser for Android. We only need to audit the changes that happened in this project. The development will be finished in January 2024. ○ The main change is the inclusion of the feature “Connect Assist” ○ Sources: https://gitlab.torproject.org/tpo/applications/firefox-android

● OnionShare for Desktop ○ Sources: https://github.com/onionshare/onionshare○ All the issues that were resolved in this project are in https://github.com/onionshare/onionshare/issues?q=is%3Aissue+label%3Acensorship+is%3Aclosed

cc @micah @bella

Edited by pavel
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information