Code audit for the Tor Project completed by 7aSecurity

The audit found six vulnerabilities and highlighted eleven hardening recommendations. All findings have been reviewed by the Tor Project, and remediation work is being tracked as part of our ongoing security and maintenance processes.

For detailed findings and recommendations, please see the complete audit report here.


41 pages! At first glance, the audit report shows impressive range by scientists at 7a.[1]

A curious highlight for me was the recommendation that the Tor project not store secrets in code! I’m sure it was nothing serious (:


  1. I happened upon a couple of Cure53 audit reports in as many days, and those read like marketing material in comparison. That isn’t to say researchers at Cure53 are pushovers, just that the style of the report is super different. I looked for and found that a few in the security field feel this, too. Ex: “Notice also that the end of the Cure53 report complains about the project scope and the amount of time given. This is pretty unusual for Cure53, who have a reputation for being a bit effusive about the products they’re paid to review. I’m not sure I’ve ever seen them throw shade before.” From the Cure53 report: the version tested had a terrible vulnerability (unfortu... | Hacker News


TOR-02-010 WP2: Multiple Vulnerable Dependencies

I didn’t know about Margot, but this is a little surprising to me. I know in the Arti repo cargo-audit is already in use in CI, and I’ve been trying to help push forward adopting cargo-vet (though there’s only so much I can do as an external contributor, obviously).

Maybe when I get home I can bother the Margot repo with a MR. Though it will probably have been handled by then.