-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Least Authority audit of Ooni
=============================
Least Authority has concluded the first of two phases of an audit of Ooni, at the behest of Radio Free Asia. In this first phase we've helped to develop and integrate a Threat Model into the specification of Ooni.
The fruit of our labor is primarily in the Threat Model-related wiki pages which are all linked from this page:
https://github.com/TheTorProject/ooni-probe/wiki/Threat-Model
There are two linked pages which are of value to both the general specification of Ooni as well as security analyses: the definition of Roles, and the specification of Use Cases.
There are three additional pages which are primarily of value for security analyses: Threats, Impacts, and Disclosure.
The current Threat Model would be complemented by incorporating the architectural specifications, and by incorporating the Threat Model into those specifications. This is part of the goal for the next phase.
Phase Two Plan
--------------
The second phase of this audit will focus on analyzing the implementation and smaller-scale design choices. During this phase, Least Authority intends to review the code in tandem with the architectural specification documents and, while doing so, to crosslink the Threat Model documentation with the architectural documentation.
There will be four tangible results from this second phase, produced by Least Authority:
* Improved integration between the architectural specification and the Threat Model.
* Outstanding unresolved issues from the above integration, embodied as Github issues.
* Bug and vulnerability findings, embodied as either Github issues or encrypted email, depending on their severity and evaluated risk to real or potential users.
* A coverage log, where Least Authority documents each code component which was reviewed, along with any notes, whether or not those notes developed into bug or vulnerability findings.
Schedule
~~~~~~~~
The tentative schedule for the next phase is September 9th through the 20th, a two-week period.
Contract
~~~~~~~~
This report represents the first deliverable for the first of two tasks in the contract between Least Authority and RFA, which includes interviews and documentation. Additionally, a fair amount of our effort has involved design review and specification, which applies to the second task focused on design review, code audit, and testing.
Least Authority has invoiced RFA for a total of 118 hours out of 160 specified on the contract. This leaves 42 hours for the next phase, of which we anticipate 2-6 will be used to write the final deliverable and the remaining hours will be devoted to code review, architecture analysis, updating documents, and filing tickets.
Conclusion Process
------------------
After the contractual agreement is complete for this audit of Ooni, Least Authority intends to follow up with short informal interviews with RFA, Ooni, and M-Lab team members to solicit feedback on our work.
If anyone has specific feedback at any time, feel free to contact any of us.
We will also be available to answer any questions, and will continue to participate to some degree in the IRC channel, mailing list, and issue tickets.
Future Work
===========
As technology evolves, so does the need for security analyses. Our goal is to produce useful results for Ooni, which includes making those results easily accessible for future security auditors.
We recommend that the Ooni project solicit other security reviews (from a variety of analysts) at each major release, or at some regular schedule which integrates into their development schedule.
Contact
=======
These are the contacts for project coordination issues between the organizations:
Nathan Wilcox - Least Authority nathan@leastauthority.com
Liz Pruszko Steininger - RFA steiningerl@rfa.org
Tom Lowenthal - Ooni / Tor me@tomlowenthal.com
Meredith Whittaker - M-Lab meredithrachel@google.com