Security audit of Turbo Tunnel programs (dnstt and Snowflake)
There was recently a security audit done by Cure53 of software related to developing the Turbo Tunnel design. We have previously discussed Turbo Tunnel on this forum at #9. In scope for the audit were dnstt (an encrypted DNS tunnel, previous discussion at #30) and the Turbo Tunnel–related parts of Snowflake (WebRTC-based peer-to-peer proxy, previous Turbo Tunnel discussion at #35).
The report lists 9 items total, ranging in severity from Informational to Medium: 6 in dnstt, 2 in Snowflake, and 1 informational item affecting both.
Summary of items affecting dnstt
5 of the 6 items affecting dnstt are fixed in v0.20210424.0. The remaining item has to do with protocol layering, and to address it would require backward-incompatible changes and a possible reduction in efficiency. I wrote a summary of the considerations.
Summary of items affecting Snowflake
One of the Snowflake items is a resource leak that has had an issue created. The other is about better security for broker messages, which the team knows about and has discussed in the past.