VeraCode Report - 2langnic/GlobaLeaks GitHub Wiki
Tor2web has received its first source code audit, conducted by VeraCode. The audit was carried out in Q3 2013 and was sponsored by the Open Technology Fund (RFA). The penetration test yielded a total of 11 issues, along with several additional design and implementation suggestions.
The complete report is available for download here.
A few security issues have been identified and fixed.
The open issue will be fixed when a major sprint of development and refactoring of Tor2web is organized.
Below we list all issues with their status and references to GitHub commits, where available.
Fixed issues
Open issues
The GlobaLeaks team would like to thank VeraCode for the audit and Open Technology Fund for sponsoring this event.