[liberationtech] "uVirtus Linux, encrypted OS for Syria": a security review
KheOps
kheops at ceops.eu
Thu Feb 6 14:18:07 PST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear all,
The uVirtus live distribution was publicized back in September as a
secure live OS specifically designed for Syrians. It stems from the idea
of having a one-click easy to use VPN client that uses OpenVPN over
Obfsproxy.
After testing it and discovering a few issues, I spent some more time in
order to dig a bit more into its security.
I noticed numerous worrying security issues, and in overall it does not
appear to me as really responsible to recommend it instead of, say,
Tails. Issues include for instance holes that may help an attacker
compromise the user's machine by gaining root access and weak protection
against data leaking in cleartext out of the VPN.
I published a report that lists all the issues I could find and tried to
assess their seriousness. I hope it is detailed and precise enough.
It is available here in English:
https://press.telecomix.ceops.eu/en/posts/Review_of_security_issues_in_uVirtus_2.0/
And in Arabic (sorry for the long link):
https://press.telecomix.ceops.eu/ar/posts/%D9%85%D8%B1%D8%A7%D8%AC%D8%B9%D8%A9_%D9%84%D9%82%D8%B6%D8%A7%D9%8A%D8%A7_%D9%86%D8%B8%D8%A7%D9%85_uvirtus_2.0_%D8%A7%D9%84%D8%A3%D9%85%D9%86%D9%8A%D8%A9/
We should thank Ameer, a Telecomix friend who spent a lot of time on
translating it, but also giving me hints and correcting some English
mistakes.
We hope this helps to better assess uVirtus security and maybe feed the
thinking for possible future versions.
Sorry for the TLS certificate warning you will probably get in your
browser, it is signed with the CA you'll find there:
https://github.com/TelecomixSyria/TheSouq/tree/master/resources/ssl-ca/2012-2014
and its SHA1 fingerprint is
C2:00:C7:9B:2C:9F:88:31:8B:A9:9E:B4:37:27:4E:93:75:8A:A7:6B.
With datalove!
KheOps
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBAgAGBQJS9AoeAAoJEK9g/8GX/m3dpRkH/1rN/nDEjY2kJqhEMqaIwkiq
PqJzXxhvSuMTYn9WXcA5kh9xH+OCBu2uSfTfm9ewfAO8W4C4Jx5AO8jgyo3bjFEP
usJE8m7vaKZVnVUrzqyxMBuutxyljear+qn6r86i5FRbIoob582QAZM7+bunotOr
bc5oUBgaq+KHx0p6yxohQw07MLaDwzXviu0lFcsRqMRfGzAMWFx3y8pGLUwS1Tiz
S3jR+Vs+s80NBHmMhPK3HkB2qsMowC8tZlYaMLzuFqocoKsTyE3CCMz9R6Xw05HT
aR5pSsbVuEvgMyhlqCJoVD8YD4qde8E5hxZrONZk4GKTIPDc90bgGW8FH/zmPqI=
=h+MA
-----END PGP SIGNATURE-----
More information about the liberationtech
mailing list