At Least Authority, our mission is to bring verifiable end-to-end security to everyone. As a part of this mission, we provide security consulting services to free and open-source software projects. We also run a verifiably-secure cloud backup system, S4.
In the past, we’ve performed successful security audits of SpiderOak’s Crypton project and of Cryptocat. Continuing this series of security audits, we’ve completed an audit of the GlobaLeaks whistleblowing framework.
This audit was funded by the Open Technology Fund (OTF). Regular security audits are an important part of the development of any software, and free and open source internet freedom software is certainly no exception. We applaud OTF for funding these highly beneficial audits.
Protecting whistleblowers is no easy task, especially since they may be up against powerful adversaries (governments, corporations, and criminal organisations) and the consequences of getting caught may be grave. It’s unlikely that a single technical solution to this problem exists. To keep whistleblowers safe, any technical solution needs to be paired with OPSEC education.
One of the things we liked about the GlobaLeaks project is that it has OPSEC education and checks built right in to the user interface.
We identified several security issues in the GlobaLeaks software. You can read about each issue in the audit report. The issues have been addressed by the GlobaLeaks team in the latest stable version.
The full audit report: Report of Security Audit of GlobaLeaks.
The GlobaLeaks wiki page: LeastAuthority Report.
Tickets in the GlobaLeaks bug tracker for each of the issues we identified.