Dear all,
The uVirtus live distribution was publicized back in September as a secure live OS specifically designed for Syrians. It stems from the idea of having a one-click, easy-to-use VPN client that uses OpenVPN over Obfsproxy.

After testing it and discovering a few issues, I spent some more time in order to dig a bit more into its security. I noticed numerous worrying security issues, and overall it does not appear to me to be really responsible to recommend it instead of, say, Tails. Issues include, for instance, holes that may help an attacker compromise the user's machine by gaining root access, and weak protection against data leaking in cleartext out of the VPN.

I published a report that lists all the issues I could find and tried to assess their seriousness. I hope it is detailed and precise enough. It is available here in English:
https://press.telecomix.ceops.eu/en/posts/Review_of_security_issues_in_uVirtus_2.0/

And in Arabic (sorry for the long link):
https://press.telecomix.ceops.eu/ar/posts/%D9%85%D8%B1%D8%A7%D8%AC%D8%B9%D8%A9_%D9%84%D9%82%D8%B6%D8%A7%D9%8A%D8%A7_%D9%86%D8%B8%D8%A7%D9%85_uvirtus_2.0_%D8%A7%D9%84%D8%A3%D9%85%D9%86%D9%8A%D8%A9/

We should thank Ameer, a Telecomix friend who spent a lot of time translating it, but also giving me hints and correcting some English mistakes.

We hope this helps to better assess uVirtus security and maybe feed the thinking for possible future versions.

Sorry for the TLS certificate warning you will probably get in your browser; it is signed with the CA you'll find there:
https://github.com/TelecomixSyria/TheSouq/tree/master/resources/ssl-ca/2012-2014
and its SHA1 fingerprint is C2:00:C7:9B:2C:9F:88:31:8B:A9:9E:B4:37:27:4E:93:75:8A:A7:6B.

With datalove!
KheOps