Good news from security audits, past and present

March 27, 2023 by missytake, holga

In case you wonder how safe Delta Chat’s core messaging implementation and server guides are, you may be interested in the summary statement from the recent independent security audit by Cure53:

… a positive impression following the completion of this review, particularly relating to strong SSL/TLS encryption, the mail server, and client library, which have all made excellent progress toward offering a first-rate framework from a security perspective.

We also took the opportunity to publish FAQ entries (finally!) about two security audits in 2019 and 2020 by Include Security, covering in particular the pure Rust PGP implementation, our lean and mean engine for Autocrypt and CounterMITM End-to-End encryption protocols. Here, we are in the lucky situation that one of our core contributors is of the rare kind who can implement cryptographic algorithms and get the result to pass security audits, with one key implementation part moved into the RustCrypto/RSA community repository. We’ve said it before that Rust is not only an excellent language to code networking and cryptographic implementations in but also allows for safe and large-scale development collaboration, raising the quality for everyone and for what we can offer through Delta Chat apps.

Latest audit was about secure networking and “serverguide” security

The main focus of the latest Cure53 security audit were the network libraries used to connect to mail servers, typically using TLS transport encryption. While Delta Chat runs on various platforms from Android over Windows, iOS, MacOS, and Linux, the encryption implementations of these platforms can be very different. We wanted to know if our TLS network setup and handling is safe on all platforms.

The second big audit focus was about our mail server setup guide which allows to setup and use mailcow as a mail server, and run mailadm to automate account management for Delta Chat users. The mailadm tool was written by Delta Chat contributors while mailcow is maintained by a collaborating company, Tinc GmbH in Germany. With this second audit focus, we wanted to know if hobbyist sysadmins can successfully setup safe mail server infrastructure when following our guide.

Eight detected issues

Auditors from Cure53 found eight issues in total:

We’d like to thank Cure53 and IncludeSecurity for the overall excellent collaboration and communication!

Show Comments

You can reply on any Fediverse (Mastodon, Pleroma, etc.) website or app by pasting this URL into the search field of your client: