In January 2020, the project was audited by Cure53.
Cure53 was chosen because they have proven to both excell as auditors as well as being committed to building a more open and better Internet - I mean, just have a look at their publications!
They found 5 issues:
Secure key deletion ineffective (Medium Severity)
Golang does not yet provide a secure way of handling key material. The is no clean fix, we were advised to wait. Documentation has been updated to reflect this.
See Github issue for details.
Password KDF vulnerable to GPU/ASIC attacks (Medium Severity)
PBKDF2 is vulnarable to GPU/ASIC attacks, was replaced with scrypt with a much higher security margin (rounds).
Secure channel protocol weaknesses (High Severity)
Verification of the protocol with Verifpal revealed that in addition to one expected weakness, there is another. The found weakness should actually have been expected, because it is a limitation of the protocol. The main use case of the protocol, securing SPN connections, is not impacted. Documentation was updated.
Key management/encryption with 1-byte key (Critical Severity)
This was just a devops error. We forgot to replace a "FIXME" comment with a function call.
Unnecessary configurability considered dangerous (Medium Severity)
This was somewhat expected. We did not yet know how to best expose the configurability to users. We were advised: NOT. We implemented changes and introduced cipher suites that specify a fixed sets of algorithms and security guarantees.
In the first Audit by Cure53, one of the auditors, Nadim Kobeissi, used his software Verifpal for an automated formal verficiation of the wire protocol. This was quite an amazing thing, as we wrote the model definition in the kickoff meeting. Verifpal then combed through the model to check if it really holds up to its promises. You can find the model here.