eduVPN philosophy: less code means a more secure service

In 2014, eduVPN started as a small project to provide students and employees with a reliable VPN solution that integrates with federated authentication. Currently more than 100 organizations worldwide use eduVPN. An important event in 2014 greatly influenced the development of eduVPN, and led us to embrace an important principle: less code means a more secure service.

Vulnerability in OpenSSL

So what happened in 2014? That year, a serious vulnerability was discovered in OpenSSL, a widely used library for establishing secure connections. OpenSSL is used on web servers, among other things, but also in VPN products. After analysis, it turned out that the software was too complex. Erik Poll, Associate Professor at Radboud University’s Digital Security Group, advises that when software has to be secure, complexity should be limited. This results in clearer software that is easier to pen test and audit.

Complexity bad for security

In his lectures Erik Poll has been saying for years that complexity is bad for security. One of the first scientific papers he often cites is that of Gary McGraw (2004): “With software’s ever-expanding complexity and extensibility adding further fuel to the fire. By any measure, security holes in software are common, and the problem is growing.”
In the classic article “The protection of information in computer systems” by Saltzer & Schroeder from 1975 (!), the authors mention several design principles for security, including “Economy of mechanism. Keep the design as simple and small as possible.”

KISS

However, such views are much older. One of the oldest and best known engineering principles is KISS: Keep it Simple, Stupid. The US Navy already used this principle in 1960. They already knew that systems work better if they are kept simple. This applies in a broad sense to systems, including software and security.

Complexity also scores high in OWASP Top 10

Another indication that complexity has a negative impact on security is that Security Misconfiguration is in the OWASP Top 10. The OWASP Top 10 is a list of the most common security vulnerabilities in web applications. There are also indications that complexity plays a negative role in other items in the OWASP Top 10. With Injection Attacks, Identification and Authentication Failures or Broken Access Control, complexity will often be a factor. For example, an XSS attack, which falls under Injection Attacks, proves difficult to eradicate because web applications are horribly complex due to all the DOM APIs and JavaScript frameworks.

Therefore: eduVPN software architecture as simple as possible

With this knowledge in mind, we have developed eduVPN. This is reflected in the software architecture of the eduVPN server. Over the years, it has only become smaller in terms of code, in contrast to an average software package that only expands. We try to keep the functionality of the product limited in accordance with our ‘less is more’ philosophy. For example, we regularly perform (source code) audits on the server and client software, especially in the event of major changes to the source code. eduVPN customers can view these audit reports. In addition, we use a vulnerability scanner to check whether the service is properly set up in practice.

Open source and public values

Furthermore, the premise of eduVPN was that all resources, such as software, documentation and images, had to be available under an open source license. Not only for (international) education and research, but also beyond. Think, for example, of Internet Service Providers (ISPs), government, companies and SMEs. This was reinforced by the fact that the SIDN fund supported software development with the aim of realizing good and reliable VPN software that everyone can use. This open approach ensures that organizations have control themselves without being dependent on big tech, and thus strengthens their digital autonomy. This is in contrast to VPN solutions from commercial parties, where you do not have access to the (often far too complex) technology or to documentation such as audits. This creates a strong dependence: for example, the commercial provider is the only party that can make and release bug fixes and/or security fixes.

“In general you can say that closed source mainly benefits the producer of the software and that open source benefits the buyers.”
Quote from Professor Bart Jacobs, Radboud University
Reference in Dutch

For the implementation of VPN technology, we opted for OpenVPN in 2014. This is the only product we had enough confidence in, especially because it is the only VPN product that has been internationally audited by security professionals, researchers and governments. Nowadays WireGuard is the new kid on the block, and we are investing in supporting it in the future. We will cover WireGuard support in a future blog post.

Writing code is deleting

Because we apply this principle, thousands of people in education and research have been using eduVPN for years without any problems. We will of course continue to apply this principle in our product development, because the world in 2022 shows that as an organization you can never rest on your laurels when it comes to safety. The same applies when writing code: writing is deleting!

 

Via eduVPN, employees and students can securely connect to their institution’s network from home. This gives them secure access to protected internal applications such as scientific articles, financial systems, student information systems, license servers and file servers. eduVPN is the open source VPN solution for education and research. More than 100 organizations worldwide already use this service.

This blog was originally posted in Dutch here
