About INVISV masque

Internet privacy and circumvention technologies often depend upon tunneling protocols to prevent traffic from being blocked or altered. However, these protocols often use non-standard transport methods that make traffic identifiable. This makes it difficult to achieve wide-scale, censor-resistant deployments of privacy and circumvention tools using large-scale cloud infrastructure.

MASQUE (Multiplexed Application Substrate over QUIC Encryption) is an IETF standard that enables tunneling of TCP/UDP traffic through web servers and services using HTTPS—so traffic sent via a masque tunnel, from the network’s standpoint, will appear to be HTTPS traffic. This allows ordinary web server stacks to reuse many of their existing mechanisms for security (TLS), connection handling, load balancing, and more. 

INVISV masque, an implementation of the IETF MASQUE protocol, enables more secure transport of data across different network protocols, using “tunneling” to obscure the nature of the data traffic.


Audit Description

OTF’s Security Lab partner Atredis Partners performed a “whitebox” audit (a form of testing in which auditors have complete knowledge of the item being tested) of INVISV masque during June and July 2024. This included penetration testing, code review, and the use of packet flow analysis and packet capture tools to observe network traffic.

Scope

The security assessment and source code analysis covered the implementation of the masque tunneling protocol, the client library written in Go, and the client-side functionality needed for running a multi-party relay service.

Findings

Auditors found that INVISV masque’s codebase is generally robust, with no “directly or indirectly exploitable conditions” noted and no “critical” or “high” severity risks detected. The report includes three issues categorized as “low” severity and three flagged as “informational.”

Low-Severity Issues:

  • Unhandled Error: For some Go functions, errors were not handled when they were encountered. The audit report states that while errors are unlikely for those functions, it is best practice to check the function’s return values and handle errors accordingly.
  • Vulnerable Dependencies: Code analysis revealed that the go.mod file listed dependencies with known vulnerabilities. The auditors recommended updating dependencies wherever possible to incorporate the most recent versions.
  • Use of Deprecated Function: The audit found that the DialTLS function was in use for creating server connections. DialTLS is a deprecated function in Go, and the auditors recommended updating to the DialTLSContext transport field.
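
The “Use of Deprecated Function” and “Unhandled Error” items above, as an added Go example that is not taken from the audit report or from INVISV masque: the deprecated `DialTLS` hook on `http.Transport` beside its `DialTLSContext` replacement, with the dial error checked and returned. The helper names, the timeout and the loopback address are assumptions made for illustration.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"time"
)

// legacyTransport uses the deprecated Transport.DialTLS hook. It receives no
// context, so the dial cannot observe request cancellation or deadlines.
func legacyTransport(cfg *tls.Config) *http.Transport {
	return &http.Transport{
		DialTLS: func(network, addr string) (net.Conn, error) {
			return tls.Dial(network, addr, cfg)
		},
	}
}

// contextTransport uses Transport.DialTLSContext, so the request context
// bounds both the TCP connect and the TLS handshake. Errors are wrapped and
// returned rather than dropped. (Hypothetical helper, not from INVISV masque.)
func contextTransport(cfg *tls.Config, timeout time.Duration) *http.Transport {
	dialer := &tls.Dialer{NetDialer: &net.Dialer{Timeout: timeout}, Config: cfg}
	return &http.Transport{
		DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			conn, err := dialer.DialContext(ctx, network, addr)
			if err != nil {
				return nil, fmt.Errorf("tls dial %s: %w", addr, err)
			}
			return conn, nil
		},
	}
}

func main() {
	tr := contextTransport(&tls.Config{MinVersion: tls.VersionTLS12}, 5*time.Second)
	ctx, cancel := context.WithCancel(context.Background())
	cancel() // constructed case: the caller gave up before the dial started
	_, err := tr.DialTLSContext(ctx, "tcp", "127.0.0.1:1") // constructed address
	fmt.Println("dial with cancelled context:", err)
}
```

When `DialTLSContext` is set, the transport's `TLSClientConfig` and `TLSHandshakeTimeout` are ignored for HTTPS requests, so the TLS settings must be passed to the dialer itself.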

The three “informational” issues reported included logical expressions that are always true and the use of reserved words and package names as variables. Auditors note that none of these issues constitute a potential for direct compromise.

Remediation

Retests conducted by the auditors confirmed that five out of six total issues flagged have been fully remediated. Regarding the sixth issue of vulnerable dependencies, the auditors found that two of the three dependencies were fixed and the third did not appear to be exposed in the source code.


Full Report

Code