Code audit for censorship circumvention tools completed by Cure53

by gaba | April 10, 2024

Since 2021, the Tor Project has been working on a project entitled "Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet", aimed at improving access to Tor in the China region. The project had the following goals:

  • Implement new pluggable transports and add more bridges that are harder for censors to block. 

  • Improve the bridge distribution systems so that it's harder for censors to learn and block bridges, while making it easier for users to get them.

  • Update a diverse set of proven open source circumvention applications so they are compatible with new bridges and censorship resistance/detection techniques.

  • Drive adoption through region-specific localization, outreach, and distribution efforts for target users.

This project allowed us to release:

  • WebTunnel, a new pluggable transport that disguises bridge traffic as ordinary HTTPS web traffic, making it harder for censors to distinguish from regular browsing.

  • Lox, a privacy-preserving, reputation-based bridge distribution system that is being integrated into Tor Browser.

  • RDSys, a new bridge distribution system that is replacing BridgeDB.

  • A new feature in Tor Browser, called Connection Assist, that makes censorship circumvention easier for users.

  • OnionShare, a secure and anonymous productivity and privacy suite built on Tor that lets users share files, host websites, and chat with friends, available for desktop and mobile devices.

  • Improvements to OnionShare for desktop.

In January 2024 we contracted Cure53 to audit all the code that was changed or created during this project. The purpose of the audit was to uncover vulnerabilities introduced by these changes. We are happy to report that all the vulnerabilities that were uncovered have already been mitigated.

For more details, please see the complete audit report.

We would like to thank Cure53 for an excellent and professional audit, as well as the U.S. State Department Bureau of Democracy, Human Rights, and Labor (DRL) for sponsoring this project.
