
eduVPN philosophy: less code means a more secure service

In 2014, eduVPN started as a small project to provide students and employees with a reliable VPN solution that integrates with federated authentication. Currently more than 100 organisations worldwide use eduVPN. An important event in 2014 greatly influenced the development of eduVPN and led us to embrace an important principle: less code means a more secure service.

Words: Rogier Spoor, SURF

So, what happened in 2014? At that time a serious vulnerability was discovered in OpenSSL, a widely used library for establishing secure connections. OpenSSL is used, among other things, on web servers, but also for VPN products. After analysis, it turned out that the software was too complex. Erik Poll, Associate Professor at Radboud University’s Digital Security Group, advises that when software has to be secure, complexity should be limited. This produces clearer software that can be better penetration tested and audited.

Complexity = bad for security

In his lectures Erik Poll has been saying for years that complexity is bad for security. One of the first scientific papers he often cites is that of Gary McGraw (2004):

“With software’s ever-expanding complexity and extensibility adding further fuel to the fire, by any measure, security holes in software are common, and the problem is growing.”

In the classic article “The protection of information in computer systems” by Saltzer & Schroeder from 1975 (!), the authors mention several design principles for security, including “Economy of mechanism. Keep the design as simple and small as possible.”

KISS – Keep It Simple Stupid

However, such views are much older. One of the oldest and best-known engineering principles is KISS: Keep it Simple, Stupid. The US Navy already used this principle in 1960. They already knew that systems work better if they are kept simple. This applies to systems in a broad sense, and particularly to software and security.

Therefore: Keep eduVPN as simple as possible

With this in mind, we have developed eduVPN. This is reflected in the software architecture of the eduVPN server. Over the years, it has only become smaller in terms of code, in contrast to an average software package that only expands. We try to keep the functionality of the product limited in accordance with our ‘less is more’ philosophy. For example, we regularly perform (source code) audits on the server and client software, especially in the event of major changes to the source code. eduVPN customers can view these audit reports. In addition, we use a vulnerability scanner to check whether the service is properly set up in practice.

Open source and public values

Furthermore, the premise of eduVPN was that all resources, such as software, documentation and images, had to be available under an open-source license. Not only for (international) education and research, but also beyond. Think, for example, of Internet Service Providers (ISP), government, companies and SMEs. This was reinforced by the fact that the SIDN fund supported software development with the aim of realising good and reliable VPN software that everyone can use.

This open approach ensures that organisations have control themselves, without being dependent on big tech, and they thus strengthen their digital autonomy. This is in contrast to commercial VPN solutions, where you do not have access to the (often far too complex) technology and documentation such as audits. This creates a strong dependence: for example, the commercial provider is the only party that can make and release bug and/or security fixes.

“In general you can say that closed source mainly benefits the producer of the software and that open source benefits the buyers.” – Professor Bart Jacobs, Radboud University

For the implementation of VPN technology, we opted for OpenVPN in 2014. This is the only product we had enough confidence in, especially because it is the only VPN product that has been internationally audited by security professionals, researchers and governments.

Writing code is deleting

Because we apply this principle, thousands of people in education and research have been using eduVPN for years without any problems. We will of course continue to apply this principle in our product development, because the world in 2022 shows that you can never rest on your laurels when it comes to safety. The same applies when writing code: writing is deleting!


About

eduVPN is the open-source VPN solution for education and research. More than 100 organisations worldwide already use this service. Via eduVPN, employees and students can securely connect to their institution’s network from home. This gives them secure access to protected internal applications such as scientific articles, financial systems, student information systems, license servers and file servers.

To find out more about eduVPN and how to implement it within your organisation, visit eduvpn.org

This article is featured on CONNECT39!