It is time to audit OpenSSL 1.1.1 (the first v…

OpenSSL powers millions of websites and devices. It is the de-facto crypto library used by business and governments alike.

We all remember big security problems stemming from problems with OpenSSL, HeartBleed, Logjam, FREAK, side-channel timing attacks, Debian weak RNGs, the NSA compromised Dual_EC_DRBG, and so on.

OSTIF is a non-profit that is raising money to audit OpenSSL 1.1.1 in public. The reason that this particular revision is important is that it is the first version to implement TLS 1.3 and some other major changes to the codebase such as updated random number generators.

We have an established track record of organizing the community to get these audits done. We successfully reviewed VeraCrypt and OpenVPN, and currently have a project in partnership with Monero Research Lab to review a new type of range proofs called Bulletproofs.

Right now, DuckDuckGo is matching donations to this project that are made through Crowdrise, and we need the communities help to make this happen. Please contribute what you can. OpenSSL is something we all use every day, behind the scenes of our secure websites and apps.

We’ve made a huge effort to try to accept every payment method possible. We now accept 12 cryptocurrencies, we are on Amazon Smile and HumbleBundle, Square, Paypal, Venmo, and so on.

Our CrowdRise campaign is here:

For more information, you can visit our website at

I am the CEO, Derek Zimmer, and I will be answering questions in this post until they stop coming in. AMA!


I’m revisiting one of the books that got me into mathematics and crypto, God Created the Integers by Stephen Hawking. We lost a great man yesterday.

Found here