OpenMLS Has Been Audited

raphaelrobert

OpenMLS independent security audit: results, history, and what comes next

OpenMLS, our implementation of the Messaging Layer Security (MLS) protocol, has undergone a security audit conducted by SRLabs and sponsored by the Sovereign Tech Agency.

The audit is an important milestone for OpenMLS. In this post, we share the results and take the opportunity to give a broader introduction to OpenMLS.

Audit results

SRLabs found eight issues in total, one of which was rated “High” severity. Fixes for seven of the eight issues have already been merged and were published with versions 8.1 and 7.3 of the openmls crate. The remaining issue, rated “Low” severity, is currently being addressed.

If you are interested in the details, you can download the full audit report.

We would like to thank the Sovereign Technology Agency for sponsoring the audit and for their continued support of open-source security infrastructure. We are also grateful to the team at SRLabs for the thorough review, the constructive collaboration, and their support throughout the remediation process.

With the audit complete and the findings addressed, this is a good moment to take a step back and introduce OpenMLS to those who want to learn more.

The Messaging Layer Security (MLS) protocol

OpenMLS is an implementation of RFC9420, the specification of the MLS protocol at the IETF. Among other things, MLS allows clients to create groups, manage group membership, send messages, and agree on cryptographic keys. It provides authenticity and confidentiality for messages and allows clients to update their key material to secure past and future messages in case of client state compromise. With a key update complexity in O(log n), where n is the number of group members, MLS is designed to be performant even in large groups.
For more information, see our overview blog post on MLS.

OpenMLS origins and evolution

OpenMLS began its life as Maelstrom, a personal project by Raphael Robert, who started the implementation in 2019 when MLS was still in its early design stages. Maelstrom was open-sourced in May 2020 and subsequently renamed to OpenMLS in November 2020. In that month, the license was changed from GPLv3 to MIT. In 2022, the maintainership transitioned to the freshly incorporated Phoenix R&D. Later that year, Cryspen joined forces and became a co-maintainer.

Today, OpenMLS has 5 maintainers across both companies and a steadily growing community of contributors.

OpenMLS is the second-oldest MLS implementation after Cisco’s C++-based MLS++. Since its inception, OpenMLS has tracked most of the changes across the 20 drafts the MLS specification went through before it became RFC9420.

When the MLS specification was in its final stages, OpenMLS began interoperability tests, first with MLS++ and then with mls-rs. It has since been tested against other libraries, such as BouncyCastle’s Java implementation and ts-mls.

OpenMLS today

Since its inception, OpenMLS has received code contributions from 55 individuals, across 1800+ commits, and has been forked 147 times. Today, OpenMLS is used in 181 repositories and 27 packages. Its source is published under the MIT license on GitHub, and the openmls Rust crate is available on crates.io, with 3500 daily downloads at the time of writing. These numbers likely make OpenMLS the most widely used MLS implementation across projects.

With two small exceptions, OpenMLS is a feature-complete implementation of RFC9420. It allows users to bring their own storage provider, random number generator, and implementations of cryptographic primitives. OpenMLS performs all of RFC9420’s prescribed validation checks and implements a robust, type-based message validation pipeline.

As of today, OpenMLS is widely used by a range of applications.
We at Phoenix R&D use it to power our new secure messenger, Air. Other notable open-source apps that use OpenMLS include Nostr, XMTP, Cloudflare’s Meet, Wire, and CoverDrop in The Guardian’s news app. OpenMLS is also used in various closed-source applications that have not made its use public.

The road ahead

The MLS ecosystem is alive and well. RFC9420 was published in 2023, and several drafts are on their way to becoming an RFC.

OpenMLS is actively maintained, and we are tracking multiple drafts, such as the MLS extensions draft, the virtual clients draft, the targeted messages draft, and the PQ ciphersuites draft. That last draft will finally bring post-quantum security to OpenMLS. For each draft, we are exposing our work-in-progress through feature flags for those brave or curious enough to try out the new functionality.

Besides tracking specification work, we are also constantly trying to make OpenMLS more accessible. Among other things, we want to allow applications to use async storage providers and improve the support for custom ciphersuites.

Get in touch

If you’re interested in OpenMLS, check it out on GitHub. For community support, you can join our Zulip instance. For...
