
Strengthening Snow for the open source community

by Daryl Martin and Christian Rask

June 16, 2026 - 3 min


At 1Password, we regularly invite outside experts to challenge our assumptions and strengthen our security. We encourage security researchers to participate in our bug bounty programs and have spent years building a collaborative research environment. We also believe in the benefit of open source software and standards, which raise the bar for the industry as a whole while ultimately benefiting 1Password customers.

That’s why we funded an independent security assessment of the open source library Snow, worked closely with the maintainer on remediation, and are making the results publicly available for anyone to review.

Where to read the report

The results of the independent security assessment are available now for anyone who wants to learn more.

Why we invested in Snow 

Snow is a Rust implementation of the Noise Protocol Framework, a framework for building secure channels from a small set of cryptographic handshake patterns based on Diffie-Hellman key exchange. We rely on Noise-protected channels in parts of 1Password, and Snow is the implementation of that framework available to Rust developers, so for us it is part of the security foundation we care about getting right. Funding independent validation of Snow lets us improve something we depend on while giving back to the open source community that helps make 1Password possible.

We are active contributors to Snow. The pull requests we’ve opened and the independent security assessment we funded reflect our commitment to helping strengthen the project. 

What Trail of Bits found

Trail of Bits reviewed Snow through a combination of manual review and automated testing over four engineer-weeks. Their report identified 10 findings in total: one medium-severity issue, one low-severity issue, and eight informational findings. The most important issue discovered was a nonce-handling bug that could let an attacker permanently disrupt an encrypted channel without knowing any cryptographic secrets. Another finding showed that invalid PSK indices could trigger a panic, creating a denial-of-service condition. 
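To make the two bug classes above concrete, here is an added Rust sketch written for this post. It is not Snow's code and not a reconstruction of the specific flaws in the report; it shows the rules from the Noise specification's CipherState section that this kind of bug violates: the nonce advances only after a message authenticates, so an unauthenticated frame from an attacker cannot push the receiver off the sender's nonce; the reserved nonce 2^64-1 is refused rather than reused; and a caller-supplied PSK index is range-checked and reported as an error instead of being used to index an array, which in Rust would panic. The AEAD is a deliberately toy keystream plus MAC built on the standard library's SipHash so the block compiles with no crates; the four-slot PSK table, the type names and the function names are assumptions of the sketch, not Snow's API.

```rust
// Added illustration for this post, not code from Snow or from the audit: a Noise-style
// CipherState and PSK slot table showing the state-handling rules the findings turn on.
// The AEAD is a deliberately TOY keystream + MAC on std's SipHash so it needs no crates.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Noise reserves nonce 2^64-1; once n reaches it the CipherState must refuse to work.
const RESERVED_NONCE: u64 = u64::MAX;
/// Assumed for this sketch: four PSK slots (psk0..psk3); Snow's real bound may differ.
pub const PSK_SLOTS: usize = 4;

#[derive(Debug, PartialEq)]
pub enum NoiseError { Decrypt, NonceExhausted, BadPskIndex(usize) }

/// Toy PRF: 8 bytes of SipHash over (key, nonce, label, data).
fn prf(key: &[u8; 32], n: u64, label: &[u8], data: &[u8]) -> [u8; 8] {
    let mut h = DefaultHasher::new();
    (key, n, label, data).hash(&mut h);
    h.finish().to_le_bytes()
}

/// XOR `buf` with a per-(key, nonce) keystream, 8 bytes at a time.
fn keystream_xor(key: &[u8; 32], n: u64, buf: &mut [u8]) {
    for (i, chunk) in buf.chunks_mut(8).enumerate() {
        let ks = prf(key, n, b"ks", &(i as u64).to_le_bytes());
        for (b, k) in chunk.iter_mut().zip(ks.iter()) { *b ^= *k; }
    }
}

/// Toy authentication tag over the length-prefixed AD and the ciphertext.
fn tag(key: &[u8; 32], n: u64, ad: &[u8], ct: &[u8]) -> [u8; 8] {
    let mut m = (ad.len() as u64).to_le_bytes().to_vec();
    m.extend_from_slice(ad);
    m.extend_from_slice(ct);
    prf(key, n, b"tag", &m)
}

/// Minimal Noise-style CipherState: a key plus a strictly increasing nonce.
pub struct CipherState { pub k: [u8; 32], pub n: u64 }

impl CipherState {
    pub fn new(k: [u8; 32]) -> Self { CipherState { k, n: 0 } }
    pub fn encrypt_with_ad(&mut self, ad: &[u8], pt: &[u8]) -> Result<Vec<u8>, NoiseError> {
        if self.n == RESERVED_NONCE { return Err(NoiseError::NonceExhausted); }
        let mut ct = pt.to_vec();
        keystream_xor(&self.k, self.n, &mut ct);
        ct.extend_from_slice(&tag(&self.k, self.n, ad, &ct));
        self.n += 1;
        Ok(ct)
    }
    /// Spec-conformant decrypt: the nonce advances only after the tag verifies, so a
    /// forged or corrupted frame cannot move the receiver off the sender's nonce.
    pub fn decrypt_with_ad(&mut self, ad: &[u8], msg: &[u8]) -> Result<Vec<u8>, NoiseError> {
        if self.n == RESERVED_NONCE { return Err(NoiseError::NonceExhausted); }
        if msg.len() < 8 { return Err(NoiseError::Decrypt); }
        let (ct, t) = msg.split_at(msg.len() - 8);
        if &tag(&self.k, self.n, ad, ct)[..] != t { return Err(NoiseError::Decrypt); }
        let mut pt = ct.to_vec();
        keystream_xor(&self.k, self.n, &mut pt);
        self.n += 1;
        Ok(pt)
    }
    /// Deliberately WRONG variant, kept only for comparison: it advances the nonce even on
    /// authentication failure, so one unauthenticated frame desynchronises the channel.
    pub fn decrypt_advancing_on_failure(&mut self, ad: &[u8], msg: &[u8]) -> Result<Vec<u8>, NoiseError> {
        let r = self.decrypt_with_ad(ad, msg);
        if r.is_err() { self.n = self.n.saturating_add(1); }
        r
    }
}

/// Sender emits m1 and m2; between them an attacker holding no key injects one garbage
/// frame. Returns whether the receiver still decrypts m2 afterwards.
pub fn channel_survives_injection(spec_conformant: bool) -> bool {
    let key = [7u8; 32]; // constructed shared key for the illustration
    let (mut tx, mut rx) = (CipherState::new(key), CipherState::new(key));
    let m1 = tx.encrypt_with_ad(b"", b"hello").unwrap();
    let m2 = tx.encrypt_with_ad(b"", b"world").unwrap();
    let garbage = vec![0xAAu8; m1.len()]; // constructed attacker frame
    let mut recv = |m: &[u8]| match spec_conformant {
        true => rx.decrypt_with_ad(b"", m),
        false => rx.decrypt_advancing_on_failure(b"", m),
    };
    assert_eq!(recv(&m1).as_deref(), Ok(&b"hello"[..]));
    assert_eq!(recv(&garbage), Err(NoiseError::Decrypt));
    recv(&m2).as_deref() == Ok(&b"world"[..])
}

/// PSK slot table with a range check: a bad index from the caller becomes an error rather
/// than an out-of-bounds array index, which in Rust panics.
pub struct PskSlots(pub [Option<[u8; 32]>; PSK_SLOTS]);

impl PskSlots {
    pub fn new() -> Self { PskSlots([None; PSK_SLOTS]) }
    pub fn set(&mut self, index: usize, psk: [u8; 32]) -> Result<(), NoiseError> {
        let slot = self.0.get_mut(index).ok_or(NoiseError::BadPskIndex(index))?;
        *slot = Some(psk);
        Ok(())
    }
}
```

The only difference between the two receivers in `channel_survives_injection` is whether the nonce moves on an authentication failure, and that is precisely the state an attacker with no key can influence: with the spec-conformant decrypt the garbage frame is rejected and the next genuine message still decrypts, while the variant that advances on failure is left one nonce ahead of the sender and rejects everything the sender says from then on. The same "return an error, never index blindly" shape in `PskSlots::set` is what turns a bad PSK index into a recoverable error instead of a process-ending panic.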

For more details on the engagement, including the informational findings, please read the published security assessment.

We then worked with Jake McGinty, the Snow maintainer, to remediate the issues, and with Trail of Bits to validate the fixes. To date, 8 of the 10 findings are resolved, including the medium-severity nonce-handling flaw, the invalid-PSK-index panic, and message-length enforcement. Two longer-horizon informational items remain open, and we believe neither affects the security of the Snow library.

What’s next?

Thank you

We want to say thank you to Trail of Bits, and especially Joe Doyle and Tjaden Hess, for the assessment and review. We’re also grateful to Jake McGinty, the Snow maintainer, for partnering on remediation, providing real-time assistance during the testing, and helping turn the report into concrete improvements.

Open source security work is most valuable when it doesn’t stop at identifying problems. Funding an audit with transparent results matters, but working with maintainers to responsibly land fixes matters even more. That is how we help raise the security bar not just for one company, but for the larger community that depends on the same foundational building blocks.

If you’re building in Rust and need the Noise Protocol Framework, take a look at Snow. Read the audit, review the code, and try it in your own projects. Open source becomes stronger when more developers use it, test it, and invest back into it. We’re excited to see what you build.
