Often times, blogs or articles with titles like this one will contain bad news. That isn’t the case here! We’re sharing the results of our security review, and how that bolsters our new security features in the upcoming NATS server 2.0 release, expected in Q2 2019.
In November of last year, the CNCF sponsored Cure53 to perform a security audit of the NATS server and some of the more popular NATS clients. We setup a secure server for Cure53 to attack and they analyzed our source code.
“Cure53 chose a two-pronged approach to testing against NATS. In order to maximize coverage, the testers performed a source code audit, as well as engaged in classic penetration testing against a NATS-provided cloud instance.”
Overall, we feel NATS came out with flying colors. The server had one low rated vulnerability which was immediately fixed.
Simplicity pays off. The report noted that most of the NATS clients are small in comparison to other projects evaluated, thus presenting a small attack surface. Our canonical Go client had no issues reported. In the C client there was a critical overflow issue which was immediately fixed and all other issues have been fixed or addressed by the NATS team.
The full report can be found here.
Private keys? We don’t need them.
We also asked Cure53 to analyze NKEYS (NATS Encoded Ed25519 keys) and our JWT technology which is used by the upcoming NATS security features in the NATS server 2.0 release. No vulnerabilities were found.
In version 2.0, NKEYS and NATS JWTs are used in a nonce-based client connect protocol, where the server holds a public NKEY and the client signs the nonce with its private NKEY. This allows NATS to be a zero trust system, where the server never ever reads or accesses your private keys used to connect. When combined with accounts and secure data sharing between accounts, security in your deployment can become decentralized.
Stay tuned for more about the NATS Server version 2.0, coming soon!