Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Passbolt security audit findings: what do the cryptographic gaps mean?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Seven findings and seven informational issues emerged after six days of cryptography review in Passbolt’s 2021 security audit, with high-severity gaps centred on transport-layer encryption guidance and nonce generation in GpgAuth, according to Passbolt and Cure53. The audit shows that clear security specifications matter as much as implementation quality for identity and secret-handling systems.

NHIMG editorial — based on content published by Passbolt: Passbolt security audit 2021 - Part 1

By the numbers:

Questions worth separating out

Q: What breaks when secure transport is left to administrators in an identity system?

A: Security breaks at the trust boundary.

Q: Why do nonce requirements matter in challenge-based authentication?

A: Nonce requirements matter because the challenge must be unique and used once to preserve authentication integrity.

Q: How can security teams tell whether a specification is secure enough to implement?

A: They should look for unambiguous, testable statements about transport security, challenge handling, expiry, and access removal.

Practitioner guidance

  • Enforce TLS at the platform boundary Require HTTPS by default for any secret or authentication flow and block insecure cipher suites in the deployment baseline.
  • Specify one-time challenge behaviour explicitly Document nonce usage as a hard protocol requirement, then test for single-use challenge semantics in every implementation that participates in authentication.
  • Review security specifications for ambiguous control language Trace every statement about encryption, authentication, expiry, and permission removal back to a testable requirement.

What's in the full article

Passbolt's full audit write-up covers the operational detail this post intentionally leaves for the source:

  • The full breakdown of the cryptographic findings, including the exact wording of the high-severity issues and the related implementation recommendations.
  • The audit context around GpgAuth challenge handling, nonce expectations, and why the specification language matters to implementers.
  • The additional suggestions around password expiry flags and passphrase generation that were not explored in depth here.
  • The closing notes on future audit parts and the broader security whitepaper context for the platform.

👉 Read Passbolt's security audit findings on cryptographic specification gaps →

Passbolt security audit findings: what do the cryptographic gaps mean?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Specification ambiguity is a control failure, not a cosmetic issue. The audit shows that undefined behaviour in cryptographic and authentication specifications can create security drift even when the code path is not immediately exploitable. That matters because implementers and operators make different assumptions when the documentation is incomplete. In identity systems, ambiguous behaviour is itself a governance defect, not just a documentation gap. The practitioner conclusion is that precise security semantics belong in the control design, not in post-hoc interpretation.

A few things that frame the scale:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when insecure protocol choices are left open in a secrets platform?

A: Accountability is shared, but it should be explicit. Product teams must define the security behaviour, and operators must enforce the deployment baseline. When the specification leaves room for insecure transport or unclear challenge semantics, the organisation owns the risk because the control was never made deterministic enough to govern reliably.

👉 Read our full editorial: Passbolt security audit 2021 shows specification gaps in cryptography



   
ReplyQuote
Share: