How secure is Urbit right now?
We consider some parts of Urbit to be secure, while other parts still need some work and external auditing. For technical details on Urbit's cryptosystems, see the documentation.
Urbit ID / Azimuth, Urbit's identity layer, is live on the Ethereum blockchain and has been audited by OpenZeppelin, Blockchain at Berkeley, and Bloctrax.
In late 2020, Urbit's Ames networking protocol was audited by Leviathan Security. You can read about this milestone here.
The security of the runtime, Vere, has not yet been adequately assessed or systematically hardened.
All communication on Urbit is end-to-end encrypted. However, the event log is not encrypted at rest; we plan to give users that option in the future.
Tlon keeps a quantum computing expert on staff and understands that post-quantum cryptographic methods must be implemented sooner rather than later, since any data not already encrypted using these methods is at risk of being collected now and decrypted once sufficiently powerful quantum computers exist. NIST anticipates the release of its preliminary findings on post-quantum cryptography standards around the end of 2021, with full guidelines following in 2024. Tlon will develop a strategy for post-quantum encryption for Urbit following NIST's recommendations.
Thus, while Urbit is probably more secure and private than most digital communication channels, we cannot yet consider it impervious to a dedicated attacker. If you are a cybersecurity expert looking for work, get in touch with Tlon at [email protected].