Send in your ideas for NGI Taler/Fediversity. Deadline August 1, 2026

Internet Hardening Fund

Projects funded from the Internet Hardening Fund

This page contains a concise overview of projects funded by NLnet foundation that belong to Internet Hardening Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more.

Interesting in applying for a grant yourself? Check our active theme funds, such as NGI Fediversity or NGI TALER. Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these.

Certbot ECDSA support
logo

Certbot, part of EFF’s larger effort to encrypt the entire Internet, is a free, open source software tool used to encrypt traffic to tens of millions of websites. By automatically generating and configuring Let’s Encrypt certificates on webservers to enable HTTPS, Certbot improves the privacy and security of hundreds of millions of users worldwide. The project strives to provide the highest standard of security, which is why we are keen to implement Elliptic Curve Digital Signature Algorithm (ECDSA) support. ECDSA support in Certbot will improve privacy, performance, and trust for Internet users via improved authentication and security.

Read more about Certbot ECDSA support.

DIME — A new encrypted, end-to-end email protocol
logo

The DIME project has three distinct goals: to make end-to-end email encryption transparent and automatic, to minimize the leakage of metadata, and to enshrine the standards which make automation resistant to manipulation by advanced persistent threats. This has led to the development of a set of protocols and data formats which combine the best of current technologies into an integrated system that gives adequate protection, yet remains flexible. It allows for people to improve their security without sacrificing functionality.

Read more about DIME.

Faster and configurable datapath/Linux xfrm — Rewriting nftables to optimise for xfrm
logo

The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework to work with IPSec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4 as well. IPSEC encrypts traffic, providing key features absent in the regular IP layer - like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPSEC capabilities, usability, speed and robustness in many systems.

Read more about Faster and configurable datapath/Linux xfrm.

GetDNS — Deliver DNSSEC as a building block in harsh environments
logo

Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. The getdns library is an modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving; such as DNS over TLS (RFC7858), and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027).

Read more about GetDNS.

GnuTLS — Implement TLS-KDH in GnuTLS
logo

TLS-KDH is a mechanism that adds Kerberos authentication to the Transport Layer Security (TLS) network protocol. TLS-KDH is developed under the flag of ARPA2 (www.arpa2.net) and is formalized in the form of a draft Internet specification for the IETF RFC standards track. This project serves to create a prototype implementation of the protocol within GnuTLS.

For a more extensive overview of advantages of TLS-KDH we refer to the project homepage (http://tls-kdh.arpa2.net).

Read more about GnuTLS.

GUN P2P Encryption — A realtime, decentralized, offline-first, graph database engine
logo

Gun is a realtime, decentralized, offline-first, graph database engine. GUN works peer-to-peer by design, meaning you have no centralized database server to maintain or that could crash. It allows to build decentralized, federated, or centralized apps. The SEA (Security, Encryption, Authorization) framework allows to use the latest native Web Crypto API for cryptographic functions like ECDSA, PBKDF2, AES, and more. With GUN developers can build fully decentralized end-to-end encrypted applications, using a "web of trust" mechanism.

Read more about GUN P2P Encryption.

Improving Matrix E2E encryption UX — Better usability of Matrix.org E2E encryption
logo

When using end-to-end encryption without a centralized oracle, the mechanisms to distribute and verify keys are critical. Matrix.org is an non-profit open source project dedicated to creating and maintaining an open and secure global network for decentralised real-time communication. Its mission is to make encrypted decentralised open communication a basic human right: empowering users to choose which services they use to communicate without being fragmented and held hostage within proprietary communication silos. Matrix currently has over 1.8M addressable users, 2,800 deployments, and the Matrix.org server receives over 1.1M messages a day. One can consider Matrix an open real-time data fabric for the web, providing somewhere for users and devices to publish and persist arbitrary data that can be subscribed to as desired.

This project tries to fix the biggest blockers of E2E encryption, which partly lie with technology but partly also are due to overall UX issues. It solves various issues such as key sharing completion, making sure that E2E VoIP calls work. At the same time it will address user driven features such as the ability to request history from before the point you're invited to a room and have that safely decrypted for reading. Finally, the project will deal with better UX for displaying keyshare requests rather than modal popup, and delivering configurable paranoia levels per room.

Read more about Improving Matrix E2E encryption UX.

Magic Wormhole/SPAKE2 — Securely send files between two computers with minimum fuss
logo

SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure. It allows to set up an ad hoc encrypted channel between two users that share a combination of words in real-time. Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of the TAHOE-LAFS.

The server part of Magic Wormhole can creating a rendez-vous/relay, so it can be used in a LAN, behind firewalls, NATs, etc. There are many cases in which a person wants to quickly exchange a file in an untrustworthy environment (say a presentation deck) without running either the risk of an Evil Maid attack or uploading to a trusted server and then giving someone access to that. Most people do not even have such a trusted infrastructure, which forces them to trust their data to third parties. This solution allows for very user-friendly exchange of files with modern encryption, without the need for anything else. Secure exchange of files is a critical problem of all ages, this solution has potentially disruptive qualities.

This project will try to make SPAKE2 primitives available to mobile app developers and will support standardisation of SPAKE2 inside the IETF.

Read more about Magic Wormhole/SPAKE2.

Modular CA — Modular infrastructure for building secure internet services
logo

The Redwax Project provides a number of small and modular security tools to make it easy to build security services on the web. These can be combined to form various types of certificate authorities, issuing certificates with SPKAC and SCEP, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The aim of the project is keep the security footprint and the number of dependencies as low as possible.

Read more about Modular CA.

Namecoin — Decentralized, censorship resist Internet infrastructure for e.g. DNS and identities
logo

Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances.

Read more about Namecoin, Namecoin: TLS.

Nixcloud — Declarative internet services based on NixOS
logo

This project aims to make NixOS the first computer operating system to package TLS Pool as a service component, and will allow to combine the power of declarative packaging with the unique security characteristics of TLS Pool to create a solid and versatile delivery channel for decentralised internet applications.

Read more about Nixcloud.

Pitchfork — Open hardware for compartmentalizing key material and cryptographic operations
logo

The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a minimalist Cortex-M3 processor and stores all keys in the CPU flash memory. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including "post-quantum" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols, providing different aspects of overall security.

Read more about Pitchfork, Pitchfork PKCS#11.

Pretty Easy Privacy — At scale simulation over GNUnet with different realistic user behavior scenarios
logo

The “Emulation over GNUnet for large user numbers and diferent realistic user behavior scenarios plus tuning“ serves as a preparation and prerequisite for the integration of GNUnet into p≡p‘s encryption app-solutions to obfuscate not only content but also metadata of written digital communications. p≡p wants to protect not just the contents of communications, but also its metadata (who communicates with whom, from who etc.) to allow for anonymous communications. p≡p has the goal, to have GNUnet (one of the official GNU projects) integrated in its core technology as the “holy grail” to fully restore privacy by technical means and to bridge people from classical means of communications (email, existing chat protocols) towards the fully decentralized GNUnet peer-to-peer network. With the simulation of GNUnet's behavior for large user numbers and different realistic user behavior scenarios we want to test and improve its stability and scalability.

GNUnet protects metadata by tunneling text messages on identity- as well as account-level. GNUnet is a framework for secure peer-to-peer (P2P) networking, which is censorship-resistant, provides end-to-end encryption and is able to not just protect contents, but also metadata, thus anonymizing who’s communicating with whom and finally restoring full privacy. GNUnet's functioning doesn’t rely on any central infrastructure. It allows to bypass classic communication channels like email, if both peers have GNUnet.

So far there is no information if GNUnet is reliable for large numbers of users. The integration into p≡p will be the first real-world mass-deployment of GNUnet. In order to facilitate a scalable configuration or adaption of GNUnet in p≡p, we thus want to build a simulation of user behavior for p≡p over GNUnet. We will model which shares of written digital communication can be expected on which devices and how GNUnet behaves for these data traffics. The simulation will be done for different user numbers (e.g. 1k, 10k, 100k, 1mio) as well as for various user behavior scenarios and net structures (e.g. preconditions for net neutrality/censorship by governments etc.). Scientific groundwork and expertise (e.g. “Large Scale Distributed Evaluation of Peer-To-Peer Protocols”, Sree Harsha Totakura, 2013) as well as close contact with the GNUnet team is at hand. This simulation will gain crucial insights for GNUnet deployments in real world situations being of major importance for related FOSS projects far beyond the integration into p≡p, so secure communication over a free Internet can be achieved.

Read more about Pretty Easy Privacy.

SecuShare — A framework for sufficiently safe social interaction
logo

The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer are stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities &emdash; identified by their public key &emdash; these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places.

Read more about SecuShare, Secushare Box.

Stubby — A local DNS Privacy stub resolver using DNS-over-TLS
logo

Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC 7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server.

More information about DNS-over-TLS: https://tools.ietf.org /html/rfc7858

Read more about Stubby.

TLS-KDH — Combined Kerberos and Diffie-Hellman as an authentication mechanism for TLS
logo

This project develops a number of additions to the open source TLS library GnuTLS. Based on the prototype for TLS-KDH (http://tls-kdh.arpa2.net) that was developed as a branch of GnuTLS, we now need to do a full implementation that incorporate the features from this development branch into GnuTLS’ main branch. By doing so our TLS-KDH mechanism becomes automatically available for the general public worldwide. However, additional work needs to be done for these two branches to be merged. Compatibility issues need to be checked and resolved and test cases need to be written to ensure proper functioning of the library, now and in the future.

Additionally, TLS-KDH relies on RFC7250 (https://tools.ietf.org/html/rfc7250). The functionality described in this RFC is not yet implemented in any TLS library and concerns Raw public keys. As part of our TLS-KDH implementation we have implemented RFC7250 partially (what was needed for TLS-KDH). However, we have noticed the interest of the GnuTLS community in the complete RFC7250 functionality. Therefore, in order to deliver a complete ‘product’ we also want to implement the rest of RFC7250 and incorporate it into GnuTLS. Thereby creating the first TLS library that support Raw public keys.

This enables a more light-weight mechanism for transmitting public key material between peers. Finally, to ease adoption of the TLS-KDH mechanism and to provide in a default Kerberos binding for TLS, we want to implement a gnutls - krb5 library (similar to the already existing gnutls-dane library).

The current TLS-KDH implementation separates the TLS and Kerberos layers by design. While this is good design practice and offers the user great flexibility for choosing its own Kerberos implementation, it also requires (a lot) more work to be done in order to get the TLS-KDH mechanism going. By introducing a gnutls - krb5 library ( choosing MIT Krb5 ) users can benefit from a default TLS Kerberos binding thereby relieving themselves from having to implement such a binding. It therefore eases adoption and use of the TLS-KDH mechanism. At the same time, keeping the TLS and Kerberos layers separated still enables different Kerberos libraries to be used when desired. Also a layered architecture works in favor of code acceptance.

Read more about TLS-KDH, ARPA2 Steamworks, Remote PKCS#11, Key Management.

Vita — A fast IPSEC-based VPN gateway
logo

VPN technology is a key enabler for end user security in insecure environments. Vita aims to achieve high performance (beyond 10G speeds) on commodity server hardware. Vita is intended to be both simple in terms of code, as well as in terms of deployment, and non-invasive to deploy in existing networks. Vita also strives to be affordable, in terms of both energy footprint and cost of maintenance: its goal is to make the best possible use of commodity hardware while remaining easy to deploy safely.

Read more about Vita.

WireGuard — A fast and modern VPN that utilizes state-of-the-art cryptography
logo

In hostile environments such as the open internet, Virtual Private Network technology play a major role in protecting users both from snooping and malicious traffic injection. WireGuard is a general purpose VPN - the new kd on the block that is fast, simple and lean. It can run on embedded interfaces and super computers alike, fit for many different circumstances. Its goal is to be the most secure, easiest to use, and simplest VPN solution in the industry.

Read more about WireGuard.

WPIA CA Infrastructure — Deployment infrastructure for certificate authorities
logo

World Privacy and Identity Association is an effort to create and setup a Trusted Service Provider to deploy digital certificates to the public for free. One part of this project (and the association behind it) is the development of software to setup and operate a Certificate Authority. The software is developed from scratch, and is released under an AGPL license. The repository resides on code.wpia.club.

The primary goal of the publication of the software is to grant check and control to the public. Trust is the basis of all. If someone wants to use the software for his own business he may do so. The real target of the project is to provide individuals and organisations with reliable and accountable digital certificates using PKI technique. Certificates should always match the CA/Browser Forum Baseline Requirements and be compatible with ETSI. Individuals will get their certificates for free (free as in free beer). Digital certificates help all people to keep fundamental rights as e.g. privacy and identity. As such, WPIA intends to provide an alternative to Let’s Encrypt.

Read more about WPIA CA Infrastructure.

lib25519: Secure and efficient computation of X25519 and Ed25519

Modern network protocols rely on elliptic-curve cryptography (ECC) to protect communication against espionage and sabotage. ECC is faster than RSA, but it still consumes many CPU cycles, especially when an attacker floods a server's CPU with requests. This project's lib25519 is a new software library for the Curve25519 elliptic curve, including the X25519 encryption system and the Ed25519 signature system. Curve25519 is the fastest curve in TLS 1.3, and the only curve in Wireguard, Signal, and many other applications. This library exploits the features of Intel CPUs to provide top speeds for those CPUs, in particular setting new speed records for X25519 key generation and Ed25519 signing, while meeting the security constraint of not leaking secret information through timing.

Read more about lib25519: Secure and efficient computation of X25519 and Ed25519.