Hackers donate 90% of profit to charity 2019/06/13

NGI Zero awarded two EC research and innovation actions 2018/12/01

EC publishes study on Next Generation Internet 2025 2018/10/05

Bob Goudriaan successor of Marc Gauw 2017/10/12

NLnet Labs' Jaap Akkerhuis inducted in Internet Hall of Fame 2017/09/19

  Help grow the future. Donate

Internet Hardening Fund

NLnet has an open call as well as thematic funds. This page contains an overview of the projects that fall within the topic Internet Hardening Fund. If you cannot find the project you are looking for, please check the alphabetic index.

ARPA2 Steamworks

ARPA2 SteamWorks is a set of tools that co-operate to transmit more-or-less centrally controlled configuration settings over any network, and make these settings available to individual programs. Updates are passed around instantaneously when network connections are good, but the last version of the information can be used when the network temporarily degrades. The project is part of the ARPA2 project, which is engineering towards an overall architecture scalable to run a future internet that is secure by design.

>> Read more about ARPA2 Steamworks

Declarative web service security -- Declarative web service security in NixOS

This project aims to make NixOS the first computer operating system to package TLS Pool as a service component, and will allow to combine the power of declarative packaging with the unique security characteristics of TLS Pool to create a solid and versatile delivery channel for decentralised internet applications.

>> Read more about Declarative web service security


The DIME project has three distinct goals: to make end-to-end email encryption transparent and automatic, to minimize the leakage of metadata, and to enshrine the standards which make automation resistant to manipulation by advanced persistent threats. This has led to the development of a set of protocols and data formats which combine the best of current technologies into an integrated system that gives adequate protection, yet remains flexible. It allows for people to improve their security without sacrificing functionality.

>> Read more about DIME

getdns -- getdns - A reliable DNSSEC providing stub resolver

Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. The getdns library is an modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving; such as DNS over TLS (RFC7858), and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027).

>> Read more about getdns


Gun is a realtime, decentralized, offline-first, graph database engine. GUN works peer-to-peer by design, meaning you have no centralized database server to maintain or that could crash. It allows to build decentralized, federated, or centralized apps. The SEA (Security, Encryption, Authorization) framework allows to use the latest native Web Crypto API for cryptographic functions like ECDSA, PBKDF2, AES, and more. With GUN developers can build fully decentralized end-to-end encrypted applications, using a "web of trust" mechanism.

>> Read more about GUN

Magic Wormhole -- Magic Wormhole + SPAKE2

SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure (read the paper [ local copy ]. It allows to set up an ad hoc encrypted channel between two users that share a combination of words in real-time. Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of the TAHOE-LAFS.

>> Read more about Magic Wormhole


Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances.

>> Read more about Namecoin

nftables-xfrm -- nftables-xfrm

The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework to work with IPSec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4 as well. IPSEC encrypts traffic, providing key features absent in the regular IP layer - like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPSEC capabilities, usability, speed and robustness in many systems.

>> Read more about nftables-xfrm


The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a Cortex-M3 processor and stores all keys in the CPUs flash. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including "post-quantum" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols providing different aspects of overall security.

>> Read more about Pitchfork

PKCS#11 v3 -- PKCS#11 standardisation

PKCS #11 is the de facto standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, biometric data). Due to the age of the standard, it was lacking a number of modern, so called 'quantum-resistant' algorithms. This small project enables open source developers from the Pitchfork project to contribute a number of important algorithms to the OASIS PKCS #11 standards committee in time for the pending new version of PKCS #11.

>> Read more about PKCS#11 v3

Redwax -- Redwax

The Redwax Project provides a number of small and modular security tools to make it easy to build security services on the web. These can be combined to form various types of certificate authorities, issuing certificates with SPKAC and SCEP, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The aim of the project is keep the security footprint and the number of dependencies as low as possible.

>> Read more about Redwax


The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer are stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities — identified by their public key — these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places.

>> Read more about SecuShare

SecuShare-box -- SecuShare Box

An operating system extension for hardware devices that turns them into automatable nodes in a distributed social mesh network, independent of central control. The objective is to offer an alternative to cloud-controlled IoT, empowering the owner of a device instead of its manufacturer. IoT devices are cryptographically linked to their owner's smartphones, PCs or other interfaces, using an initial vicinity rendez-vous procedure, akin to how bluetooth devices "pair". This integrates the new IoT device into the owner's social graph as a resource that can potentially be shared with others without the hassle of exchanging unsafe passwords.

>> Read more about SecuShare-box

Stubby -- Stubby - A DNS Privacy enabled stub resolver

Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server.

>> Read more about Stubby


This project aims to implement the proposed TLS-KDH protocol into a production ready implementation. TLS-KDH is a design from Rick van Rein (ARPA2) that combines the benefits of Kerberos and Diffie-Hellman key exchange into a single unified solution that can be used to add additional security and flexibility to internet resources. Kerberos lends itself well to infrastructure-supported mutual authentication, and can even be used to crossover between realms. A downside of this infrastructure is that a crack of one key can lead to a cascade of reverse-engineered keys. Diffie-Hellman key exchange, nowadays primarily in its Elliptic-Curve variation, can be used to incorporate the desirable property of Forward Secrecy, but its vulnerability to man-in-the-middle attacks must then be overcome by cryptographically binding it to an authentication mechanism. The project will create a production quality implementation based on the open source GnuTLS codebase.

>> Read more about TLS-KDH


VPN technology is a key enabler for end user security in insecure environments. Vita aims to achieve high performance (beyond 10G speeds) on commodity server hardware. Vita is intended to be both simple in terms of code, as well as in terms of deployment, and non-invasive to deploy in existing networks. Vita also strives to be affordable, in terms of both energy footprint and cost of maintenance: its goal is to make the best possible use of commodity hardware while remaining easy to deploy safely.

>> Read more about Vita

Wireguard -- Wireguard

In hostile environments such as the open internet, Virtual Private Network technology play a major role in protecting users both from snooping and malicious traffic injection. WireGuard is a general purpose VPN - the new kd on the block that is fast, simple and lean. It can run on embedded interfaces and super computers alike, fit for many different circumstances. Its goal is to be the most secure, easiest to use, and simplest VPN solution in the industry.

>> Read more about Wireguard


Send in your ideas.
Deadline April 1st, 2020.

Help fundraising for the open internet with 5 minutes of your time

Project list

Project abstracts