In the summer of 2011, I spent a few months learning how to effectively reverse engineer Windows software. I'm still learning, and while I have a lifetime of learning to do on the topic, I chose to audit Ultrasurf as a challenge. This research was performed as a labor of love and it was also funded work. My interest in reverse engineering Ultrasurf comes entirely from seeing people promote it without also offering evidence that it is safe. Additionally, a few people had asked me what I thought of the software and, in order to form an opinion, I decided to dig deeper.
Ultrasurf is software produced by the UltraReach company for censorship circumvention, privacy, security and anonymity. Unfortunately for them, I found their claims to be overstated and I found a number of serious problems with Ultrasurf.
Most of my research was done while traveling in Brazil, Canada and Germany, and a very small amount of it was performed in the US. Additionally, a number of interesting data points in my research paper came from interception devices in Syria. As of early April 2012, an independent tester confirmed many of my findings from China; the versions of Ultrasurf tested did directly connect to blocked addresses and did not in fact work at all. Newer versions appear to have different, not yet blocked, addresses baked into the program.
I believe that coordinated disclosure is reasonable in most cases and I ensured that Ultrasurf was notified long before the publication of this blog post. I had a face to face meeting in early December of 2011 to discuss my findings with the lead developer of Ultrasurf and to give them time to fix the problems that I discovered. Ultrasurf updated their website to change a number of their security, privacy and anonymity claims; they did not actually remove all of the bogus claims, merely the most egregious statements. Our meeting was overall quite positive and in fact led me to write notes that may become a second paper.
However, for various reasons, I've had to sit silently on this report for nearly four full months after our December meeting. I believe it is important to ensure that the issues discovered and discussed in my paper are resolved and that users are not kept in harm's way. I have serious concerns about ongoing security issues for the users of Ultrasurf and that is my primary reason for wishing to perform and release this research for all to see.
Here's the abstract of the paper:
Ultrasurf is a proxy-based program promoted for Internet censorship circumvention. This report gives a technical analysis of the Ultrasurf software and network. We present the results of reverse engineering the Ultrasurf client program, give an in-depth study of the known Ultrasurf network, especially those portions that interface in some way with the client or the Internet, and discuss network signatures that would allow an adversary to detect its use on a network. We cover client bootstrapping methods, censorship and censorship resistance, anonymity, user tagging by Ultrasurf and other parties, cryptographic internals and other previously unknown or undiscovered details about the Ultrasurf client and the Ultrasurf network. We find that it is possible to monitor and block the use of Ultrasurf using commercial off-the-shelf software. In particular, BlueCoat sells software and hardware solutions with such capabilities that have been deployed in Syria and other countries.
The vulnerabilities presented in this paper are not merely theoretical in nature; they may present life-threatening danger in hostile situations. We recommend against the use of Ultrasurf for anonymity, security, privacy and Internet censorship circumvention.
The main substance of the paper refutes nearly all of the claims that UltraReach makes on their website about their software Ultrasurf:
This paper addresses the following claims by UltraReach and other Ultrasurf advocates about the Ultrasurf client and Ultrasurf network:
The issues involved in the writing, discussion and publication of this report are the stuff of movies. It has taken ages to publish this report, and attempts at coordinated disclosure have been time consuming, largely fruitless and extremely frustrating. While some of the issues I have identified have been fixed, to the best of my knowledge the most important issues, such as a lack of forward secrecy, remain serious outstanding security issues. Ultrasurf often boasts of their decade-long fight against censorship, and while I respect the spirit of their efforts, I have a hard time respecting the technical implementation. I'm afraid that they've not had forward secrecy in their cryptographic protocol for that entire decade. Ultrasurf also often boasts of being untraceable when in fact they admitted to logging and disclosing user-identifying logs to law enforcement when the data was requested. These kinds of security failures, both social and technical, are simply negligent, and it means that users have been and are likely still in harm's way.
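To make concrete why a missing forward-secrecy property matters for people in hostile situations, here is an added illustration (it is not Ultrasurf's protocol and not code from the report; the report, not this post, describes Ultrasurf's actual cryptographic internals). It compares two toy key exchanges: one where the session key depends on the server's long-term key, and one where both sides use one-time exponents. A passive adversary records the session today; later, when the long-term key is obtained by seizure, compromise or legal demand, the recorded session is decryptable only in the first scheme. The modulus 2**255-19 and the HMAC-based stream cipher are toy parameters chosen so the script runs on the Python standard library; a real system would use an RFC 3526/7919 group or ECDH and an authenticated cipher.

```python
"""Forward secrecy illustrated: a recorded session stays decryptable once
the server's long-term key leaks, unless the key exchange was ephemeral.

Added example, not Ultrasurf's protocol. Toy parameters: the prime is used
for the arithmetic only and is not a vetted DH group."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy modulus (assumption: fine for demonstration, not for use)
G = 2

MESSAGE = b"GET http://blocked.example/ HTTP/1.1"   # constructed sample request


def kdf(shared: int) -> bytes:
    """Derive a 256-bit session key from a DH shared secret (shared < 2**255)."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def session_static_server(server_priv: int) -> dict:
    """No forward secrecy: the client encrypts to the server's LONG-TERM
    public key S = G**s. Only the client side is ephemeral, so anyone who
    later learns s can recompute the session key from the recorded C."""
    server_pub = pow(G, server_priv, P)
    client_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    key = kdf(pow(server_pub, client_priv, P))
    # exactly what a passive eavesdropper can record from the wire
    return {"client_pub": client_pub, "ciphertext": xor_stream(key, MESSAGE)}


def session_ephemeral(server_priv: int) -> dict:
    """Forward secrecy: both sides use fresh one-time exponents. The
    long-term key would normally sign the server's ephemeral share (omitted
    here); it is accepted as a parameter only to show it never enters the
    session key."""
    del server_priv  # deliberately unused
    client_priv = secrets.randbelow(P - 2) + 1
    server_eph_priv = secrets.randbelow(P - 2) + 1
    client_pub = pow(G, client_priv, P)
    server_eph_pub = pow(G, server_eph_priv, P)
    key = kdf(pow(server_eph_pub, client_priv, P))
    # the private exponents go out of scope here; nothing persistent can
    # reproduce the shared secret after this point
    return {"client_pub": client_pub, "server_eph_pub": server_eph_pub,
            "ciphertext": xor_stream(key, MESSAGE)}


def attacker_decrypt(recorded: dict, leaked_server_priv: int) -> bytes:
    """Adversary who recorded the session earlier and later obtains the
    server's long-term private key. Works against the static scheme,
    yields garbage against the ephemeral one."""
    key = kdf(pow(recorded["client_pub"], leaked_server_priv, P))
    return xor_stream(key, recorded["ciphertext"])


if __name__ == "__main__":
    s = secrets.randbelow(P - 2) + 1          # server's long-term secret
    print("static server key, recovered:",
          attacker_decrypt(session_static_server(s), s) == MESSAGE)
    print("ephemeral exchange, recovered:",
          attacker_decrypt(session_ephemeral(s), s) == MESSAGE)
```

The point for users of any circumvention tool is that "the adversary cannot decrypt it today" is not the same as "the adversary can never decrypt it": without ephemeral key agreement, every session an interception device has archived is one key seizure away from being readable.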
I firmly believe that Ultrasurf must publish their full technical specifications, peer review their designs of both obfuscation and cryptography, open their source code for the world to review and they must absolutely discontinue all data retention without exception.
Update:
UltraReach/Ultrasurf have released a response document and a response page that confirms a number of my claims, sidesteps a large swath of them and then attacks me, Tor and others for the report. They specifically claim that what is true in my paper is true only for older versions of Ultrasurf. They do not disclose which versions or when the fixes were released. This is a typical vendor tactic, considering that they pressured me not to release the report until they felt they had been given enough time to fix the issues involved. They also believe that I claim that Ultrasurf was broken, but at no time did I ever claim it was broken; rather, I said it has problems. The claims they made and make do not live up to the implementation of their policies or technical capabilities. This I think is quite reasonable, because their claims were, frankly, entirely unreasonable.
I put a great deal of time and effort into disclosing these report findings to Ultrasurf, in what would be considered both responsible and coordinated fashion; it's too bad that they've decided to ignore most of the findings and to attack me over the indefensible issues.
Another Update: Collin Anderson has written up his view of the disclosure process. He is an independently involved third party that attempted to mediate our disclosure, solutions and a reasonable time frame for all parties involved.
It was funded work. However, I spent a ton of time learning about Windows reversing and other issues in my spare time. I wouldn't have stuck with the project if I hadn't felt personally interested in the topic.
So, please disclose funding. I was going to also ask why this wasn't published somewhere other than a blog... then I read it. There's no science here. No evidence, no reproducible results. It's basically a long rant. Links to other people's work, mixed with opinions.
It's on the Tor blog, I work for Tor. Though most of the work was done by not having weekends or evenings. As far as peer review - I've just done the peer review of Ultrasurf's claims and I encourage them to submit _their_ work for peer review.
You're absolutely able to reproduce the report's results - look at the packet traces, look at what is written to disk, run the binaries in the Appendix and watch the communication with the network blocks listed, crash the program and disassemble the core files, etc.
In any case, I have discussed my results with Ultrasurf and others, including the DETER lab at UC Berkeley, where Ultrasurf confirmed nearly every single issue in the paper, as we went over it, line by line. We've also disputed things at times, obviously. They think that running a single hop proxy is reasonable with data centers in the US - I think that's a rather crazy idea, personally.
In any case, Ultrasurf has actually changed a few things and I'm happy to see the few minor changes that have been made in the last five months. However, I'm quite sad that they're shipping proprietary tools, without peer review, that they were using Google data analytics, that they're unable to patch their server software in a timely manner and so forth. I'm glad they removed the Google Analytics cookie but ironically, they still tag users with a YouTube cookie on their front page. :(
Ultimately, I think the authors of Ultrasurf have their hearts in the right place but without opening up the details, I want to see concrete proof that they have a solid design, not simply assertions about a perfect system, especially with their data retention issues. They've scaled back a few of their claims on their website, which I think is a nice thing, but I'd like to see some technical specifications rather than hand waving.
There's a six page limit for FOCI (which well, I'm on the PC for as well) - I suppose it's possible with my other two submissions but those come first, I think. It's a good suggestion but I suspect I'll end up hashing it out in real time online.
Please note that Ultrasurf replied, confirmed a bunch of my statements, made it a mud slinging battle and then entirely ignored entire swaths of the paper because they didn't understand it at all:
-response-to-Tor-definitive-review.pdf
There is one thing you want to make clear. Tor is competing for funding with Ultrasurf, right? That will explain everything. Why did you spend so many hours not enhancing your system and serving your users, but attacking another system? I will respect you if Tor can allow millions of Chinese users to break the firewall. I challenge you to release your daily traffic statistics and compare with what Ultrasurf has. Sigh, what a waste of time.
An open proxy that broadcasts the fact that you're using Ultrasurf by spamming out weird "chaff" HTTPS requests? An open proxy that auto-updates itself to whatever the Chinese firewall tells it to download?