Brief summary of circumvention built into FreeU Browser

David Fifield

May 30, 2017, 10:01:32 PM5/30/17
to traff...@googlegroups.com
On or about May 16, 2017, Ukraine blocked various Russian owned
services, including Yandex, VKontakte, and Odnoklassniki.
https://www.rt.com/business/388502-ukraine-bans-vk-yandex/

At the same time, there was a rapid increase in Tor users in Ukraine,
around sevenfold for relay users. Also an increase in Tor Browser
downloads in the en-US (English) and ru (Russian) locales.
https://metrics.torproject.org/userstats-relay-country.html?start=2017-05-01&end=2017-06-15&country=ua&events=off
https://metrics.torproject.org/userstats-bridge-country.html?start=2017-05-01&end=2017-06-15&country=ua
https://metrics.torproject.org/webstats-tb-locale.html?start=2017-05-01&end=2017-06-15

It turns out that part of the increase may be due to FreeU Browser
(https://freeu.online/), a custom version of Chrome that's advertised to
give access to blocked sites. FreeU Browser is being advertised to
Ukrainian users on VKontakte, Odnoklassniki, and Twitter. It turns out
that FreeU Browser was created by Mail.Ru, the Russia-based media
network that owns VKontakte and Odnoklassniki.

Though it is not explicitly stated, FreeU Browser bundles Tor for
circumvention. cacahuatl, valdikss, darkk (from #tor IRC), Roger, and I
did some analysis of how FreeU Browser uses Tor. What follows is a
summary. The full account (plus source code, etc.) is here:
https://bugs.torproject.org/22369. This is preliminary and some of it
may be incorrect.

The tor executable is renamed to "freeu_helper", though various signs
indicate that it is actually tor: a torrc file, various library
dependencies, and a proxy configuration referring to
"SOCKS5 127.0.0.1:9050". It doesn't look like they are using any
pluggable transports.

The tor proxy is only activated for the following domains, and only if
they are determined to be disrupted during browser startup:
* vk.com
* vkontakte.ru
* vk.me
* vk.cc
* ok.ru
* odnoklassniki.ru
* odnoklassniki.ua
* ok.me
* vk-cdn.net
* userapi.com
The selection of domains makes it clear that FreeU Browser is intended
for accessing VKontakte and Odnoklassniki, and not for general-purpose
circumvention.

The browser retrieves the above list of potentially proxied domains
dynamically, by downloading obfuscated JSON from one of the URLs:
* https://update.updtbrwsr.com/blckd.json
* https://update.updtapi.com/blckd.json
* https://update.brwsrapi.com/blckd.json
* https://update.mrbrwsr.com/blckd.json
* https://update.savebrwsr.com/blckd.json
* https://update.svbrwsr.com/blckd.json
The deobfuscation algorithm is simple: decode from UTF-8, then for each
character c, output the byte ((c ^ 1234567890) & 0xff).

The JSON consists of stanzas that look like this:
{
"host": "vk.com",
"endpoint": "https://vk.com/ping.txt",
"hash": "b5b607d573e6a901ef215db6b1247404c92bb9ce"
},
{
"host": "ok.ru",
"endpoint": "https://ok.ru/google55e918a7d2970a76.html",
"hash": "526aabc2501699fdcfe5c58f98db82eed849c904"
},
The "hash" value is the sha1sum of what you get if you download the
"endpoint" URL. We speculate that on startup, the browser fetches each
of the "endpoint" URLs, and compares the result to the "hash". If there
is a mismatch, the associated "host" is marked as needing to be proxied
through Tor.

Before May 25, the "endpoint" URLs used http, not https. Then, it would
have been easy for the censor to fool the browser's blocking-detection
algorithm just by whitelisting the few "endpoint" URLs, or by spoofing
replies having the correct sha1sum.

We don't know what happens if the JSON bootstrap domains
(update.updtbrwsr.com, update.updtapi.com, ...) are blocked.
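The following is an added worked example, not code from the post or from FreeU Browser. It implements the deobfuscation step exactly as the post describes it (decode UTF-8, then emit ((c ^ 1234567890) & 0xff) per character) and the speculated startup check (fetch each "endpoint", compare the SHA-1 of the body with "hash", proxy the "host" on mismatch). The server-side obfuscation routine, the endpoint bodies and the three censor behaviours are assumptions constructed so the example runs offline; the real contents of vk.com/ping.txt and the ok.ru verification page are not known here.

```python
import hashlib
import json

# Constant named in the post. Only its low byte survives the "& 0xff":
# 1234567890 == 0x499602D2, so every character is effectively XORed with 0xd2.
OBF_KEY = 1234567890


def deobfuscate(blob: bytes) -> bytes:
    """Reverse the blckd.json obfuscation as the post describes it:
    decode the download as UTF-8, then output ((c ^ KEY) & 0xff) per character."""
    return bytes((ord(c) ^ OBF_KEY) & 0xff for c in blob.decode("utf-8"))


def obfuscate(plain: bytes) -> bytes:
    """Assumed inverse (the post does not document the server side): since only
    the key's low byte matters, byte b becomes the character b ^ (KEY & 0xff),
    and the resulting string is UTF-8 encoded for transport."""
    return "".join(chr(b ^ (OBF_KEY & 0xff)) for b in plain).encode("utf-8")


def sha1_hex(data: bytes) -> str:
    """The "hash" field is the sha1sum of the endpoint body."""
    return hashlib.sha1(data).hexdigest()


def parse_blocklist(blob: bytes) -> list:
    """Deobfuscate a downloaded blckd.json and return its list of stanzas."""
    return json.loads(deobfuscate(blob).decode("utf-8"))


def hosts_needing_proxy(stanzas, fetch) -> set:
    """Speculated startup check: fetch(url) returns the body as bytes, or None
    when the request fails. A host is routed through Tor when its endpoint
    cannot be fetched or the body's SHA-1 does not match the stanza."""
    proxied = set()
    for s in stanzas:
        body = fetch(s["endpoint"])
        if body is None or sha1_hex(body) != s["hash"]:
            proxied.add(s["host"])
    return proxied


# Constructed sample: made-up endpoint bodies, not the real vk.com/ok.ru content.
GENUINE = {
    "https://vk.com/ping.txt": b"ok\n",
    "https://ok.ru/google55e918a7d2970a76.html": b"google-site-verification: constructed\n",
}
STANZAS = [
    {"host": host, "endpoint": url, "hash": sha1_hex(body)}
    for (url, body), host in zip(GENUINE.items(), ["vk.com", "ok.ru"])
]
# What a blckd.json download would look like under the assumed obfuscation.
SAMPLE_BLCKD_JSON = obfuscate(json.dumps(STANZAS).encode("utf-8"))


def fetch_censored(url):
    """Assumed censor: every vk.com URL is answered with a block page."""
    if "vk.com" in url:
        return b"<html>Access denied</html>"
    return GENUINE.get(url)


def fetch_whitelisting_censor(url):
    """The weakness the post notes for plain-http endpoints: a censor that lets
    the few endpoint URLs through (or spoofs their bodies) but blocks the rest
    of vk.com is never detected, because the hashes still match."""
    if url in GENUINE:
        return GENUINE[url]
    if "vk.com" in url:
        return b"<html>Access denied</html>"
    return None


if __name__ == "__main__":
    stanzas = parse_blocklist(SAMPLE_BLCKD_JSON)
    print(hosts_needing_proxy(stanzas, fetch_censored))              # {'vk.com'}
    print(hosts_needing_proxy(stanzas, fetch_whitelisting_censor))   # set()
    print(hosts_needing_proxy(stanzas, lambda url: None))            # both hosts
```

The `fetch` callable is injected so the detection logic can be exercised against different censor behaviours without network access; a real client would replace it with an HTTPS fetch of each endpoint. The last call shows the open question at the end of the post in miniature: if every endpoint fetch fails, this check routes all listed hosts through Tor, but it says nothing about what happens when the blckd.json bootstrap domains themselves are unreachable.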