Ultrasurf: the definitive review

In the summer of 2011, I spent a few months learning how to effectively reverse engineer Windows software. I'm still learning and while I have a lifetime of learning to do on the topic, I chose to audit Ultrasurf as a challenge. This research was performed as a labor of love and it was funded work. My interest in reverse engineering Ultrasurf comes entirely because I have seen people promoting it without also offering evidence that it is safe. Additionally, a few people had asked me what I thought of the software and in order to form an opinion, I decided to dig deeper.

Ultrasurf is software produced by the UltraReach company for censorship circumvention, privacy, security and anonymity. Unfortunately for them, I found their claims to be overstated and I found a number of serious problems with Ultrasurf.

My report is available for download from the following link: https://media.torproject.org/misc/2012-04-16-ultrasurf-analysis.pdf

Most of my research was done while traveling in Brazil, Canada, and Germany, and a very small amount of it was performed in the US. Additionally, a number of interesting data points in my research paper came from interception devices in Syria. As of early April 2012, an independent tester confirmed many of my findings from China; the versions of Ultrasurf tested did directly connect to blocked addresses and did not in fact work at all. Newer versions appear to have different, not yet blocked, addresses baked into the program.

I believe that coordinated disclosure is reasonable in most cases and I ensured that Ultrasurf was notified long before the publication of this blog post. I had a face-to-face meeting in early December of 2011 to discuss my findings with the lead developer of Ultrasurf and to give them time to fix the problems that I discovered. Ultrasurf updated their website to change a number of their security, privacy and anonymity claims; they did not actually remove all of the bogus claims, merely the most egregious statements. Our meeting was overall quite positive and in fact led me to write notes that may become a second paper.

However, for various reasons, I've had to sit silently on this report for nearly four full months after our December meeting. I believe it is important to ensure that the issues discovered and discussed in my paper are resolved and that users are not kept in harm's way. I have serious concerns about ongoing security issues for the users of Ultrasurf and that is my primary reason for wishing to perform and release this research for all to see.

Here's the abstract of the paper:
Ultrasurf is a proxy-based program promoted for Internet censorship circumvention. This report gives a technical analysis of the Ultrasurf software and network. We present the results of reverse engineering the Ultrasurf client program, give an in-depth study of the known Ultrasurf network, especially those portions that interface in some way with the client or the Internet, and discuss network signatures that would allow an adversary to detect its use on a network. We cover client bootstrapping methods, censorship and censorship resistance, anonymity, user tagging by Ultrasurf and other parties, cryptographic internals and other previously unknown or undiscovered details about the Ultrasurf client and the Ultrasurf network. We find that it is possible to monitor and block the use of Ultrasurf using commercial off-the-shelf software. In particular, BlueCoat sells software and hardware solutions with such capabilities that have been deployed in Syria and other countries.

The vulnerabilities presented in this paper are not merely theoretical in nature; they may present life-threatening danger in hostile situations. We recommend against the use of Ultrasurf for anonymity, security, privacy and Internet censorship circumvention.

The main substance of the paper takes the time to refute nearly all of the claims that UltraReach makes on their website about their software Ultrasurf:
This paper addresses the following claims by UltraReach and other Ultrasurf advocates about the Ultrasurf client and Ultrasurf network:

  1. “Ultrasurf enables users to browse any website freely” — refuted in Section 3.1
  2. “employs a decoying mechanism to thwart any tracing effort of its communication with its infrastructure.” — refuted in Section 5.13
  3. “Protect your privacy online with anonymous surfing and browsing. Ultrasurf hides your IP address, clears browsing history, cookies, and more.” — refuted in Section 6.2 and Section 6.3.
  4. “change IP addresses a million times an hour” — refuted in Section 6.1
  5. “Untraceable” — refuted in Section 6.10
  6. “Unblockable: Client uses wide array of discovery mechanisms to find an available proxy server and, when necessary, to switch/hop to avoid tracking/blocking” — refuted in Section 6.8
  7. “Invisible: Leaves no traces on the user’s computer, and its traffic is indistinguishable from normal access to HTTPS sites” — refuted in Section 5.12
  8. “Anonymous: No registration is requires [sic], and no personally identifying information collected” — refuted in Section 6.10
  9. “Tamperproof: Using privately-signed SSL certificates which dont depend on external, potentially compromised CAs (thus preempting MITM attacks), Ultrasurf proactively detects attempts by censors to reverse-engineer, sabotage, or otherwise interfere in the secure operation of the tool” — refuted in Section 5.8.

We conclude that each of these claims is false, incorrect, or misleading.

The issues involved in the writing, discussion and publication of this report are the stuff of movies. It has taken ages to publish this report and attempts at coordinated disclosure have been time consuming, largely fruitless and extremely frustrating. While some of the issues I have identified have been fixed, to the best of my knowledge the most important issues, such as a lack of forward secrecy, remain serious outstanding security issues. Ultrasurf often boasts of their decade long fight against censorship and while I respect the spirit of their efforts, I have a hard time respecting the technical implementation. I'm afraid that they've not had forward secrecy in their cryptographic protocol for that entire decade. Ultrasurf also often boasts of being untraceable when in fact they admitted to logging and disclosing user identifying logs to law enforcement when the data was requested. These kinds of security failures, both social and technical, are simply negligent and it means that users have been and are likely still in harm's way.

I firmly believe that Ultrasurf must publish their full technical specifications, peer review their designs of both obfuscation and cryptography, open their source code for the world to review and they must absolutely discontinue all data retention without exception.

I hope you'll enjoy the research presented in the paper and that it will help everyone to move towards building a more secure set of options for users.

Update:
UltraReach/Ultrasurf have released a response document and a response page that confirms a number of my claims, sidesteps a large swath of them and then attacks me, Tor and others for the report. They specifically claim that what is true in my paper is true only for older versions of Ultrasurf. They do not disclose which versions or when the fixes were released. This is a typical vendor tactic, considering that they pressured me not to release the report until they felt they had been given enough time to fix the issues involved. They also believe that I claim that Ultrasurf was broken, but at no time did I ever claim it was broken; rather, I said it has problems. The claims they made, and still make, are not backed by their implemented policies or technical capabilities. I think this is quite reasonable to point out, because their claims were, frankly, entirely unreasonable.

I put a great deal of time and effort into disclosing these report findings to Ultrasurf - both what would be considered responsible and coordinated - and it's too bad that they've decided to ignore most of the findings and to attack me over the indefensible issues.

Another Update: Collin Anderson has written up his view of the disclosure process. He is an independently involved third party that attempted to mediate our disclosure, solutions and a reasonable time frame for all parties involved.

Anonymous

April 16, 2012

"Ultrasurf also often boasts of being untraceable when in fact they admitted to logging and disclosing user identifying logs to law enforcement when the data was requested."

lolwut? I'll still check your paper to see how you figure it out but otherwise, screw those guys.

Anonymous

April 16, 2012

any idea when the new tor bundles are coming out, please within the next 2 days!!!

Anonymous

April 16, 2012

Did you mean to write "funded" or "unfunded"? A funded labor of love?

It was funded work. However, I spent a ton of time learning about Windows reversing and other issues in my spare time. I wouldn't have stuck with the project if I hadn't felt personally interested in the topic.

Anonymous

April 16, 2012

You won't be taken seriously without two things: disclosure of funding, and peer review.

So, please disclose funding. I was going to also ask why this wasn't published somewhere other than a blog... then I read it. There's no science here. No evidence, no reproducible results. It's basically a long rant. Links to other people's work, mixed with opinions.

Submit this to PETS. I dare you. :)

It's on the Tor blog, I work for Tor. Though most of the work was done by not having weekends or evenings. As far as peer review - I've just done the peer review of Ultrasurf's claims and I encourage them to submit _their_ work for peer review.

You're absolutely able to reproduce the report's results - look at the packet traces, look at what is written to disk, run the binaries in the Appendix and watch the communication with the network blocks listed, crash the program and disassemble the core files, etc.

In any case, I have discussed my results with Ultrasurf and others, including the DETER lab at UC Berkeley, where Ultrasurf confirmed nearly every single issue in the paper, as we went over it, line by line. We've also disputed things at times, obviously. They think that running a single hop proxy is reasonable with data centers in the US - I think that's a rather crazy idea, personally.

In any case, Ultrasurf has actually changed a few things and I'm happy to see the few minor changes that have been made in the last five months. However, I'm quite sad that they're shipping proprietary tools, without peer review, that they were using Google data analytics, that they're unable to patch their server software in a timely manner and so forth. I'm glad they removed the Google analytics cookie but ironically, they still tag users with a Youtube cookie on their front page. :(

Ultimately, I think the authors of Ultrasurf have their hearts in the right place but without opening up the details, I want to see concrete proof that they have a solid design, not simply assertions about a perfect system, especially with their data retention issues. They've scaled back a few of their claims on their website, which I think is a nice thing, but I'd like to see some technical specifications rather than hand waving.

I won't submit the paper to PETS or HOTPETS because I missed the deadline. It makes no sense to wait another full year to disclose the paper.

There's a six page limit for FOCI (which well, I'm on the PC for as well) - I suppose it's possible with my other two submissions but those come first, I think. It's a good suggestion but I suspect I'll end up hashing it out in real time online.

Please note that Ultrasurf replied, confirmed a bunch of my statements, made it a mud slinging battle and then entirely ignored entire swaths of the paper because they didn't understand it at all:
http://ultrasurf.us/Ultrasurf-response-to-Tor-definitive-review.pdf

I suggest you read that response and tell me if it sits right with you?

There is one thing you want to make clear. Tor is competing for funding with Ultrasurf, right? That will explain everything. Why did you spend so many hours not enhancing your system and serving your users, but attacking another system? I will respect you if Tor can allow millions of Chinese users to break the firewall. I challenge you to release your daily traffic statistics and compare them with what Ultrasurf has. Sigh, what a waste of time.

Anonymous

April 16, 2012

Ha. Just finished reading your paper. But at least users in China could treat it as an open proxy to access encrypted versions of Facebook and Twitter, read news, or merely get other circumvention tools.

An open proxy that broadcasts the fact that you're using Ultrasurf by spamming out weird "chaff" HTTPS requests? An open proxy that auto-updates itself to whatever the Chinese firewall tells it to download?

No thanks. Everyone should steer the f*ck clear of this terrible software.

Funny point about those Chaff requests? They're fetched by IE outside of the proxy - so - if you have a remote way to exploit IE on the client side, you can use the Chaff requests as a way to own the user's machine outside of Ultrasurf entirely. This is an architectural issue that is handwaved away and well, I think it's rather serious.

Anonymous

April 17, 2012

From Ultrasurf's response:

"We wish that Tor had approached us first so that we could use the information in the Tor paper as part of our continuing effort to improve user security."

ioerror tells us he contacted ultrasurf 10 months ago. Somebody is not being honest. Who do you trust? :)

Ultrasurf agrees that I met with them in person. That meeting happened in Berkeley during December of last year. It took quite a lot of effort for that meeting to happen and I flew to California to make the meeting.

Anonymous

April 17, 2012

There's a paragraph in the Ultrasurf response that is, I think, worth repeating here, as it's pretty serious stuff:

"Moreover, we find Tor’s approach to be disingenuous; while they purport to want to protect Ultrasurf users, their chosen approach is to publicly release a detailed and explicit description of perceived vulnerabilities. Were it not for the fact that the security vulnerabilities identified have either already been closed or are superficial, this would be tantamount to providing oppressive governments with a roadmap to monitor our users and acquire their information."

I'm interested in your reply. Also, is it true that Tor and Ultrasurf compete for funding from the same agencies?

If Jake with very little resources is able to publish this report, you should assume that many other entities have already done so without publishing their work!

I am referring to Iran, Syria and China's intelligence services!!!!

Right, except the point of Ultrasurf's response is that, in the last decade, these governments have not been able to either block Ultrasurf or intercept user data, despite devoting considerable resources to the task. Is there any evidence that this is not the case?

The Enigma machine was doing pretty well for a while too.

One problem is that an attacker can track their users - there is evidence in Syria of this as provided in the paper - Ultrasurf pretended this was impossible. That is a silly claim. The point is that basically, nothing is undetectable, to claim it is really really sketchy.

Another problem is that they run centralized servers which have been remotely vulnerable and certainly, they're vulnerable to local take over - if you can compromise them - you can push out fake updates or just read log data.

As far as code execution bugs, I hope you're not telling me that I need to write an exploit and own people before you'll believe that it's a problem?

An important question is about process, not about perfection - did they even know these things were possible? What processes did they implement to test to see if they were compromised? Have they ever detected such an attempt? Is this verified by any third party?

Furthermore, I firmly believe it is important to note that they do not consider logging and disclosing those logs under a "legal" process to be a vulnerability. That alone should be cause for alarm but it isn't alone, the other points are still also an issue.

What I find amazing is that the authors of Ultrasurf, a product designed to protect you from state-level oppressive regimes, are complaining about research performed by one person over the course of a few months. It's not a huge leap to expect that if China wanted to figure out how Ultrasurf worked, and attack it, it could do so quite easily.

The security problems identified in Ultrasurf are not superficial. The entire protocol has horrible security flaws in it. If your adversary is China and controls the firewall, at the very least they can easily pinpoint Ultrasurf users through its DNS query signature and weird HTTPS "chaff" requests. At worst, they might be able to hijack the auto-update function and put their own modified version of Ultrasurf onto users' computers.

Read the Tor report, all the way through. It's not superficial stuff, it's basic, core, huge problems with the way Ultrasurf is designed.

I don't feel like we compete but there is almost certainly a funding overlap. I don't actually know very much about the details of Ultrasurf funding but I've heard it is an obscene amount of money for the result. I encourage you to look into the funding sources of Ultrasurf and decide for yourself.

Our financials are posted on our website here: https://www.torproject.org/about/financials.html.en

As far as the details in the report, the main author "Clint" thanked me for not releasing more information. As an example, I believed that there were static cryptographic keys embedded in the Ultrasurf program and "Clint" confirmed this statement. I did not put those keys or anything that looks like a cryptographic key into the paper; nor did I release snort signatures for their obvious and easy to fingerprint DNS queries. I did not release information from our meeting that I felt would be useful to an attacker to harm users but I did release enough information to show that their claims were simply unreasonable.

The authors of Ultrasurf believe that security through obscurity is a reasonable method of defense. I do not believe that an actual Windows reverse engineer would be thwarted by their packer or by any of their attempts at hiding their protocols or other insecurely embedded-in-the-binary data.

I think that telling people about the state of a thing is important and I state very clearly that I'm not some super hacker who broke the internet or Ultrasurf - I found problems, some of which are now corrected, some of which are still not corrected, many of which needed to be disclosed - not the least of which is their data retention/disclosure policy and their lack of forward secrecy. I believe publication of this report will ensure that those two issues are resolved in a safe way and that delay in fact would not help users currently in harm's way.

Anonymous

April 17, 2012

This could be one big laugh, but it's not funny.

UltraSurf, FreeGate and the whole lot of other non-open source and/or one-hop proxies are a detriment to anonymity and privacy for threatened users.

Jacob provided a technical overview of their weaknesses. The reply to Jacob vaguely lists "RSA, RC4, etc." as some cure-all; their developers need to go back and read https://en.wikipedia.org/wiki/Kerckhoffs%27_principle. There is a reason that the vast majority of cryptographers, in addition to any sane security practitioner, hold those values dear.

Vagueness has no place in the implementation of an anonymity service.

It ain't just about buzzwords and claims. It's about design and public review.

Hal Roberts and others at the Berkman Center at Harvard (http://blogs.law.harvard.edu/hroberts/) were a little too nice to tools like UltraSurf (formerly Ultrareach) in their 2007 report at http://cyber.law.harvard.edu/publications/2009/2007_Circumvention_Lands…. Maybe telling it like it is would have allayed some of the UltraSurf developers' "dismay" at Jacob's critique.

A more brutal critique was in order in 2007, like what detracted Haystack http://www.economist.com/node/17043440 in 2007.

To the many who UltraSurf claims as users, please stop. You're putting your trust in a rather shady outfit that doesn't understand the very basics of anonymity services, much less secure software development.

Bravo, Jacob. Now move on to the next crap proxy "solution" please. It might mean someone's life.

Anonymous

April 17, 2012

This is Collin Anderson (@CDA), I wrote some notes about this on my blog, which I share in whole here.

-----------------------
Having been a party to the disclosure process, there were a number of occasions where communications broke down due to differences of definitions and intent. I had offered to review any draft of Ultrasurf’s response, however, it appears that they chose to publish without consultation. Throughout its existence, Ultrasurf’s support and funding has been hampered by the politics of US-Chinese foreign relations, and this document should be read as a political, rather than technical, rebuttal. The vendor was asked to provide an official, detailed response with the specific intent of correcting outdated information, but declined to do so and quietly updated the client recently. The vendor’s statement, in a bit of a crass fashion, brings up the issue of language barriers, a point that is exacerbated by the Tor paper and Ultrasurf reply having two separate audiences, so let me correct some of these miscommunications.

“We have pointed out to Tor that the paper does not reflect current versions of Ultrasurf. Unfortunately, the Tor project did not choose to accurately report information in its paper.”

The version that incorporates the latest changes (12.01) was quietly released at the beginning of the week to coincide with the release of the paper.

“Ultrasurf also often boasts of being untraceable when in fact they admitted to logging and disclosing user identifying logs to law enforcement when the data was requested.”

There are two separate issues in play here: traceability and logging. The latter was disclosed voluntarily by the vendor on a number of occasions and in the statement “Ultrasurf has never disclosed log files to the US government without a warrant.” Here their statement is incomplete as it does not address subpoenas or national security letters; as I understand, they have complied with the former and the latter I am not sure they are allowed to acknowledge. Ultrasurf’s threat model is solely obsessed with the police of authoritarian states; as Chinese expatriates, their understanding of American law is not as nuanced and they do not seem to consider it a substantial risk. Ultrasurf has previously presented data at private conferences where IP addresses were visible; however, they now assert that such demonstrations show country code, rather than address. The vendor categorically states that under no other conditions was such information made available. This, and Google, form the basis of both parties’ opposing claims on log disclosure.

The traceability issue comes into play with the following statement:

“Tor provides no evidence that BlueCoat sells software and hardware that can break Ultrasurf.”

At times Ultrasurf has conflated traceability with claims of decryption. From Jacob’s paper and vendor disclosure, it appears that Ultrasurf uses standard encryption mechanisms that, if properly implemented, are considered reasonably secure. This obviously differs greatly from detecting Ultrasurf in transit, which Blue Coat and others have claimed to do. Using the traffic noted in §5.8 and §5.13 as indicators, it becomes easy to see how trivial the process of spotting Ultrasurf users can be. I would encourage anyone who is skeptical to try with the Telecomix logs. In fact, Ultrasurf themselves note “we do not claim that Ultrasurf is untraceable,” a claim that I believe was removed in the website revisions that resulted from both parties’ December meeting.

“For us, one of the most puzzling claims by the Tor researchers is that Ultrasurf is blocked in China.”

Difference of definition on the part of Tor and Ultrasurf. Ultrasurf releases new clients with new bootstraps in response to blocking — it is an aggressive mechanism of deploying new entry nodes that I am impressed seems to work reasonably well for them. However, the exit node IP pool has been consistent for several years and is pretty easy to block. The same issue of definitions comes up in whether Ultrasurf is one hop or two, but that is a digression that gets into infrastructure details that I will follow the vendor’s request not to disclose.

“We wish that Tor had approached us first so that we could use the information in the Tor paper as part of our continuing effort to improve user security.”

“Somebody is not being honest. Who do you trust?” – Tor Blog Comment

I believe Ultrasurf is referring to the final copy of the paper, which they received about a week and a half ago. However, as far as I am aware, Ultrasurf was told all the details during a private meeting in December. As I was aware of the contents of the paper, the key points were discussed between myself and the vendor in March to ensure that the users would not be affected by the release of the paper.

“Moreover, we find Tor’s approach to be disingenuous; while they purport to want to protect Ultrasurf users, their chosen approach is to publicly release a detailed and explicit description of perceived vulnerabilities. Were it not for the fact that the security vulnerabilities identified have either already been closed or are superficial, this would be tantamount to providing oppressive governments with a roadmap to monitor our users and acquire their information.”

“I’m interested in your reply. Also, is it true that Tor and Ultrasurf compete for funding from the same agencies?” – Tor Blog Comment

My understanding was that these agencies have been encouraging a security review and offering technical assistance to all recipients of Internet Freedom funding. However, where intention matters is when it comes to rhetoric; the technical results of the paper cannot be decided by whether the author has benevolent or malicious intent. I regret Ultrasurf’s framing of this process, as I was a party to ensuring that the most significant holes were patched before the release of the paper. If the author’s motives were not intended to be responsible or constructive, the vendor would not have been given five months to close the most serious holes. The simple fact of the matter is that the majority of these issues were fixed within a short window of lead-up to the publication and are directly attributable to Tor’s paper.

In the end, I believe the simple answer is for Ultrasurf to remove its branding as a privacy service and participate more openly within the security research community. From my experience studying privacy and circumvention tool use, I suspect most of its users would not mind Google Analytics, et al. if they were made aware. In countries such as Iran where proxy service use is common, even detectability is not a substantial issue. The issue is that the majority of the problems raised and remaining run contrary to the advertising claims made by Ultrasurf. There is certainly a space for tools that exist solely to connect people in repressive regimes to Facebook and Youtube. However, this does not negate the responsibility to disclose user risk and maintain the integrity of infrastructure. There are historical circumstances that have encouraged Ultrasurf to behave in a closed manner, none of which imply they act in bad faith; I spent quite a deal of time with the hope that this first round of exchange continues with independent verification of the claims made in their statement and based on technical merits, rather than politics.

Anonymous

April 18, 2012

Forget about Ultrasurf.

Tor = Open Source + peer review + honest about its weaknesses + no censorship in comments or mailing list (not even false assumptions and conspiracy theories are censored)

Ultrasurf = nothing like that. You can't even leave a comment on their site.

Not Open Source? No good network documentation? Don't even bother with such services. Leave that for people with lower anonymity needs.

Anonymous

April 18, 2012

@Collin Anderson
Thank you for the information, Ultrasurf as a brand is a scam, I think.

"From my experience studying privacy and circumvention tool use, I suspect most of its users would not mind Google Analytics"

But it seems that Tor Project users might just as easily be unprotected from this cross-site tracking; what have I missed?

@Tor Project developers I have a few notes, questions and propositions. Please answer and don't take my critical view too personally; I admire what the Tor Project is doing for us.

Could you, please, suggest (in the FAQ, tutorial, via pre-installed extension, in any effective way) the tool to use with the TBB for blocking the cross-site tracking that Google Analytics does?

I have read the https://trac.torproject.org/projects/tor/ticket/3007
and I understand the fingerprinting issue from the https://panopticlick.eff.org/ research (https://panopticlick.eff.org/browser-uniqueness.pdf)

However, from what I have noticed from 1+ year of TBB usage, Google and most of the other majors in tracking know, or easily might know, from the user's IP that the user is a Tor network user. The majority of Internet sites use JavaScript or JavaScript+cookie trackers from these major vendors.

While the site (server) might not separate the Tor user's activity from other users' activity, I think the trackers that exist on the sites will realize Tor is in use, will track and could de-obfuscate the user's activity on a certain Tor exit node IP identity (or, given the stored cookies, on a few more, even if I change the identity by clicking "New Identity"; am I wrong?).

A few hot questions:
How often should I click "New Identity", how often does the identity change, and how does it affect the cookies and trackers from the page I am on while clicking?

Why isn't this important feature documented properly in the FAQ, Help, or Wiki, or what am I missing?

I think that the community needs the option of an open-source, state-of-the-art, auto-updated (somehow, cleverly) "Trackers Blocker", provided as a default in TBB,
because:

1. Potentially, for the site owners that want to obtain the exhaustive browser-activity log of the user, it would be easier to obtain it from the Tracking Vendor they are working with (there are so many, with so many policies) than as a result of more sophisticated attacks that, as I read this blog, the Tor Project is successfully defeating. Obfuscating Tor network usage from the Major Tracking Vendors could be especially ineffective, as their work is usually in detecting proxies and other tools that mess with the tracking results, and Tor is considered as such.

2. I think that Tor exit nodes are continuously "compromised". I think that there are and there would always be lists with the Tor exit IPs (among others), so it would become less and less effective to obfuscate Tor usage by the client from the web servers. Moreover, the fact that the IP is clearly Tor's could protect somebody from prosecution or blacklisting that otherwise might not be done.

3. I understand that TBB with the "Trackers Blocker" enabled would de-obfuscate the usage of the Tor network even more, but without the default "Trackers Blocker" the "fingerprint" of the desperate "Other Trackers Blocker" user of TBB is now endangered.
The current closed proprietary Blocker Vendors offer possibly insecure databases, APIs, traceable update schemes, and the source code itself, with users still forming a variety of fingerprints.

(4. OMG! I can't find any up-to-date, open-source, not-for-profit-foundation-based web Trackers Blocker in use or even in existence!)

Another problem I see is that the current Tor Browser Bundle usage could be dangerous because the user may be unaware, as I was, that the ISP could, if needed, with a high probability of success look up whether the user uses or has used the Tor network at all, by obtaining the public relay list. Am I wrong? Is this being addressed currently by forcing hidden bridges for the user's entry relays, or does the user, due to the lack of bridges, connect to a public relay, or use both variants occasionally? Excuse me if I missed that information on your site.

If he (the TBB user on the default configuration) does connect to the public relay addresses, I think the Tor Project should explicitly state a warning note in which the Tor Project explains these two most important kinds of TBB connection (to the public relays, to the hidden bridges) and why the user from oppressed places should think first and then decide whether he should use bridges exclusively, or whether he could reveal to the ISP the fact that he uses the Tor Network and, from then on, use the public relays exclusively. If you could explain the statistics of the current Tor network to the node maintainers and explain whether newcomers should better start a bridge or something else, given the current live statistics and Tor development strategy, the result would be better for all kinds of Tor usage.

That is why I'm asking you, Tor Project developers, please consider these points and consider asking the community if it is time and if they are willing to stand up in the light, proudly, as the most protected Internet users, and if there is a demand to have another clear and easy option to act as the most "inconspicuous" "average" Internet users.

Maybe you could provide a couple of Browser launch "modes" like:

"Default protection"
like the TBB is now, but with a clear choice for entry-node privacy, where one could understand the difference of using hidden entry bridges forever and choose wisely whether this mode is for him. Without NoScript and HTTPS, as they are adding to the fingerprinting, aren't they?

"Proudly private browsing"
with and without "Trackers blocker" and "Ads blocker" as a part. These should be the very best and of one type, to prevent (by proposing the one strongest implementation) the fingerprinting of the in-use Blockers themselves. Also providing NoScript and HTTPS, sending clear Do-Not-Track header messages. Still asking for the hidden entry bridge node as a default, if it is in line with the current Tor Project, or using the non-hidden way, being completely proud of the security measures but completely aware that the ISP might know your choice as well.
??

Already maintaining the separate obfuscating proxy and all these packages for the various platforms, I think the Tor Project could produce these few other variants as well.

Another point for blocking cross-site tracking is that a user may use the same logged-in account on some popular and tracking-enabled service, even though he has always used the TBB with it, not realizing that the Big Tracker often tracks him on many other sites and finally has the comprehensive activity log anyway.
Here is the official Facebook statement to the EFF on the tracking problem; I think they know the topic:

"Our intentions stand in stark contrast to the many ad networks and data brokers that deliberately and, in many cases, surreptitiously track people to create profiles of their behavior, sell that content to the highest bidder, or use that content to target ads on sites across the Internet."
https://www.eff.org/deeplinks/2011/10/facebook%E2%80%99s-hotel-californ…

Almost none of your comments make any sense to me - the list of exit node IP addresses is public and will always be public. We must assume that the exit nodes are known to be Tor and move on from that point. If it wasn't an assumption, we'd be wrong. Bad guys can always use the network and make such a list - so why even pretend to hide it? It's silly. We must threat model around reality, right?

I think you have some interesting questions but it's pretty hard to dig those out - perhaps consider emailing us about Tor related issues rather than putting these questions in the Ultrasurf thread. Pretty please? :)
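The two points raised above, that the public relay list lets an ISP see whether a client contacts Tor (the question in the earlier comment) and that exit addresses are public and must be assumed known (the reply), can be shown concretely with a small detection script. The following is an added example, not code from the Tor Project or from either commenter: it matches a connection log against a relay list the way a network's own security team would to see its Tor egress. The relay entries and log lines are constructed sample data in RFC 5737 documentation ranges; in practice the relay list would be parsed from the Tor directory consensus, and a client using an unpublished bridge would not appear in it at all, which is exactly why the bridge question matters.

```python
"""Added example: matching connection metadata against a public Tor relay list.

Not Tor Project code. Shows why plain (non-bridge) Tor use is visible to anyone
who sees the client's connection metadata: the relay list is public. The relay
list and the log below are constructed sample data (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass

# Constructed relay list: (ip, OR port, flags). A real list is parsed from the
# directory consensus; bridges are deliberately absent from that consensus.
SAMPLE_RELAYS = [
    ("198.51.100.10", 9001, {"Guard", "Running"}),
    ("198.51.100.11", 443, {"Exit", "Running"}),
    ("203.0.113.5", 9001, {"Guard", "Exit", "Running"}),
]

# Constructed flow log: "timestamp src_ip src_port dst_ip dst_port proto".
# 198.51.100.200 is an ordinary (non-relay) destination; 198.51.100.11:80 is a
# relay's address but not its OR port, so it may be an unrelated web server.
SAMPLE_LOG = """\
2012-04-18T10:00:01Z 192.0.2.20 51234 198.51.100.10 9001 tcp
2012-04-18T10:00:02Z 192.0.2.20 51235 198.51.100.200 443 tcp
2012-04-18T10:00:05Z 192.0.2.21 40001 203.0.113.5 9001 tcp
2012-04-18T10:00:09Z 192.0.2.22 40002 198.51.100.11 80 tcp
"""


@dataclass(frozen=True)
class Match:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: frozenset
    confidence: str  # "high": ip and OR port both match; "low": ip only


def build_relay_index(relays):
    """Index relays by IP -> {OR ports, flags}; rejects malformed addresses."""
    by_ip = {}
    for ip, port, flags in relays:
        ipaddress.ip_address(ip)  # raises ValueError on a bad entry
        entry = by_ip.setdefault(ip, {"ports": set(), "flags": set()})
        entry["ports"].add(port)
        entry["flags"].update(flags)
    return by_ip


def parse_log_line(line):
    """Split one constructed flow-log line into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return ts, src, int(sport), dst, int(dport), proto


def find_tor_connections(log_text, relays):
    """Return every TCP flow whose destination is a listed relay.

    A destination IP that is a relay but on a port other than its OR port is
    reported with low confidence: the host may also run unrelated services.
    """
    index = build_relay_index(relays)
    matches = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, _sport, dst, dport, proto = parse_log_line(raw)
        if proto != "tcp":
            continue
        entry = index.get(dst)
        if entry is None:
            continue
        confidence = "high" if dport in entry["ports"] else "low"
        matches.append(Match(ts, src, dst, dport, frozenset(entry["flags"]), confidence))
    return matches


def clients_by_confidence(matches):
    """Summarize which source addresses contacted relays, grouped by confidence."""
    summary = {}
    for m in matches:
        summary.setdefault(m.confidence, set()).add(m.src_ip)
    return summary


if __name__ == "__main__":
    for m in find_tor_connections(SAMPLE_LOG, SAMPLE_RELAYS):
        print(m.confidence, m.src_ip, "->", f"{m.dst_ip}:{m.dst_port}", sorted(m.flags))
```

The flags on a match tell the two sides of the story apart: a client's traffic lands on Guard relays, which is what an ISP sees, while a web server only ever sees the Exit flag side of the list. The low-confidence branch is the check a practitioner wants before acting on a hit, since relay operators commonly host other services on the same address.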

@ioerror

I'm not at all a native English speaker; please excuse my cumbersome style.

What I've tried to point out is the https://www.mozilla.org/en-US/collusion/demo/ kind of tracking, and that the Tor Project needs to deal with this problem somehow; I have proposed a variant to deal with the problem and tried to show that the problem is worse without the built-in Trackers Blocker than with it.

"We must assume that the exit nodes are known to be Tor and move on from that point."

fine, "so it would become less and less effective to obfuscate the client's Tor usage from the web servers."
so, the Tor Browser Bundle could be enhanced with some default anti-tracker, why not?

The message was written here because I thought that the biggest problem with Ultrasurf and Ultrasurf-like packages is, particularly, that the user thinks the package provides him unmatched privacy and security, and in fact it doesn't, and what is worse, it doesn't under confusing and non-transparent conditions. TBB without some fine Trackers Blocker is now acting on the same stage.

@mikeperry

Thanks a lot for the answer; yes, most of my privacy concerns with the current TBB were described there, and now I see https://trac.torproject.org/projects/tor/ticket/3059
Great job, keep it up please!

Please also understand that the biggest, almost the whole, point of my post was the absence of an enabled or even recommended Trackers Blocker, and the proposition for dealing immediately with this major problem.

See, https://www.torproject.org/projects/torbrowser/design/ states in
3.5. Cross-Origin Identifier Unlinkability
"The Tor Browser MUST prevent a user's activity on one site from being linked to their activity on another site. When this goal cannot yet be met with an existing web technology, that technology or functionality is disabled."
And in my opinion the tech functionality is here in the form of the variety of 3rd-party plugins that people from the Tor community are using, and that is actually a poor choice as it could add to the fingerprinting (and now I know "Design Goal: All plugins that have not been specifically audited or sandboxed MUST be disabled."), so the Tor Project really needs to state clearly the best 3rd-party option for people to use, or enable some solution by default, or both, like I have tried to describe in my message.

I understand that the document you gave the link for is a DRAFT; however,
3.7. Long-Term Unlinkability via "New Identity" button

states that

Implementation Status: First, Torbutton disables all open tabs and windows by tagging them and blocking them via the nsIContentPolicy, and then closes each tab and window.

and that really confuses me and the people I have asked! Could you tell and state somewhere on the TBB part of the site, clearly, what the "New Identity" button does for the New Identity functionality? Does it block the existing cookies, making them useless bugs, or does it only change the exit IP, or the entrance IP as well, or something else? Please understand that the explanation needs to be written for the usual non-tech-savvy users that just want their protection from the project.

Anyway, your work is great, guys; it's just that the TBB is moving too slowly and it isn't really as privacy-protecting as I see it now. It is great that the Tor Project is hiring, as there is so much planned work to be done.

I believe most of your privacy concerns are addressed by the TBB design:
https://www.torproject.org/projects/torbrowser/design/#DesignRequiremen…

In particular, please read the privacy and philosophy subsections:
https://www.torproject.org/projects/torbrowser/design/#privacy
and
https://www.torproject.org/projects/torbrowser/design/#philosophy

See https://trac.torproject.org/projects/tor/ticket/5294 for the ticket to transform this information into a user-readable document.

If you're wondering why a ticket with "Major" priority could go unfinished for so long, please see the ticket queues for Tor Browser and despair:
https://trac.torproject.org/projects/tor/report/38
https://trac.torproject.org/projects/tor/report/39

The project sure could use help, especially for correcting documentation issues like the ones you point out.

Holy cow! I wish I spoke Mandarin - I could have really used that research! Do you have a full copy of the PDF?

Anonymous

April 18, 2012

When you see a country not shutting down a security solution, please don't assume it means it's working. If it is working, every effort will be made to entirely shut it down. However, if it can be compromised, not only will it not be shut down, but it may even be promoted over other solutions that would be more secure, so that a false sense of security can be instilled and monitoring can be maintained. No government such as Syria or China has interests in weeding out the mediocre solutions. Any solution with proprietary code they can compromise, back door, monitor, reverse engineer, MITM, or reasonably attack that is not even this far into peer review is giving them comfort.

Mostly this "cyberwar" stuff is used as a screen to protect financial interests, but places like Syria security and anonymity software is probably protecting - or failing to protect - lives today. I understand from the LiberationTech email list at Stanford that Ultrasurf is very popular there. So, this argument is more than, shall we say, academic.

Speaking for myself, but with the bias and knowledge (and occasional sigh of relief) of being former exec dir of Tor.

Shava Nerad

Anonymous

April 18, 2012

help.html of the current version of Ultrasurf:

"UltraReach Internet Corporation’s next-level solutions as well as real time performance has proven that our system and services are far superior to other existing technologies. Our anti-blocking power, connection and re-connection capabilities and the ability to serve and maintain a very large number of users throughout the world, in countries subjected by their governments to Internet censorship, set us apart. We are the clear leader in Internet anti-jamming technology and among service providers.

Copyright: UltraReach Internet Corporation (C) 2002-2011"

People, wake up . . . It's never too late.

The reason is that the Chinese can actually see what their citizens are up to using UltraSurf. But with TOR they cannot, so they block it. Why block something that doesn't work like it should when it's better to leave it unblocked so they can steal information and then act on it?

Anonymous

April 18, 2012

I am in Syria, and this report is worrying. I myself use the latest snapshot of Tor alone on Linux, but my sister and most of the people that I know use Ultrasurf because it is simply much more tech-dumb-proof,
and because the Tor bundle disables the use of Flash & JS, while Ultrasurf doesn't. So they think that Tor is broken without knowing the full story.

I tell them, but we Arabs LOVE Flash, and most Arabic sites (even political ones) are laden with flashy whistles and animation like a Las Vegas casino, so most Arabic websites won't function without those plugins.
I myself use iptables to disallow anything from going through the clear and force it to pipe through Tor, but on Windows (which everyone else uses) I usually install a cracked firewall software (called Ashampoo) to prevent any misbehaving plugin/software except Tor from reaching the web.
I am not sure how secure that is, though.

Anonymous

April 19, 2012

I think Tor needs to work on getting Flash and JavaScript working in a safe manner.
You can't just disable them and be done.

Years ago I wandered into the rec.martial-arts newsgroup on the old Usenet. There I saw something I'll never forget: a 500+ post thread entitled "Who would win in a fight between Mike Tyson and Bruce Lee?" People had all sorts of beliefs and theories about how to answer that question. But one thing was clear: if you go into a serious dojo and start talking smack about this school or that technique, rather soon you'll be expected to demonstrate it "on the mat". Consequently, while there's no limit to the BSing on the internet, there's a real upper limit to the talk in a serious dojo.

So we could suppose and philosophize and criticise about motivations all day. But thankfully, data security gives us a simple down-to-earth standard of discourse which renders that unnecessary. This gold standard is something called a "working exploit".

Admittedly this will not be clear to the nontechnical reader, but there were several points in this report where Jacob demonstrated his ability to deliver that knockout blow, i.e., develop and release actual software tools to prove these claims unambiguously. That he didn't is evidence of his restraint (clearly this debate would be much shorter had he done so).

I think he didn't because he didn't want to expose Ultrasurf's users to any more risk than necessary, and perhaps even in the hope that Ultrasurf would use the constructive criticism to improve their system. But if, as the vendor would seem to imply, the Ultrasurf system is useful to defend nontechnical users from nation-state attackers, then Jacob's report is the politest and most beneficent "slamming" they (or their users) are ever likely to get.