Ultrasurf: the definitive review

In the summer of 2011, I spent a few months learning how to effectively reverse engineer Windows software. I'm still learning and while I have a lifetime of learning to do on the topic, I chose to audit Ultrasurf as a challenge. This research was performed as a labor of love and it was funded work. My interest in reverse engineering Ultrasurf comes entirely because I have seen people promoting it without also offering evidence that it is safe. Additionally, a few people had asked me what I thought of the software and in order to form an opinion, I decided to dig deeper.

Ultrasurf is software produced by the UltraReach company for censorship circumvention, privacy, security and anonymity. Unfortunately for them, I found their claims to be overstated and I found a number of serious problems with Ultrasurf.

My report is available for download from the following link: https://media.torproject.org/misc/2012-04-16-ultrasurf-analysis.pdf

Most of my research was done while traveling in Brazil, Canada and Germany, and a very small amount of it was performed in the US. Additionally, a number of interesting data points in my research paper came from interception devices in Syria. As of early April 2012, an independent tester confirmed many of my findings from China: the versions of Ultrasurf tested connected directly to blocked addresses and did not in fact work at all. Newer versions appear to have different, not yet blocked, addresses baked into the program.

I believe that coordinated disclosure is reasonable in most cases and I ensured that Ultrasurf was notified long before the publication of this blog post. I had a face-to-face meeting in early December of 2011 to discuss my findings with the lead developer of Ultrasurf and to give them time to fix the problems that I discovered. Ultrasurf updated their website to change a number of their security, privacy and anonymity claims; they did not actually remove all of the bogus claims, merely the most egregious statements. Our meeting was overall quite positive and in fact led me to write notes that may become a second paper.

However, for various reasons, I've had to sit silently on this report for nearly four full months after our December meeting. I believe it is important to ensure that the issues discovered and discussed in my paper are resolved and that users are not kept in harm's way. I have serious concerns about ongoing security issues for the users of Ultrasurf and that is my primary reason for wishing to perform and release this research for all to see.

Here's the abstract of the paper:
Ultrasurf is a proxy-based program promoted for Internet censorship circumvention. This report gives a technical analysis of the Ultrasurf software and network. We present the results of reverse engineering the Ultrasurf client program, give an in-depth study of the known Ultrasurf network, especially those portions that interface in some way with the client or the Internet, and discuss network signatures that would allow an adversary to detect its use on a network. We cover client bootstrapping methods, censorship and censorship resistance, anonymity, user tagging by Ultrasurf and other parties, cryptographic internals and other previously unknown or undiscovered details about the Ultrasurf client and the Ultrasurf network. We find that it is possible to monitor and block the use of Ultrasurf using commercial off-the-shelf software. In particular, BlueCoat sells software and hardware solutions with such capabilities that have been deployed in Syria and other countries.

The vulnerabilities presented in this paper are not merely theoretical in nature; they may present life-threatening danger in hostile situations. We recommend against the use of Ultrasurf for anonymity, security, privacy and Internet censorship circumvention.

The main substance of the paper takes the time to refute nearly all of the claims that UltraReach makes on their website about their software Ultrasurf:
This paper addresses the following claims by UltraReach and other Ultrasurf advocates about the Ultrasurf client and Ultrasurf network:

  1. “Ultrasurf enables users to browse any website freely” — refuted in Section 3.1
  2. “employs a decoying mechanism to thwart any tracing effort of its communication with its infrastructure.” — refuted in Section 5.13
  3. “Protect your privacy online with anonymous surfing and browsing. Ultrasurf hides your IP address, clears
    browsing history, cookies, and more.” — refuted in Section 6.2 and Section 6.3.
  4. “change IP addresses a million times an hour” — refuted in Section 6.1
  5. “Untraceable” — refuted in Section 6.10
  6. “Unblockable: Client uses wide array of discovery mechanisms to find an available proxy server and, when necessary, to switch/hop to avoid tracking/blocking” — refuted in Section 6.8
  7. “Invisible: Leaves no traces on the user’s computer, and its traffic is indistinguishable from normal access to HTTPS sites” — refuted in Section 5.12
  8. “Anonymous: No registration is requires [sic], and no personally identifying information collected” — refuted in Section 6.10
  9. “Tamperproof: Using privately-signed SSL certificates which dont depend on external, potentially compromised CAs (thus preempting MITM attacks), Ultrasurf proactively detects attempts by censors to reverse-engineer, sabotage, or otherwise interfere in the secure operation of the tool” — refuted in Section 5.8.

We conclude that each of these claims is false, incorrect, or misleading.

The issues involved in the writing, discussion and publication of this report are the stuff of movies. It has taken ages to publish this report, and attempts at coordinated disclosure have been time consuming, largely fruitless and extremely frustrating. While some of the issues I have identified have been fixed, to the best of my knowledge the most important issues, such as the lack of forward secrecy, remain serious outstanding security issues. Without forward secrecy, an adversary who records encrypted Ultrasurf traffic today and later obtains the long-term key (by seizure, compromise or compulsion) can decrypt everything it recorded. Ultrasurf often boasts of their decade-long fight against censorship and, while I respect the spirit of their efforts, I have a hard time respecting the technical implementation. I'm afraid that they've not had forward secrecy in their cryptographic protocol for that entire decade. Ultrasurf also often boasts of being untraceable when in fact they admitted to logging, and to disclosing user-identifying logs to law enforcement when the data was requested. These kinds of security failures, both social and technical, are simply negligent, and they mean that users have been, and are likely still, in harm's way.
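The forward-secrecy point above is easy to see with a small worked example. The following is an added illustration, not Ultrasurf's code and not a model of its actual exchange (the paper covers the real cryptographic internals): a toy Diffie-Hellman session in which the server reuses one long-term key for every session, next to one in which it generates a fresh key per session. An adversary that recorded the transcript and later obtains the long-term key decrypts the first but not the second. The 1024-bit MODP group, the message and the SHA-256-based stream cipher are toy choices made here, and the ephemeral variant omits the signature a real protocol would use to authenticate the fresh key.

```python
"""Added illustration of why a long-term static key gives no forward secrecy.
This is NOT Ultrasurf's protocol; the group, message and toy cipher are chosen here."""
import hashlib
import secrets
from dataclasses import dataclass

# RFC 2409 group 2 (1024-bit MODP). Fast enough for a demo, too small for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def keypair():
    """Random DH private exponent and its public value g^priv mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared: int) -> bytes:
    """Session key = SHA-256 of the fixed-width DH shared secret."""
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || offset). XOR, so it also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


@dataclass
class Transcript:
    """What a passive network observer records: both public values and the ciphertext."""
    client_pub: int
    server_pub: int
    ciphertext: bytes


def run_session(server_static_priv: int, server_static_pub: int,
                message: bytes, ephemeral_server: bool) -> Transcript:
    """One client->server session. The client is always ephemeral; the server either
    reuses its long-term key (no forward secrecy) or generates a fresh one per session."""
    c_priv, c_pub = keypair()
    if ephemeral_server:
        # Fresh per session and discarded afterwards. A real protocol would have the
        # long-term key sign s_pub so the client can authenticate it; omitted here.
        s_priv, s_pub = keypair()
    else:
        s_priv, s_pub = server_static_priv, server_static_pub
    shared = pow(s_pub, c_priv, P)
    assert shared == pow(c_pub, s_priv, P)  # both sides agree on the same secret
    return Transcript(c_pub, s_pub, stream_xor(derive_key(shared), message))


def attacker_recover(t: Transcript, server_static_priv: int) -> bytes:
    """Attacker who recorded t earlier and has now obtained the server's long-term key.
    Against the static exchange, client_pub^static_priv is exactly the session secret;
    against the ephemeral exchange it is an unrelated value and the output is garbage."""
    shared = pow(t.client_pub, server_static_priv, P)
    return stream_xor(derive_key(shared), t.ciphertext)


def demo(message: bytes = b"GET http://blocked.example/ HTTP/1.1") -> dict:
    """Returns whether the later key compromise recovers the message in each mode."""
    s_priv, s_pub = keypair()
    static_t = run_session(s_priv, s_pub, message, ephemeral_server=False)
    ephemeral_t = run_session(s_priv, s_pub, message, ephemeral_server=True)
    return {
        "static_key_session_recovered": attacker_recover(static_t, s_priv) == message,
        "ephemeral_session_recovered": attacker_recover(ephemeral_t, s_priv) == message,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the static-key session as recovered and the ephemeral one as not: the recorded ciphertext is identical in kind, and the only difference is whether the secret that protected it still exists anywhere after the session ended.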

I firmly believe that Ultrasurf must publish their full technical specifications, peer review their designs of both obfuscation and cryptography, open their source code for the world to review and they must absolutely discontinue all data retention without exception.

I hope you'll enjoy the research presented in the paper and that it will help everyone to move towards building a more secure set of options for users.

Update:
UltraReach/Ultrasurf have released a response document and a response page that confirm a number of my claims, sidestep a large swath of them and then attack me, Tor and others for the report. They specifically claim that what is true in my paper applies only to older versions of Ultrasurf. They do not disclose which versions, or when the fixes were released. This is a typical vendor tactic, especially considering that they pressured me not to release the report until they felt they had been given enough time to fix the issues involved. They also believe that I claim that Ultrasurf was broken, but at no time did I ever claim it was broken; rather, I said it has problems. The claims they made, and still make, are not matched by the policies or technical capabilities actually implemented. I think this conclusion is quite reasonable, because their claims were, frankly, entirely unreasonable.

I put a great deal of time and effort into disclosing these report findings to Ultrasurf, in a way that would be considered both responsible and coordinated. It's too bad that they've decided to ignore most of the findings and to attack me over the indefensible issues.

Another Update: Collin Anderson has written up his view of the disclosure process. He is an independently involved third party that attempted to mediate our disclosure, solutions and a reasonable time frame for all parties involved.

Or proof in fact he didn't really have the working exploit.

There you go again impugning altruism to someone who coercively outs his political enemies in the Internet freedom game.

Then there's this: if Jacob really had found "the same thing that the Chinese government already found" then how come the Chinese government hasn't massively deployed it?

Catherine A. Fitzpatrick

Here is a report from 2009 that finds similar issues and actually, because they're not friendly to Ultrasurf, discloses more detail: https://www.scribd.com/doc/90338145/UltraSurf-analysis-by-Zhang-Lei-in-…

If the Chinese want to harm Ultrasurf users, I believe they could do so - to answer your question - "why haven't they done so?" - how do you know they haven't?

Simply because I assert it is possible, you've decided that the opposite is true?

Your blog posts don't really debunk any of the specific things Jacob Appelbaum talks about. Your blog posts sound much more like a personal attack on him than what he wrote about Ultrasurf. The reply from the Ultrasurf developers is so vague and has no value. It sounds like you were seriously hurt (personally, financially?) by Jacob's review (or "critique") of Ultrasurf.

I have nothing to do with Ultrasurf, have no financial or personal interest in this or any circumvention software, and am just blogging on these issues as I have for seven years.

I sense there's a lot more to this story that the public has a right to know.

I wish UltraSurf didn't go to these lengths to hire someone to slam ioerror. Why not work with us? No harm in adopting ideas from the TOR project for use in the product.

You're accusing UltraSurf of "hiring someone to slam ioerror" without presenting any evidence for it. If "we" (i.e., those of us who support ioerror's paper on its merits) don't like it when others use such a tactic, we ought not do it ourself.

Again, I have no financial or personal interest in Ultrasurf or any circumvention technology, I am not "hired" by anybody (is that how you guys do it yourselves?). I am merely blogging on these issues as I have for seven years. I have no need to work on these projects and I don't believe ioerror has credibility after the way I have seen him behave in debates and in activities like the release of "Collateral Murder" and how it was tendentiously framed.

The public has a right to know.

Catherine A. Fitzpatrick

Ah, so you admit it - you're simply here to slam my report, that you do not understand, because you dislike WikiLeaks and because I refused to engage you in a debate on Twitter?

Kindly take this nonsense elsewhere Catherine A. Fitzpatrick. This is a blog post about Ultrasurf and not about your political views regarding WikiLeaks or your personal hatred for me.

The public has a right to know and when you have something factual to say about Ultrasurf - feel free to come back and share it!

Seth Schoen

April 20, 2012


It's very simple.

Tor vs. Ultrasurf: Tor wins.

Tor is better for circumvention, privacy, security, etc. etc. Also, it's easy to configure Tor in so many ways, and there's so much documentation/manuals/support on it. This means there's always a solution when someone tries to block Tor on a network.

As for Tor "competing" with Ultrasurf for funding. Tor should get the funding since Tor programmers are clearly more dedicated, more open and have a better track record.

I wish that were so. But the thing is, the US government has to encourage competition between competing makers of products... even if one is for-profit and the other isn't. While I do not believe TOR or Ultrasurf are vying for a monopoly, they are both going to continue to receive funds.

Seth Schoen

April 20, 2012


@ioerror

Hi,
In Italy, for about 4 or 5 years now, there's been a magic *free* software, developed by the Italian Kodeware, allowing the dissidents of many countries to create decentralised, indestructible anonymous forums.
They refused for years to release the source code and were very reluctant.
After much pressure from users, they finally said in 2009 "We'll release the code in 3 months" ..
Around the end of *2011* they finally released *part* of the source code.
What do you think about the Osiris software? Is it worth using? Are Kodeware's statements honest or false claims?

quote of the supposed features of Osiris,
from: http://www.osiris-sps.org :

>>*Physical decentralization* Every node shares via P2P copies of portals.
>>No central point to obscure, filter, limit or attack.
>>
>>*Unbreakable* A portal exists until users share it. Redundancy avoids DDOS problems and more.
>>
>>*Anonymous* Impossible to associate an IP address to a user, or to know the complete list of peers that share a portal. TOR-friendly.

Also there's an article in the Italian newspaper LaRepubblica, talking about the Arab Spring riots in Egypt-Syria-Iran-Tunisia and the "fundamental" role of this Italian tool in circumventing regime censorship, protecting activists by allowing anonymous creation of decentralised censorship-resistant forums.
No matter what the government does: it "seems" the p2p infrastructure of Osiris is not attackable, because if the government blocks the connectivity of some nodes, there will be many other activist nodes to allow the download and upgrade of the forum, so the forum is indestructible.
Also if, for example, the Syrian police seize the PC of an activist the data will be unusable, because the software leaves no traces of the user's activity on the forum (the posts are all cryptographically authenticated and the storage of each post file on the PC is signed by an encryption key); the police will only find a copy of the forum on the hard disk of the suspect, but will not be able (this is what the developers of Osiris claim ..) to correlate the activist to his own posts.
the article:
http://www.repubblica.it/tecnologia/2011/02/23/news/web_rivolte-12769492

[LaRepubblica is one of the main national newspapers in Italy]
LaRepubblica is generally a good newspaper ... *but* it has very scarce IT knowledge and its articles about technology are almost always low-quality garbage (really an advertisement for a product).
I think this article is superficial and *dangerous*.
Superficial because it's based only upon the Kodeware developers' words.
Dangerous for the users because it makes people think there's this Kodeware *super-anonymous* software (Osiris) that allows one to create bomb-proof anonymous p2p forums, thus protecting the forum and the users from repressive governments.

It is particularly dangerous also in Italy (not only in countries with plain classic dictatorships) because of the political profiling going on in the country. (just google the Telecom Italia** political dossiers and abusive interceptions against activists, journalists and judges)
After this article many others followed, this time in various computer magazines (superficial as usual), reporting the same description released by the authors on the Osiris download page (these are always the same mainstream magazines, bought by many novice readers. Readers use the articles only to learn how to install the software and how to use it. These magazines make *absolutely no study* of how secure, anonymous or resistant the software is.)

**Telecom Italia is Italy's main ISP (dialup, ADSL, optical fibre etc.) - almost 100% of internet traffic in Italy passes through Telecom Italia infrastructure (backbone, AS etc.) -, phone provider (over 90% of the market) and big mobile provider (30-40% of the market).

There have been many critiques of Osiris on some p2p forums where the software was promoted.
For example on TNTvillage (a bittorrent forum http://forum.tntvillage.scambioetico.org ) Clodo (the boss-developer of Osiris) and others periodically present Osiris as an anti-censorship tool.
The TNT admin (absolutely *NOT* a computer nerd - he's only an over-60 politician) is seriously thinking of migrating the tntvillage forum to the Osiris platform (thus putting the users of the forum in clear danger, in case the anti-p2p AGCOM measure passes, because the migration will create a *false sense* of security and anonymity for the users).

On the TNTvillage forum some skilled programmers stated that Osiris seems to be *absolutely insecure*.
It may not be so 'indestructible', and there's a possibility that the posts signed with the activist's encryption key could instead be used by the police as evidence against the activist, because they certify the authorship of the posts written by an activist whose computer has been seized (aka: the opposite of the supposed anonymity).
Strange thing: the Osiris client needs to connect to Kodeware servers to "bootstrap".
(ok, Tor also needs to do something similar, but Kodeware is not the Tor Project and Osiris is not completely open source. Kodeware isn't even a non-profit association, it seems to be a firm .. financed by .. who knows ?!?)

Some links:

Multilanguage: (ita/eng)

Kodeware (the authors of Osiris) http://osiris.kodeware.net

Osiris forum http://www.osiris-sps.org

Wikipedia page about Osiris https://en.wikipedia.org/wiki/Osiris_(Serverless_Portal_System)

Kodeware developers statements in various italian forums:

The topic on TNTvillage forum, about Osiris and the tnt transition to Osiris: http://forum.tntvillage.scambioetico.org/tntforum/index.php?showtopic=1…
(it contains many criticisms, especially by user 'franzauker2' of Clodo, a developer of Osiris, about the flawed architecture of that software)

The topic on the IsleofTortuga forum, about the (failed) migration of ColomboBt (a bittorrent forum) to Osiris (they finally chose I2P).
It's shocking to read Clodo replying to the 'key->signature->authorship' issue with "Ok, so Osiris is not anonymous, but this is not the point! Osiris's goal is to be indestructible; anonymity is a secondary option" ...
http://www.isleoftortuga.org/forum/index.php?showtopic=109870
After those posts by Clodo nothing changed on the Osiris download page: they continue to call it an 'anonymous tool'.

Also, for marketing purposes, they recently made a 'slide image' on the download page, so that when the anonymous catch-phrase appears the background image changes to a Guy Fawkes mask. :|

Another issue of value is denial of service:
The Osiris serverless forums are ruled by 'reputation' .
If user A likes user B and user B dislikes user C's posts ...
user A will no longer be able to read user C's posts because user A trusts user B.
So what happens if user A trusts B, who trusts D, who trusts ... etc. etc. ... who trusts Z, who dislikes 50% of the users?!?

Many people posed this question to Clodo and the other Osiris developers, with no answer.

I cited that in my report - I don't believe that it is purposeful Malware, I think if anything, those people detected the so called "chaff" traffic and decided it was being remotely controlled. It is an easy mistake to make because without the internal logs, it would appear that the Ultrasurf client is connecting to some Ultrasurf servers and then it makes connections to obviously unrelated servers. That is really odd behavior but the internal logs make it clear - it's supposed to fool people. It's a clever idea but ironically people considered it hostile because generally, it's not a good idea to do that kind of thing.

One of the points I made in the paper is that this traffic is actually handled by Internet Explorer on the system. That means that if the user's IE is unpatched but they otherwise never use it, they will be using it in the background, in a way that may cause them problems but they won't know it.
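A way to check that claim on one's own machine, as an added example that is not part of the original post or of Ultrasurf: run `netstat -bno` in an elevated Command Prompt while the client is active and attribute each connection to the executable that owns it. With `-b`, netstat prints the owning executable in brackets on the line after each connection row, sometimes preceded by the service component that opened the socket. The parser below handles that layout and runs against a constructed sample; `client.exe` stands in for whatever the client binary is actually called, and the addresses are documentation ranges, not real Ultrasurf infrastructure.

```python
"""Added example, not from the original post or from Ultrasurf: attribute the connections
listed by Windows `netstat -bno` (run elevated) to the executable that owns them, so one can
see whether a browser such as iexplore.exe, rather than the circumvention client, is the
process actually talking to the network. SAMPLE below is constructed; client.exe stands in
for whatever the client binary is called and the addresses are documentation ranges."""
import re
from collections import defaultdict

# A connection row: proto, local, remote, optional state (UDP rows have none), PID.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s*$"
)
# With -b, the owning executable appears in brackets on the line(s) after the row.
EXE_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:49711       198.51.100.20:443      ESTABLISHED     3120
 [client.exe]
  TCP    192.0.2.10:49712       203.0.113.7:443        ESTABLISHED     4488
 [iexplore.exe]
  TCP    192.0.2.10:49713       203.0.113.9:80         SYN_SENT        4488
 [iexplore.exe]
  TCP    192.0.2.10:49714       198.51.100.21:443      TIME_WAIT       0
 Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*                                    1204
  Dnscache
 [svchost.exe]
"""


def parse_netstat_b(text):
    """Return one dict per connection row with the owning exe (None if unattributed)."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["exe"] = None
            row["components"] = []
            conns.append(row)
            continue
        if not conns:
            continue  # banner and column-header lines before the first row
        e = EXE_RE.match(line)
        stripped = line.strip()
        if e:
            conns[-1]["exe"] = e.group("exe")
        elif stripped and not stripped.startswith("Can not obtain"):
            conns[-1]["components"].append(stripped)  # e.g. a service name under svchost.exe
    return conns


def remote_endpoints_by_exe(conns):
    """Map owning executable -> set of remote endpoints it is talking to."""
    by_exe = defaultdict(set)
    for c in conns:
        by_exe[c["exe"] or "unknown"].add(c["remote"])
    return dict(by_exe)


def connections_not_owned_by(conns, expected_exe, states=("ESTABLISHED", "SYN_SENT")):
    """Active connections whose owner is not the process you expected to be on the wire.
    Run while only the client is supposed to be active: anything listed here is traffic
    the client has handed to another process (the post's point about IE) or is unrelated."""
    return [
        c for c in conns
        if c["state"] in states and (c["exe"] or "").lower() != expected_exe.lower()
    ]


if __name__ == "__main__":
    rows = parse_netstat_b(SAMPLE)
    for exe, remotes in sorted(remote_endpoints_by_exe(rows).items()):
        print(f"{exe:14} -> {', '.join(sorted(remotes))}")
    for c in connections_not_owned_by(rows, "client.exe"):
        print(f"not client.exe: {c['exe']} (pid {c['pid']}) {c['state']} {c['remote']}")
```

On the constructed sample the two active connections not owned by `client.exe` both belong to `iexplore.exe`, which is exactly the situation the reply above describes. On a real machine, pipe `netstat -bno` into a file and feed that text to `parse_netstat_b` instead of `SAMPLE`; rows marked "Can not obtain ownership information" mean the prompt was not elevated.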

Seth Schoen

April 22, 2012


"Also there's an article in the Italian newspaper LaRepubblica, talking about the Arab Spring riots in Egypt-Syria-Iran-Tunisia and the "fundamental" role ...."

FYI ... Iran has nothing to do with "Arab Spring" !! People use these keywords for more media attention and it's complete B.S.

Seth Schoen

May 02, 2012


So, how about checking out Freegate, a similar proxy tool to Ultrasurf?

It looks better.
It talks about Tor, *not* TBB. But that's ok: Tor and TBB are both part of the Tor Project.

In fact TBB is nothing other than Tor + adapted browser + NoScript + Vidalia.

Seth Schoen

June 11, 2012


Now that UltraReach and Tor have made it possible for foreign country Internet users to circumvent their governments' policies, what am I, as an IT administrator for an important entity trying to secure our country's interests and protect our assets abroad, to do? By your actions you are causing much trouble for our country's businesses and OTHERS. Does the USA matter to you and the developers? I believe that Ultrasurf and Tor are incredible programs and appreciate the concept, but at what cost to our country's security? Please spend some time creating a program that will help me and other admins protect our data systems. If the Chinese people need to get around the Chinese government's policies then they, using all of the money we have been filtering in their direction, can purchase a VSAT system directed at Germany. Why do they have to use the local ISPs?

It depends on what you are talking about when you use the word "security".

Tor increases your country's security, if by "security" you mean "people's security", aka democracy, free speech and free access to information and culture.

Conversely: Tor decreases your country's "security" if by that word you mean control over the people, censorship, profiling etc. etc.

Also, remember that Tor is not 100% robust when the attack comes from a global adversary (NSA, FBI, NATO).

In fact Tor users are 100% anonymous if they are citizens of a non-NATO country (China, Iran, etc.) and are connecting to a non-Chinese/etc. server. This is because China/Iran/etc. has control *only* over its national ISPs.

On the other hand the USA has control over almost every western ISP (USA, EU, AU) and they can use data retention and time correlation analysis to track their citizens (if the citizen connects to a site in a controlled ISP).