The Need for Community Participation and Clear Disclosure Processes in the Case of Ultrasurf
On Monday, April 16 2012, Tor released a long-awaited paper assessing the security of the circumvention and privacy tool Ultrasurf.
Tor’s Disclosure: https://blog.torproject.org/blog/ultrasurf-definitive-review
Ultrasurf’s Response: http://ultrasurf.us/Ultrasurf-response-to-Tor-definitive-review.html
As a party to the disclosure process, I saw a number of occasions where communications broke down over differences of definitions and intent. I had offered to review any draft of Ultrasurf’s response; however, it appears that they chose to publish without consultation. Throughout its existence, Ultrasurf’s support and funding have been hampered by the politics of US-Chinese foreign relations, and its response should be read as a political, rather than technical, rebuttal. The vendor was asked to provide an official, detailed response with the specific intent of correcting outdated information, but declined to do so and instead quietly updated the client recently. The vendor’s statement, in a bit of a crass fashion, raises the issue of language barriers, a point that is exacerbated by the Tor paper and the Ultrasurf reply being written for two separate audiences, so let me correct some of these miscommunications.
“We have pointed out to Tor that the paper does not reflect current versions of Ultrasurf. Unfortunately, the Tor project did not choose to accurately report information in its paper.”
The version that incorporates the latest changes (12.01) was quietly released at the beginning of the week to coincide with the release of the paper.
“Ultrasurf also often boasts of being untraceable when in fact they admitted to logging and disclosing user identifying logs to law enforcement when the data was requested.”
There are two separate issues in play here: traceability and logging. The latter was disclosed voluntarily by the vendor on a number of occasions, and in the statement “Ultrasurf has never disclosed log files to the US government without a warrant.” That statement is incomplete, as it does not address subpoenas or national security letters; as I understand it, they have complied with the former, and the latter I am not sure they are allowed to acknowledge. Ultrasurf’s threat model is concerned solely with the police of authoritarian states; as Chinese expatriates, their understanding of American law is not as nuanced, and US legal process is not thought of as a substantial risk. Ultrasurf has previously presented data at private conferences where IP addresses were visible; however, they now assert that such demonstrations show only country codes, rather than addresses. The vendor categorically states that under no other circumstances was user information made available. These scenarios, and the use of Google Analytics, form the basis of both parties’ opposing claims on log disclosure.
The traceability issue comes into play with the following statement:
“Tor provides no evidence that BlueCoat sells software and hardware that can break Ultrasurf.”
At times Ultrasurf has conflated traceability with claims of decryption. From Jacob’s paper and the vendor’s disclosure, it appears that Ultrasurf uses standard encryption mechanisms that, if properly implemented, are considered reasonably secure. This is a very different matter from detecting Ultrasurf in transit, which Blue Coat and others have claimed to do. Using the traffic noted in §5.8 and §5.13 as indicators, it becomes easy to see how trivial the process of spotting Ultrasurf users can be. I would encourage anyone who is skeptical to try it with the Telecomix logs. In fact, Ultrasurf themselves note “we do not claim that Ultrasurf is untraceable,” a statement that I believe was removed in the website revisions that resulted from both parties’ December meeting.
“For us, one of the most puzzling claims by the Tor researchers is that Ultrasurf is blocked in China.”
This is a difference of definition between Tor and Ultrasurf. Ultrasurf releases new clients with new bootstraps in response to blocking; it is an aggressive mechanism for deploying new entry nodes that, I am impressed to say, seems to work reasonably well for them. However, the exit node IP pool has been consistent for several years and is fairly easy to block. Old versions become obsolete quickly, hence the concern regarding update integrity. The same issue of definitions comes up in whether Ultrasurf is one hop or two, but that is a digression into infrastructure details that I will, at the vendor’s request, not disclose.
“We wish that Tor had approached us first so that we could use the information in the Tor paper as part of our continuing effort to improve user security.”
“Somebody is not being honest. Who do you trust?” – Tor Blog Comment
I believe Ultrasurf is referring to the final copy of the paper, which they received about a week and a half ago. However, as far as I am aware, Ultrasurf was told all of the details during a private meeting in December. As I was familiar with the contents of the paper, I discussed the key points with the vendor in March to ensure that users would not be affected by the release of the paper.
“Moreover, we find Tor’s approach to be disingenuous; while they purport to want to protect Ultrasurf users, their chosen approach is to publicly release a detailed and explicit description of perceived vulnerabilities. Were it not for the fact that the security vulnerabilities identified have either already been closed or are superficial, this would be tantamount to providing oppressive governments with a roadmap to monitor our users and acquire their information.”
“I’m interested in your reply. Also, is it true that Tor and Ultrasurf compete for funding from the same agencies?” – Tor Blog Comment
My understanding is that these agencies have been encouraging security reviews and offering technical assistance to all recipients of Internet Freedom funding. Intention matters when it comes to rhetoric, but the technical results of the paper cannot be decided by whether the author had benevolent or malicious intent. I regret Ultrasurf’s framing of this process, as I was a party to ensuring that the most significant holes were patched before the release of the paper. If the author’s motives had not been responsible or constructive, the vendor would not have been given five months to close the most serious holes. The simple fact of the matter is that the majority of these issues were fixed within a short window leading up to publication and are directly attributable to Tor’s paper.
In the end, I believe the simple answer is for Ultrasurf to drop its branding as a privacy service and participate more openly within the security research community. From my experience studying privacy and circumvention tool use, I suspect most of its users would not mind Google Analytics et al. if they were made aware of it. In countries such as Iran, where proxy service use is common, even detectability is not a substantial issue. The issue is that the majority of the problems raised, and those remaining, run contrary to the advertising claims made by Ultrasurf. There is certainly a space for tools that exist solely to connect people in repressive regimes to Facebook and YouTube. However, this does not negate the responsibility to disclose user risk and maintain the integrity of the infrastructure. There are historical circumstances that have encouraged Ultrasurf to behave in a closed manner, none of which imply that they act in bad faith; I spent a good deal of time on this in the hope that this first round of exchange continues with independent verification of the claims made in their statement, based on technical merits rather than politics.