Nice analysis. Pursuant to this, I think downgrading this project from OkayFreedom to MehFreedom would be more suitable.
NK

On 10/27/2012 1:58 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>> It would serve us all well to remember, when discussing such technologies in the future, to always ask ourselves these standard questions (or these questions that should be standardized:)
>
> I agree about your questions and I'd suggest they are too limited. I would add these (as a general set of thoughts - this isn't inclusive):
>
> Is it Free software?
> Do they comply with the Free Software licenses?
> Is it documented in any meaningful manner?
> Is there another independent implementation, if a new/custom protocol?
> Does it have any proprietary components? What are they?
> Does it use a centralized system? Which ones?
> Are users able to measure any properties of the system?
> Does it have a policy about interception?
> Does it have a policy about legal data requests?
>
> The list goes on but I'd rather skip to look at the thing itself. I added some notes on it below this text...
>
>> A1. How much trust do I need to invest in the integrity and statements of *people* in order for this service to be secure?
>> A2. What initiatives have those people taken to detach the project's security from their personal effects?
>> A3. Is the infrastructure centralized? How valuable is its compromise to an antagonist?
>> A4. Will my privacy be affected by changing tides of geopolitics if I rely on this service?
>>
>> These questions can truly act as a time-saving model. That being said, I also have some technical qualms with OkayFreedom after briefly analyzing it:
>>
>> B1. OkayFreedom, an anonymity service, harvests information on its users via Google Analytics.
>> B2. OkayFreedom software is offered for download via HTTP and not HTTPS. It is trivial for Iranian authorities to fatally exploit this.
>> B3. OkayFreedom does not make its source code available for audit by security experts. This is seriously unscientific and provides no manner for an empirical justification of privacy promises. This sort of thing makes questions such as A1 yield dangerous answers.
>> B4. OkayFreedom places cookies, or identifying information, inside users' browsers, which may be of use to antagonist computer forensic entities.
>> B5. OkayFreedom shows advertising to its users; the advertising code is provided by third parties and may contain its own identifying code. This is a frequent hole.
>> B6. OkayFreedom mandatorily asks for my email address and makes it clear that it will share it with commercial sponsors. This is not anonymous.
>> B7. OkayFreedom's installation process is unusually pervasive: The software, a closed-source binary, injects code into all installed web browsers and installs a network device driver. Coupled with its highly insecure mode of delivery outlined in B2, this could indeed have disastrous consequences.
>
> Hilariously, they warn you to disable OkayFreedom before asking for payment at store2.esellerate.net via HTTPS (
> http://www.okayfreedom.com/interstitial.php?language=en&url=https%3A%2F%2Fsecure.esellerate.net%2Fsecure%2Fprefill.aspx%3Fcmd%3DBUY%26s%3DSTR2099870388%26_cartitem0.SkuRefNum%3DSKU60761706070%26_cartItem0.quantity%3D1%26_cartItem1.SkuRefNum%3DSKU13452973799%26_cartItem1.quantity%3D0%26_cartItem2.SkuRefNum%3DSKU66143195918%26_cartItem2.quantity%3D0%26_cartItem3.SkuRefNum%3DSKU18834812186%26_cartItem3.quantity%3D0%26_Shopper.Language%3DEnglish%26_Shopper.Currency%3DUSD%26_Shopper.BillingCountryCode%3DUS%26_Custom.Data1%3Den%26page%3DOnePageCart.htm
> ):
>
> Please deactivate OkayFreedom now
> If you are already using OkayFreedom, click "Off" in the OkayFreedom menu. You don't have to quit OkayFreedom. Otherwise, your purchase can probably not be processed. Thank you.
>
> I also love that you can change those url parameters to whatever you'd like (as it doesn't use HTTPS or check things internally), eg:
>
> http://www.okayfreedom.com/interstitial.php?language=en&url=https://crypto.cat
>
> On install it appears to open a connection to 37.208.111.121 ( http://www.okayfreedom.com./ ) on port 80 after collecting a user's email address. It appears to download okayfreedom.exe by opening a connection to file.steganos.com http://www.steganos.com/us/products/overview/ - it then runs it instantly. So uh, I'm guessing Hello EvilGrade code execution?
>
> I noticed that someone already scanned it for issues on VirusTotal:
> https://www.virustotal.com/file/46119727a4ebba59596c7ead9b1e5be9aa79518e78d5494b08fe8217f0b4cc94/analysis/
>
> I uploaded both files that I encountered.
>
> This is the file for download from the web:
> https://www.virustotal.com/file/2771d24f23549ad46047b425af169edb9fc1fd76e4ceb6aa9217fefd550b1c18/analysis/1351353504/
>
> This is the actual payload it downloads and runs as the installer:
> https://www.virustotal.com/file/26dd85c8936f2e2264981bcb08bf7fa1a729068c990be23f93bd05db73c73fa1/analysis/1351353535/
>
> It appears that it tries to install a TAP device managed by VPNService.exe - it appears to be the Steganos VPNClient. It touches a lot of data on the drive - registry keys and a lot more.
>
> I presume that this is the software package they rebrand:
>
> http://www.steganos.com/us/products/secure-surfing/internet-anonym/overview/
>
> It installs these files:
>
> Base.res                                 RenameTAP.exe
> ChannelDefault.res                       ResetPendingMoves.exe
> LibShred.dll                             ServiceControl.exe
> LocalServerConsole.exe                   ShutdownApp.exe
> LocalServerConsole.vshost.exe            SIAVPN2Client.res
> LocalServerConsole.vshost.exe.manifest   sqlite3.dll
> OkayFreedomClient.exe                    SteganosUI.res
> OkayFreedomClient.res                    Tleilaxu.res
> okayfreedom.crx                          toggleds.exe
> okayfreedom_ff                           VPNService.exe
> okayfreedom_ff.xpi                       XVPNClient_OKAYFREEDOM.res
> OKAYFREEDOM.res                          XVPNClient.res
> OkayFreedomUpdater.res                   XVPNClient_SIAVPN.res
> openvpn                                  XVPNClient_SVPNP.res
> openvpn64                                XVPNClient_SVPN.res
> prodid                                   XVPNClient_XVPN.res
>
> LibShred.dll appears to be this GPL project:
>
> http://sourceforge.net/projects/libshred/
>
> I uploaded a few of those files here:
>
> https://www.virustotal.com/file/d29dfad73be78d00f0b8fe535c20939eb4b632102e1c250d37b211bc915f82c9/analysis/1351354357/
>
> https://www.virustotal.com/file/6cfb058b4151f59e6a7da545ca4553f47b24221a255ea5c594c4851b8370040f/analysis/1351354411/
>
> https://www.virustotal.com/file/23ad5dde8dcbca2af2de6af7b3e859b06c26de6a2409c1763c24f89980a89dbc/analysis/1351354492/
>
> I found that openvpn/Steganos.txt contains this:
>
> Applied Patches:
> ONSA.patch for Steganos OnlineSafe
> AVPN.patch for Steganos Internet Anonym VPN
> SVPN.patch for Steganos Secure VPN
>
> So it looks like they modify OpenVPN before they distribute it. Hilariously the OpenVPN license ( http://openvpn.net/index.php/license.html ) and other related software is crazy complicated. Some of it is GPL, some BSD, some GPL with special exceptions, etc.
>
> The ChangeLog included is hilariously old:
>
> $Id: ChangeLog 1330 2006-10-01 11:45:06Z james $
>
> 2006.10.01 -- Version 2.0.9
>
> * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
>   published vulnerabilities.
>
> * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
>   (Henry Nestler). The TAP-Win32 driver has now been
>   upgraded to version 8.4.
>
> I sure hope that isn't the version of OpenSSL they're using! The newest binary appears to have been built on 2011-04-26 (openvpn.exe) while (openssl.exe) was built on 2009-09-17. Likely some bad bugs in those two together...
>
> They also include two web browser plugins (okayfreedom_ff.xpi and okayfreedom.crx) - so I guess their browser plugins are... easy softspots.
>
> Here is the Firefox url for update checking:
>
> https://www.steganos.com/updates/okayfreedom/update_okayfreedom_ff.rdf
>
> The actual firefox xpi is here:
>
> https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xpi
>
> Info for Firefox is here:
>
> https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xhtml
>
> The Chrome extension is permissive:
>
> "permissions": [
>   "tabs",
>   "http://*/*",
>   "https://*/*"
> ],
>
> It updates at this url:
>
> https://www.steganos.com/updates/okayfreedom/update_okayfreedom.xml
>
> It looks also like it opens a connection (this is in both) to some kind of controller:
>
> var port = "36405";
> var url = "ws://127.0.0.1:" + port + "/okayfreedomwebsocket";
>
> It also appears that OkayFreedomClient.exe might run polipo:
>
> ~/Steganos/polipo/config
> ~/ArchiCrypt/polipo/config
>
> It looks like this software is probably vulnerable to the attacks I mentioned in our vpwned FOCI12 paper, as well as other things. I'd love a confirmation from a Windows user who cares enough to test it. I guess [email protected] might be a good place to report it, I extracted that from OkayFreedomClient.exe, so it might be a bit old.
>
> There are some other things in that binary that made me laugh a bit:
>
> /?api=1&lang=%s&cmd=register_account&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off
>
> /?api=1&lang=%s&cmd=register_plus&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off&key=%s
>
> /?api=1&lang=%s&cmd=login&fe-login-user=%s&fe-login-pass=%s
>
> If I had to guess, I'd bet there are some embedded keys for the VPN and I'd bet there are some ways to mess with the ws://127.0.0.1:36405/okayfreedomwebsocket interface (eg: perhaps by sending 'DOCHECK|attackerexample.com|0|DE' to it).
>
> I'm guessing this is a reverse engineering project for a budding security person wishing to have a field day.
>
> All the best,
> Jake
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
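The interstitial.php redirect parameter Jake describes above accepts any destination; as an added example (not code from OkayFreedom, Steganos, or anyone in this thread), this is the server-side allowlist check that page should be doing before honouring `url=`: parse the value, require https, and accept only an exact host from a fixed set. The allowlisted host is the payment host quoted in the mail; the function names and the sample query strings are this example's own.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only host the interstitial is meant to hand
# the user to (taken from the payment URL quoted in the mail).
ALLOWED_REDIRECT_HOSTS = frozenset({"secure.esellerate.net"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """Accept only an absolute https URL whose host is exactly allowlisted.

    Exact host matching rejects lookalike and suffixed domains, scheme-relative
    URLs, and anything that is not https at all.
    """
    try:
        parts = urlsplit(target)
    except ValueError:          # malformed URL (e.g. bad IPv6 literal)
        return False
    if parts.scheme != "https":  # urlsplit already lower-cases the scheme
        return False
    # .hostname is lower-cased and excludes any userinfo or port, so a set
    # membership test is an exact comparison of the real destination host.
    return parts.hostname in allowed_hosts


def redirect_target(query: str) -> Optional[str]:
    """Return the decoded ?url= value from an interstitial query string, or
    None when the parameter is missing, repeated, or fails the allowlist."""
    values = parse_qs(query).get("url", [])
    if len(values) != 1:
        return None
    target = values[0]
    return target if is_safe_redirect(target) else None


if __name__ == "__main__":
    # Constructed query strings in the shape of the two URLs quoted above.
    for q in (
        "language=en&url=https%3A%2F%2Fsecure.esellerate.net%2Fsecure%2Fprefill.aspx%3Fcmd%3DBUY",
        "language=en&url=https://crypto.cat",
    ):
        print(q, "->", redirect_target(q))
```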
