Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] OkayFreedom

Nadim Kobeissi nadim at nadim.cc
Sat Oct 27 14:47:53 PDT 2012


Nice analysis. Pursuant to this, I think downgrading this project from
OkayFreedom to MehFreedom would be more suitable.

NK

On 10/27/2012 1:58 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>> It would serve us all well to remember, when discussing such technologies
>> in the future, to always ask ourselves these standard questions (or these
>> questions that should be standardized:)
> 
> I agree about your questions and I'd suggest they are too limited. I
> would add these (as a general set of thoughts - this isn't inclusive):
> 
>   Is it Free software?
>   Do they comply with the Free Software licenses?
>   Is it documented in any meaningful manner?
>   Is there another independent implementation, if a new/custom protocol?
>   Does it have any proprietary components? What are they?
>   Does it use a centralized system? Which ones?
>   Are users able to measure any properties of the system?
>   Does it have a policy about interception?
>   Does it have a policy about legal data requests?
> 
> The list goes on but I'd rather skip to look at the thing itself. I
> added some notes on it below this text...
> 
>>
>> A1. How much trust do I need to invest in the integrity and statements of
>> *people* in order for this service to be secure?
>> A2. What initiatives have those people taken to detach the project's
>> security from their personal effects?
>> A3. Is the infrastructure centralized? IHow valuable is its compromise to
>> an antagonist?
>> A4. Will my privacy be affected by changing tides of geopolitics if I rely
>> on this service?
>>
>> These questions can truly act as a time-saving model. That being said, I
>> also have some technical qualms with OkayFreedom after briefly analyzing it:
>>
>> B1. OkayFreedom, an anonymity service, harvests information on its users
>> via Google Analytics.
>> B2. OkayFreedom software is offered for download via HTTP and not HTTPS. It
>> is trivial for Iranian authorities to fatally exploit this.
>> B3. OkayFreedom does not make its source code available for audit by
>> security experts. This is seriously unscientific and provides no manner for
>> an empirical justification of privacy promises. This sort of thing makes
>> questions sch as A1 yield dangerous answers.
>> B4. OkayFreedom places cookies, or identifying information, inside user's
>> browsers, which may of use by antagonist computer forensic entities.
>> B5. OkayFreedom shows advertising to its users; the advertising code is
>> provided by third parties and may contain its own identifying code. This is
>> a frequent hole.
>> B6. OkayFreedom mandatorily asks for my email address and makes it clear
>> that it will share it with commercial sponsors. This is not anonymous.
>> B7. OkayFreedom's installation process is unusually pervasive: The
>> software, a closed-source binary, injects code into all installed web
>> browsers and installs a network device driver. Coupled with its highly
>> insecure mode of delivery outlined in B2, this could indeed have disastrous
>> consequences.
>>
> 
> Hilariously, they warn you to disable OkayFreedom before asking for
> payment at store2.esellerate.net via HTTPS (
> http://www.okayfreedom.com/interstitial.php?language=en&url=https%3A%2F%2Fsecure.esellerate.net%2Fsecure%2Fprefill.aspx%3Fcmd%3DBUY%26s%3DSTR2099870388%26_cartitem0.SkuRefNum%3DSKU60761706070%26_cartItem0.quantity%3D1%26_cartItem1.SkuRefNum%3DSKU13452973799%26_cartItem1.quantity%3D0%26_cartItem2.SkuRefNum%3DSKU66143195918%26_cartItem2.quantity%3D0%26_cartItem3.SkuRefNum%3DSKU18834812186%26_cartItem3.quantity%3D0%26_Shopper.Language%3DEnglish%26_Shopper.Currency%3DUSD%26_Shopper.BillingCountryCode%3DUS%26_Custom.Data1%3Den%26page%3DOnePageCart.htm
> ):
> 
>   Please deactivate OkayFreedom now
>   If you are already using OkayFreedom, click "Off" in the OkayFreedom
>   menu. You don't have to quit OkayFreedom. Otherwise, your purchase
>   can probably not be processed. Thank you.
> 
> I also love that you can change those url parameters to whatever you'd
> like (as it doesn't use HTTPS or check things internally), eg:
> 
> 
> http://www.okayfreedom.com/interstitial.php?language=en&url=https://crypto.cat
> 
> On install it appears to open a connection to 37.208.111.121 (
> http://www.okayfreedom.com./ ) on port 80 after collecting a user's
> email address. It appears to dwonload okayfreedom.exe by opening a
> connection to file.steganos.com
> http://www.steganos.com/us/products/overview/ - it then runs it
> instantly. So uh, I'm guessing Hello EvilGrade code execution?
> 
> I noticed that someone already scanned it for issues on VirusTotal:
> https://www.virustotal.com/file/46119727a4ebba59596c7ead9b1e5be9aa79518e78d5494b08fe8217f0b4cc94/analysis/
> 
> I uploaded both files that I encountered.
> 
> This is the file for download from the web:
> https://www.virustotal.com/file/2771d24f23549ad46047b425af169edb9fc1fd76e4ceb6aa9217fefd550b1c18/analysis/1351353504/
> 
> This is the actual payload it downloads and runs as the installer:
> https://www.virustotal.com/file/26dd85c8936f2e2264981bcb08bf7fa1a729068c990be23f93bd05db73c73fa1/analysis/1351353535/
> 
> It appears that it tries to install a TAP device managed by
> VPNService.exe - it appears to be the Steganos VPNClient. It touches a
> lot of data on the drive - registry keys and a lot more.
> 
> I presume that this is the software package they rebrand:
> 
> 
> http://www.steganos.com/us/products/secure-surfing/internet-anonym/overview/
> 
> It installs these files:
> 
> Base.res				RenameTAP.exe
> ChannelDefault.res			ResetPendingMoves.exe
> LibShred.dll				ServiceControl.exe
> LocalServerConsole.exe			ShutdownApp.exe
> LocalServerConsole.vshost.exe		SIAVPN2Client.res
> LocalServerConsole.vshost.exe.manifest	sqlite3.dll
> OkayFreedomClient.exe			SteganosUI.res
> OkayFreedomClient.res			Tleilaxu.res
> okayfreedom.crx				toggleds.exe
> okayfreedom_ff				VPNService.exe
> okayfreedom_ff.xpi			XVPNClient_OKAYFREEDOM.res
> OKAYFREEDOM.res				XVPNClient.res
> OkayFreedomUpdater.res			XVPNClient_SIAVPN.res
> openvpn					XVPNClient_SVPNP.res
> openvpn64				XVPNClient_SVPN.res
> prodid					XVPNClient_XVPN.res
> 
> LibShred.dll appears to be this GPL project:
> 
>   http://sourceforge.net/projects/libshred/
> 
> I uploaded a few of those files here:
> 
> https://www.virustotal.com/file/d29dfad73be78d00f0b8fe535c20939eb4b632102e1c250d37b211bc915f82c9/analysis/1351354357/
> 
> https://www.virustotal.com/file/6cfb058b4151f59e6a7da545ca4553f47b24221a255ea5c594c4851b8370040f/analysis/1351354411/
> 
> https://www.virustotal.com/file/23ad5dde8dcbca2af2de6af7b3e859b06c26de6a2409c1763c24f89980a89dbc/analysis/1351354492/
> 
> I found that openvpn/Steganos.txt contains this:
> 
> Applied Patches:
>         ONSA.patch for Steganos OnlineSafe
>         AVPN.patch for Steganos Internet Anonym VPN
>         SVPN.patch for Steganos Secure VPN
> 
> So it looks like they modify OpenVPN before they distribute it.
> Hilariously the OpenVPN license (
> http://openvpn.net/index.php/license.html ) and other related software
> is crazy complicated. Some of it is GPL, some BSD, some GPL with special
> exceptions, etc.
> 
> The ChangeLog included is hilariously old:
> 
> 
>   $Id: ChangeLog 1330 2006-10-01 11:45:06Z james $
> 
>   2006.10.01 -- Version 2.0.9
> 
>   * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
>     published vulnerabilities.
> 
>   * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
>     (Henry Nestler).  The TAP-Win32 driver has now been
>     upgraded to version 8.4.
> 
> I sure hope that isn't the version of OpenSSL they're using! The newest
> binary appears to have been built on 2011-04-26 (openvpn.exe) while
> (openssl.exe) was built on 2009-09-17. Likely some bad bugs in those two
> together...
> 
> They also include two web browser plugins (okayfreedom_ff.xpi and
> okayfreedom.crx) - so I guess their browser plugins are... easy softspots.
> 
> Here is the Firefox url for update checking:
> 
>  https://www.steganos.com/updates/okayfreedom/update_okayfreedom_ff.rdf
> 
> The actual firefox xpi is here:
> 
>  https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xpi
> 
> Info for Firefox is here:
> 
>  https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xhtml
> 
> The Chrome extension is permissive:
> 
>   "permissions": [
> 	"tabs",
>     "http://*/*",
>     "https://*/*"
>   ],
> 
> It updates at this url:
> 
>   https://www.steganos.com/updates/okayfreedom/update_okayfreedom.xml
> 
> It looks also like it opens a connection (this is in both) to some kind
> of controller:
> 
>  var port = "36405";
>  var url = "ws://127.0.0.1:" + port + "/okayfreedomwebsocket";
> 
> 
> It also appears that OkayFreedomClient.exe might run polipo:
> 
> ~/Steganos/polipo/config
> ~/ArchiCrypt/polipo/config
> 
> It looks like this software is probably vulnerable to the attacks I
> mentioned in our vpwned FOCI12 paper, as well as other things. I'd love
> a confirmation from a Windows user who cares enough to test it. I guess
> beta at okayfreedom.com might be a good places to report it, I extracted
> that from OkayFreedomClient.exe, so it might be a bit old.
> 
> There are some other things in that binary that made me laugh a bit:
> 
> /?api=1&lang=%s&cmd=register_account&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off
> 
> /?api=1&lang=%s&cmd=register_plus&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off&key=%s
> 
> /?api=1&lang=%s&cmd=login&fe-login-user=%s&fe-login-pass=%s
> 
> If I had to guess, I'd bet there are some embedded keys for the VPN and
> I'd bet there are some ways to mess with the
> ws://127.0.0.1:36405/okayfreedomwebsocket interface (eg: perhaps by
> sending 'DOCHECK|attackerexample.com|0|DE' to it).
> 
> I'm guessing this is a reverse engineering project for a budding
> security person wishing to have a field day.
> 
> All the best,
> Jake
> --
> Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 



More information about the liberationtech mailing list