nadim at nadim.cc
Sat Oct 27 14:47:53 PDT 2012
Nice analysis. Pursuant to this, I think downgrading this project from
OkayFreedom to MehFreedom would be more suitable.
On 10/27/2012 1:58 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>> It would serve us all well to remember, when discussing such technologies
>> in the future, to always ask ourselves these standard questions (or these
>> questions that should be standardized:)
> I agree about your questions and I'd suggest they are too limited. I
> would add these (as a general set of thoughts - this isn't inclusive):
> Is it Free software?
> Do they comply with the Free Software licenses?
> Is it documented in any meaningful manner?
> Is there another independent implementation, if a new/custom protocol?
> Does it have any proprietary components? What are they?
> Does it use a centralized system? Which ones?
> Are users able to measure any properties of the system?
> Does it have a policy about interception?
> Does it have a policy about legal data requests?
> The list goes on but I'd rather skip to look at the thing itself. I
> added some notes on it below this text...
>> A1. How much trust do I need to invest in the integrity and statements of
>> *people* in order for this service to be secure?
>> A2. What initiatives have those people taken to detach the project's
>> security from their personal effects?
>> A3. Is the infrastructure centralized? How valuable is its compromise to
>> an antagonist?
>> A4. Will my privacy be affected by changing tides of geopolitics if I rely
>> on this service?
>> These questions can truly act as a time-saving model. That being said, I
>> also have some technical qualms with OkayFreedom after briefly analyzing it:
>> B1. OkayFreedom, an anonymity service, harvests information on its users
>> via Google Analytics.
>> B2. OkayFreedom software is offered for download via HTTP and not HTTPS. It
>> is trivial for Iranian authorities to fatally exploit this.
>> B3. OkayFreedom does not make its source code available for audit by
>> security experts. This is seriously unscientific and provides no manner for
>> an empirical justification of privacy promises. This sort of thing makes
>> questions such as A1 yield dangerous answers.
>> B4. OkayFreedom places cookies, or identifying information, inside users'
>> browsers, which may be of use to antagonist computer forensic entities.
>> B5. OkayFreedom shows advertising to its users; the advertising code is
>> provided by third parties and may contain its own identifying code. This is
>> a frequent hole.
>> B6. OkayFreedom mandatorily asks for my email address and makes it clear
>> that it will share it with commercial sponsors. This is not anonymous.
>> B7. OkayFreedom's installation process is unusually pervasive: The
>> software, a closed-source binary, injects code into all installed web
>> browsers and installs a network device driver. Coupled with its highly
>> insecure mode of delivery outlined in B2, this could indeed have disastrous
> Hilariously, they warn you to disable OkayFreedom before asking for
> payment at store2.esellerate.net via HTTPS (
> Please deactivate OkayFreedom now
> If you are already using OkayFreedom, click "Off" in the OkayFreedom
> menu. You don't have to quit OkayFreedom. Otherwise, your purchase
> can probably not be processed. Thank you.
> I also love that you can change those url parameters to whatever you'd
> like (as it doesn't use HTTPS or check things internally), eg:
> On install it appears to open a connection to 184.108.40.206 (
> http://www.okayfreedom.com./ ) on port 80 after collecting a user's
> email address. It appears to download okayfreedom.exe by opening a
> connection to file.steganos.com
> http://www.steganos.com/us/products/overview/ - it then runs it
> instantly. So uh, I'm guessing Hello EvilGrade code execution?
> I noticed that someone already scanned it for issues on VirusTotal:
> I uploaded both files that I encountered.
> This is the file for download from the web:
> This is the actual payload it downloads and runs as the installer:
> It appears that it tries to install a TAP device managed by
> VPNService.exe - it appears to be the Steganos VPNClient. It touches a
> lot of data on the drive - registry keys and a lot more.
> I presume that this is the software package they rebrand:
> It installs these files:
> Base.res RenameTAP.exe
> ChannelDefault.res ResetPendingMoves.exe
> LibShred.dll ServiceControl.exe
> LocalServerConsole.exe ShutdownApp.exe
> LocalServerConsole.vshost.exe SIAVPN2Client.res
> LocalServerConsole.vshost.exe.manifest sqlite3.dll
> OkayFreedomClient.exe SteganosUI.res
> OkayFreedomClient.res Tleilaxu.res
> okayfreedom.crx toggleds.exe
> okayfreedom_ff VPNService.exe
> okayfreedom_ff.xpi XVPNClient_OKAYFREEDOM.res
> OKAYFREEDOM.res XVPNClient.res
> OkayFreedomUpdater.res XVPNClient_SIAVPN.res
> openvpn XVPNClient_SVPNP.res
> openvpn64 XVPNClient_SVPN.res
> prodid XVPNClient_XVPN.res
> LibShred.dll appears to be this GPL project:
> I uploaded a few of those files here:
> I found that openvpn/Steganos.txt contains this:
> Applied Patches:
> ONSA.patch for Steganos OnlineSafe
> AVPN.patch for Steganos Internet Anonym VPN
> SVPN.patch for Steganos Secure VPN
> So it looks like they modify OpenVPN before they distribute it.
> Hilariously the OpenVPN license (
> http://openvpn.net/index.php/license.html ) and other related software
> is crazy complicated. Some of it is GPL, some BSD, some GPL with special
> exceptions, etc.
> The ChangeLog included is hilariously old:
> $Id: ChangeLog 1330 2006-10-01 11:45:06Z james $
> 2006.10.01 -- Version 2.0.9
> * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
> published vulnerabilities.
> * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
> (Henry Nestler). The TAP-Win32 driver has now been
> upgraded to version 8.4.
> I sure hope that isn't the version of OpenSSL they're using! The newest
> binary appears to have been built on 2011-04-26 (openvpn.exe) while
> (openssl.exe) was built on 2009-09-17. Likely some bad bugs in those two
> They also include two web browser plugins (okayfreedom_ff.xpi and
> okayfreedom.crx) - so I guess their browser plugins are... easy softspots.
> Here is the Firefox url for update checking:
> The actual firefox xpi is here:
> Info for Firefox is here:
> The Chrome extension is permissive:
> "permissions": [
> It updates at this url:
> It looks also like it opens a connection (this is in both) to some kind
> of controller:
> var port = "36405";
> var url = "ws://127.0.0.1:" + port + "/okayfreedomwebsocket";
> It also appears that OkayFreedomClient.exe might run polipo:
> It looks like this software is probably vulnerable to the attacks I
> mentioned in our vpwned FOCI12 paper, as well as other things. I'd love
> a confirmation from a Windows user who cares enough to test it. I guess
> beta at okayfreedom.com might be a good place to report it, I extracted
> that from OkayFreedomClient.exe, so it might be a bit old.
> There are some other things in that binary that made me laugh a bit:
> If I had to guess, I'd bet there are some embedded keys for the VPN and
> I'd bet there are some ways to mess with the
> ws://127.0.0.1:36405/okayfreedomwebsocket interface (eg: perhaps by
> sending 'DOCHECK|attackerexample.com|0|DE' to it).
> I'm guessing this is a reverse engineering project for a budding
> security person wishing to have a field day.
> All the best,
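The post dates the bundled openvpn.exe and openssl.exe from their build timestamps and compares them with the ancient ChangeLog. The following added example (not code from the post or from Steganos) shows how an auditor can pull that link-time date out of a PE image's COFF header and flag components older than a chosen threshold; the file names and dates are constructed samples that mirror the ones the post reports, and real timestamps can be zeroed or forged by the build, so treat the result as a hint rather than proof.

```python
import calendar
import datetime
import struct

# Offsets from the PE/COFF format: e_lfanew lives at 0x3C of the DOS header,
# and the COFF TimeDateStamp sits 8 bytes past the "PE\0\0" signature.
_E_LFANEW_OFFSET = 0x3C
_COFF_TIMESTAMP_OFFSET = 8


def pe_build_time(data: bytes) -> datetime.datetime:
    """Return the linker timestamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, _E_LFANEW_OFFSET)
    # 4-byte signature plus 20-byte COFF header must fit inside the image.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + _COFF_TIMESTAMP_OFFSET)
    return datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)


def pe_build_date(data: bytes) -> str:
    """ISO date (YYYY-MM-DD) on which the image was linked."""
    return pe_build_time(data).date().isoformat()


def is_stale(data: bytes, as_of: str, max_age_days: int = 730) -> bool:
    """True when the image was linked more than max_age_days before as_of."""
    built = pe_build_time(data).date()
    reference = datetime.date.fromisoformat(as_of)
    return (reference - built).days > max_age_days


def fake_pe(year: int, month: int, day: int) -> bytes:
    """Constructed minimal PE image (DOS header + signature + COFF header) for testing."""
    stamp = calendar.timegm((year, month, day, 0, 0, 0))
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, _E_LFANEW_OFFSET, 0x40)
    # Machine=i386, 0 sections, timestamp, no symbols, no optional header, exe flags.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed samples using the build dates the post reports.
    samples = {"openvpn.exe": (2011, 4, 26), "openssl.exe": (2009, 9, 17)}
    for name, (y, m, d) in samples.items():
        image = fake_pe(y, m, d)
        print(name, pe_build_date(image), "STALE" if is_stale(image, "2012-10-27") else "ok")
```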