[liberationtech] OkayFreedom

Jacob Appelbaum jacob at appelbaum.net
Sat Oct 27 10:58:21 PDT 2012


Nadim Kobeissi:
> It would serve us all well to remember, when discussing such technologies
> in the future, to always ask ourselves these standard questions (or these
> questions that should be standardized:)

I agree about your questions and I'd suggest they are too limited. I
would add these (as a general set of thoughts - this isn't inclusive):

  Is it Free software?
  Do they comply with the Free Software licenses?
  Is it documented in any meaningful manner?
  Is there another independent implementation, if a new/custom protocol?
  Does it have any proprietary components? What are they?
  Does it use a centralized system? Which ones?
  Are users able to measure any properties of the system?
  Does it have a policy about interception?
  Does it have a policy about legal data requests?

The list goes on but I'd rather skip to look at the thing itself. I
added some notes on it below this text...

> 
> A1. How much trust do I need to invest in the integrity and statements of
> *people* in order for this service to be secure?
> A2. What initiatives have those people taken to detach the project's
> security from their personal effects?
> A3. Is the infrastructure centralized? How valuable is its compromise to
> an antagonist?
> A4. Will my privacy be affected by changing tides of geopolitics if I rely
> on this service?
> 
> These questions can truly act as a time-saving model. That being said, I
> also have some technical qualms with OkayFreedom after briefly analyzing it:
> 
> B1. OkayFreedom, an anonymity service, harvests information on its users
> via Google Analytics.
> B2. OkayFreedom software is offered for download via HTTP and not HTTPS. It
> is trivial for Iranian authorities to fatally exploit this.
> B3. OkayFreedom does not make its source code available for audit by
> security experts. This is seriously unscientific and provides no manner for
> an empirical justification of privacy promises. This sort of thing makes
> questions such as A1 yield dangerous answers.
> B4. OkayFreedom places cookies, or identifying information, inside users'
> browsers, which may be of use to antagonist computer forensic entities.
> B5. OkayFreedom shows advertising to its users; the advertising code is
> provided by third parties and may contain its own identifying code. This is
> a frequent hole.
> B6. OkayFreedom mandatorily asks for my email address and makes it clear
> that it will share it with commercial sponsors. This is not anonymous.
> B7. OkayFreedom's installation process is unusually pervasive: The
> software, a closed-source binary, injects code into all installed web
> browsers and installs a network device driver. Coupled with its highly
> insecure mode of delivery outlined in B2, this could indeed have disastrous
> consequences.
> 

Hilariously, they warn you to disable OkayFreedom before asking for
payment at store2.esellerate.net via HTTPS (
http://www.okayfreedom.com/interstitial.php?language=en&url=https%3A%2F%2Fsecure.esellerate.net%2Fsecure%2Fprefill.aspx%3Fcmd%3DBUY%26s%3DSTR2099870388%26_cartitem0.SkuRefNum%3DSKU60761706070%26_cartItem0.quantity%3D1%26_cartItem1.SkuRefNum%3DSKU13452973799%26_cartItem1.quantity%3D0%26_cartItem2.SkuRefNum%3DSKU66143195918%26_cartItem2.quantity%3D0%26_cartItem3.SkuRefNum%3DSKU18834812186%26_cartItem3.quantity%3D0%26_Shopper.Language%3DEnglish%26_Shopper.Currency%3DUSD%26_Shopper.BillingCountryCode%3DUS%26_Custom.Data1%3Den%26page%3DOnePageCart.htm
):

  Please deactivate OkayFreedom now
  If you are already using OkayFreedom, click "Off" in the OkayFreedom
  menu. You don't have to quit OkayFreedom. Otherwise, your purchase
  can probably not be processed. Thank you.

I also love that you can change those url parameters to whatever you'd
like (as it doesn't use HTTPS or check things internally), eg:


http://www.okayfreedom.com/interstitial.php?language=en&url=https://crypto.cat

On install it appears to open a connection to 37.208.111.121 (
http://www.okayfreedom.com./ ) on port 80 after collecting a user's
email address. It appears to download okayfreedom.exe by opening a
connection to file.steganos.com
http://www.steganos.com/us/products/overview/ - it then runs it
instantly. So uh, I'm guessing Hello EvilGrade code execution?

I noticed that someone already scanned it for issues on VirusTotal:
https://www.virustotal.com/file/46119727a4ebba59596c7ead9b1e5be9aa79518e78d5494b08fe8217f0b4cc94/analysis/

I uploaded both files that I encountered.

This is the file for download from the web:
https://www.virustotal.com/file/2771d24f23549ad46047b425af169edb9fc1fd76e4ceb6aa9217fefd550b1c18/analysis/1351353504/

This is the actual payload it downloads and runs as the installer:
https://www.virustotal.com/file/26dd85c8936f2e2264981bcb08bf7fa1a729068c990be23f93bd05db73c73fa1/analysis/1351353535/

It appears that it tries to install a TAP device managed by
VPNService.exe - it appears to be the Steganos VPNClient. It touches a
lot of data on the drive - registry keys and a lot more.

I presume that this is the software package they rebrand:


http://www.steganos.com/us/products/secure-surfing/internet-anonym/overview/

It installs these files:

Base.res				RenameTAP.exe
ChannelDefault.res			ResetPendingMoves.exe
LibShred.dll				ServiceControl.exe
LocalServerConsole.exe			ShutdownApp.exe
LocalServerConsole.vshost.exe		SIAVPN2Client.res
LocalServerConsole.vshost.exe.manifest	sqlite3.dll
OkayFreedomClient.exe			SteganosUI.res
OkayFreedomClient.res			Tleilaxu.res
okayfreedom.crx				toggleds.exe
okayfreedom_ff				VPNService.exe
okayfreedom_ff.xpi			XVPNClient_OKAYFREEDOM.res
OKAYFREEDOM.res				XVPNClient.res
OkayFreedomUpdater.res			XVPNClient_SIAVPN.res
openvpn					XVPNClient_SVPNP.res
openvpn64				XVPNClient_SVPN.res
prodid					XVPNClient_XVPN.res

LibShred.dll appears to be this GPL project:

  http://sourceforge.net/projects/libshred/

I uploaded a few of those files here:

https://www.virustotal.com/file/d29dfad73be78d00f0b8fe535c20939eb4b632102e1c250d37b211bc915f82c9/analysis/1351354357/

https://www.virustotal.com/file/6cfb058b4151f59e6a7da545ca4553f47b24221a255ea5c594c4851b8370040f/analysis/1351354411/

https://www.virustotal.com/file/23ad5dde8dcbca2af2de6af7b3e859b06c26de6a2409c1763c24f89980a89dbc/analysis/1351354492/

I found that openvpn/Steganos.txt contains this:

Applied Patches:
        ONSA.patch for Steganos OnlineSafe
        AVPN.patch for Steganos Internet Anonym VPN
        SVPN.patch for Steganos Secure VPN

So it looks like they modify OpenVPN before they distribute it.
Hilariously the OpenVPN license (
http://openvpn.net/index.php/license.html ) and other related software
is crazy complicated. Some of it is GPL, some BSD, some GPL with special
exceptions, etc.

The ChangeLog included is hilariously old:


  $Id: ChangeLog 1330 2006-10-01 11:45:06Z james $

  2006.10.01 -- Version 2.0.9

  * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
    published vulnerabilities.

  * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
    (Henry Nestler).  The TAP-Win32 driver has now been
    upgraded to version 8.4.

I sure hope that isn't the version of OpenSSL they're using! The newest
binary appears to have been built on 2011-04-26 (openvpn.exe) while
(openssl.exe) was built on 2009-09-17. Likely some bad bugs in those two
together...

They also include two web browser plugins (okayfreedom_ff.xpi and
okayfreedom.crx) - so I guess their browser plugins are... easy soft spots.

Here is the Firefox url for update checking:

 https://www.steganos.com/updates/okayfreedom/update_okayfreedom_ff.rdf

The actual firefox xpi is here:

 https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xpi

Info for Firefox is here:

 https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xhtml

The Chrome extension is permissive:

  "permissions": [
	"tabs",
    "http://*/*",
    "https://*/*"
  ],

It updates at this url:

  https://www.steganos.com/updates/okayfreedom/update_okayfreedom.xml

It also looks like it opens a connection (this is in both) to some kind
of controller:

 var port = "36405";
 var url = "ws://127.0.0.1:" + port + "/okayfreedomwebsocket";


It also appears that OkayFreedomClient.exe might run polipo:

~/Steganos/polipo/config
~/ArchiCrypt/polipo/config

It looks like this software is probably vulnerable to the attacks I
mentioned in our vpwned FOCI12 paper, as well as other things. I'd love
a confirmation from a Windows user who cares enough to test it. I guess
beta at okayfreedom.com might be a good place to report it; I extracted
that from OkayFreedomClient.exe, so it might be a bit old.

There are some other things in that binary that made me laugh a bit:

/?api=1&lang=%s&cmd=register_account&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off

/?api=1&lang=%s&cmd=register_plus&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off&key=%s

/?api=1&lang=%s&cmd=login&fe-login-user=%s&fe-login-pass=%s

If I had to guess, I'd bet there are some embedded keys for the VPN and
I'd bet there are some ways to mess with the
ws://127.0.0.1:36405/okayfreedomwebsocket interface (eg: perhaps by
sending 'DOCHECK|attackerexample.com|0|DE' to it).

I'm guessing this is a reverse engineering project for a budding
security person wishing to have a field day.

All the best,
Jake

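The interstitial.php "url" parameter Jake plays with above is an open redirect: the page forwards to whatever it is given. The following is an added example, not code from the original post or from OkayFreedom/Steganos, showing the forwarding behaviour the post describes next to a hardened version that only forwards to https:// URLs on an allowlist. The allowlist contents are an assumption for the example (the two esellerate hosts named in the post); the checks for userinfo ("https://good@evil") and backslashes are the standard pitfalls a host-based allowlist has to cover.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for this example: the payment hosts named in the post.
ALLOWED_HOSTS = {"secure.esellerate.net", "store2.esellerate.net"}


def vulnerable_redirect_target(query: str) -> Optional[str]:
    """Behaviour the post describes: forward to whatever `url` says."""
    params = parse_qs(query)
    return params.get("url", [None])[0]


def safe_redirect_target(query: str) -> Optional[str]:
    """Forward only to https:// on an allowlisted host, else refuse (None)."""
    params = parse_qs(query)
    target = params.get("url", [None])[0]
    if target is None:
        return None
    # Backslashes and control characters get normalised differently by
    # browsers and URL parsers; refuse rather than guess.
    if any(ch in target for ch in "\\\r\n\t\x00"):
        return None
    parts = urlsplit(target)
    if parts.scheme.lower() != "https":
        return None
    # "https://secure.esellerate.net@crypto.cat/" parses with hostname
    # crypto.cat and username secure.esellerate.net: reject any userinfo.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname            # already lower-cased by urlsplit
    if host is None:
        return None
    try:
        if parts.port not in (None, 443):
            return None
    except ValueError:               # malformed port
        return None
    if host.rstrip(".") not in ALLOWED_HOSTS:
        return None
    return target


if __name__ == "__main__":
    q = "language=en&url=https://crypto.cat"
    print("vulnerable ->", vulnerable_redirect_target(q))
    print("hardened   ->", safe_redirect_target(q))
```

The hardened variant still returns the original string (not a re-serialised one) so the esellerate cart parameters survive intact; only the decision whether to forward changes.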


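The register/login strings Jake pulled out of OkayFreedomClient.exe carry the password (and the licence key) in the GET query string, which means every proxy, web server and CDN on the path keeps them in its access log by default. As an added example that is not part of the original post, here is the kind of check an operator would run over such logs: it scans constructed common-log-format lines (sample data made up for this example, built around the parameter names from the post), reports which credential parameters appear, and emits a redacted copy. The parameter names treated as secret are taken from the strings in the post plus "password" as an assumption.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names from the strings in the post, plus a generic one (assumed).
SECRET_PARAMS = {"pass", "pass-cfrm", "fe-login-pass", "key", "password"}

# Constructed sample access log, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2012:10:58:21 -0700] "GET /?api=1&lang=en&cmd=register_account&user=alice&pass=hunter2&pass-cfrm=hunter2&email=alice%40example.org&newsletter=off HTTP/1.1" 200 512
10.0.0.5 - - [27/Oct/2012:10:59:02 -0700] "GET /?api=1&lang=en&cmd=login&fe-login-user=alice&fe-login-pass=hunter2 HTTP/1.1" 200 128
10.0.0.6 - - [27/Oct/2012:11:00:00 -0700] "GET /interstitial.php?language=en&url=https%3A%2F%2Fsecure.esellerate.net%2F HTTP/1.1" 302 0
"""

# Request line inside the quotes of a common-log-format entry.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def scrub_target(target: str) -> Tuple[str, List[str]]:
    """Return (redacted request target, names of secret params found)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found, clean = [], []
    for name, value in pairs:
        if name.lower() in SECRET_PARAMS:
            found.append(name)
            clean.append((name, "REDACTED"))
        else:
            clean.append((name, value))
    if not found:
        return target, []            # leave clean lines byte-for-byte intact
    return parts._replace(query=urlencode(clean)).geturl(), found


def scrub_log(text: str) -> List[Tuple[str, List[str]]]:
    """For each log line return (redacted line, secret params found)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            out.append((line, []))
            continue
        new_target, found = scrub_target(m.group("target"))
        redacted = line[:m.start("target")] + new_target + line[m.end("target"):]
        out.append((redacted, found))
    return out


if __name__ == "__main__":
    for redacted, found in scrub_log(SAMPLE_LOG):
        flag = "CREDENTIALS IN URL: " + ",".join(found) if found else "ok"
        print(flag, "|", redacted)
```

Redacting after the fact is damage control; the point of the post is that the client should never have put these values in the request line, where no amount of TLS keeps them out of server-side logs.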