[liberationtech] OkayFreedom
Nadim Kobeissi
nadim at nadim.cc
Sat Oct 27 14:47:53 PDT 2012
Nice analysis. Pursuant to this, I think downgrading this project from
OkayFreedom to MehFreedom would be more suitable.
NK
On 10/27/2012 1:58 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>> It would serve us all well to remember, when discussing such technologies
>> in the future, to always ask ourselves these standard questions (or these
>> questions that should be standardized:)
>
> I agree about your questions and I'd suggest they are too limited. I
> would add these (as a general set of thoughts - this isn't inclusive):
>
> Is it Free software?
> Do they comply with the Free Software licenses?
> Is it documented in any meaningful manner?
> Is there another independent implementation, if a new/custom protocol?
> Does it have any proprietary components? What are they?
> Does it use a centralized system? Which ones?
> Are users able to measure any properties of the system?
> Does it have a policy about interception?
> Does it have a policy about legal data requests?
>
> The list goes on but I'd rather skip to look at the thing itself. I
> added some notes on it below this text...
>
>>
>> A1. How much trust do I need to invest in the integrity and statements of
>> *people* in order for this service to be secure?
>> A2. What initiatives have those people taken to detach the project's
>> security from their personal effects?
>> A3. Is the infrastructure centralized? How valuable is its compromise to
>> an antagonist?
>> A4. Will my privacy be affected by changing tides of geopolitics if I rely
>> on this service?
>>
>> These questions can truly act as a time-saving model. That being said, I
>> also have some technical qualms with OkayFreedom after briefly analyzing it:
>>
>> B1. OkayFreedom, an anonymity service, harvests information on its users
>> via Google Analytics.
>> B2. OkayFreedom software is offered for download via HTTP and not HTTPS. It
>> is trivial for Iranian authorities to fatally exploit this.
>> B3. OkayFreedom does not make its source code available for audit by
>> security experts. This is seriously unscientific and provides no manner for
>> an empirical justification of privacy promises. This sort of thing makes
>> questions such as A1 yield dangerous answers.
>> B4. OkayFreedom places cookies, or identifying information, inside users'
>> browsers, which may be of use to antagonist computer forensic entities.
>> B5. OkayFreedom shows advertising to its users; the advertising code is
>> provided by third parties and may contain its own identifying code. This is
>> a frequent hole.
>> B6. OkayFreedom mandatorily asks for my email address and makes it clear
>> that it will share it with commercial sponsors. This is not anonymous.
>> B7. OkayFreedom's installation process is unusually pervasive: The
>> software, a closed-source binary, injects code into all installed web
>> browsers and installs a network device driver. Coupled with its highly
>> insecure mode of delivery outlined in B2, this could indeed have disastrous
>> consequences.
>>
>
> Hilariously, they warn you to disable OkayFreedom before asking for
> payment at store2.esellerate.net via HTTPS (
> http://www.okayfreedom.com/interstitial.php?language=en&url=https%3A%2F%2Fsecure.esellerate.net%2Fsecure%2Fprefill.aspx%3Fcmd%3DBUY%26s%3DSTR2099870388%26_cartitem0.SkuRefNum%3DSKU60761706070%26_cartItem0.quantity%3D1%26_cartItem1.SkuRefNum%3DSKU13452973799%26_cartItem1.quantity%3D0%26_cartItem2.SkuRefNum%3DSKU66143195918%26_cartItem2.quantity%3D0%26_cartItem3.SkuRefNum%3DSKU18834812186%26_cartItem3.quantity%3D0%26_Shopper.Language%3DEnglish%26_Shopper.Currency%3DUSD%26_Shopper.BillingCountryCode%3DUS%26_Custom.Data1%3Den%26page%3DOnePageCart.htm
> ):
>
> Please deactivate OkayFreedom now
> If you are already using OkayFreedom, click "Off" in the OkayFreedom
> menu. You don't have to quit OkayFreedom. Otherwise, your purchase
> can probably not be processed. Thank you.
>
> I also love that you can change those url parameters to whatever you'd
> like (as it doesn't use HTTPS or check things internally), eg:
>
>
> http://www.okayfreedom.com/interstitial.php?language=en&url=https://crypto.cat
>
> On install it appears to open a connection to 37.208.111.121 (
> http://www.okayfreedom.com./ ) on port 80 after collecting a user's
> email address. It appears to download okayfreedom.exe by opening a
> connection to file.steganos.com
> http://www.steganos.com/us/products/overview/ - it then runs it
> instantly. So uh, I'm guessing Hello EvilGrade code execution?
>
> I noticed that someone already scanned it for issues on VirusTotal:
> https://www.virustotal.com/file/46119727a4ebba59596c7ead9b1e5be9aa79518e78d5494b08fe8217f0b4cc94/analysis/
>
> I uploaded both files that I encountered.
>
> This is the file for download from the web:
> https://www.virustotal.com/file/2771d24f23549ad46047b425af169edb9fc1fd76e4ceb6aa9217fefd550b1c18/analysis/1351353504/
>
> This is the actual payload it downloads and runs as the installer:
> https://www.virustotal.com/file/26dd85c8936f2e2264981bcb08bf7fa1a729068c990be23f93bd05db73c73fa1/analysis/1351353535/
>
> It appears that it tries to install a TAP device managed by
> VPNService.exe - it appears to be the Steganos VPNClient. It touches a
> lot of data on the drive - registry keys and a lot more.
>
> I presume that this is the software package they rebrand:
>
>
> http://www.steganos.com/us/products/secure-surfing/internet-anonym/overview/
>
> It installs these files:
>
> Base.res RenameTAP.exe
> ChannelDefault.res ResetPendingMoves.exe
> LibShred.dll ServiceControl.exe
> LocalServerConsole.exe ShutdownApp.exe
> LocalServerConsole.vshost.exe SIAVPN2Client.res
> LocalServerConsole.vshost.exe.manifest sqlite3.dll
> OkayFreedomClient.exe SteganosUI.res
> OkayFreedomClient.res Tleilaxu.res
> okayfreedom.crx toggleds.exe
> okayfreedom_ff VPNService.exe
> okayfreedom_ff.xpi XVPNClient_OKAYFREEDOM.res
> OKAYFREEDOM.res XVPNClient.res
> OkayFreedomUpdater.res XVPNClient_SIAVPN.res
> openvpn XVPNClient_SVPNP.res
> openvpn64 XVPNClient_SVPN.res
> prodid XVPNClient_XVPN.res
>
> LibShred.dll appears to be this GPL project:
>
> http://sourceforge.net/projects/libshred/
>
> I uploaded a few of those files here:
>
> https://www.virustotal.com/file/d29dfad73be78d00f0b8fe535c20939eb4b632102e1c250d37b211bc915f82c9/analysis/1351354357/
>
> https://www.virustotal.com/file/6cfb058b4151f59e6a7da545ca4553f47b24221a255ea5c594c4851b8370040f/analysis/1351354411/
>
> https://www.virustotal.com/file/23ad5dde8dcbca2af2de6af7b3e859b06c26de6a2409c1763c24f89980a89dbc/analysis/1351354492/
>
> I found that openvpn/Steganos.txt contains this:
>
> Applied Patches:
> ONSA.patch for Steganos OnlineSafe
> AVPN.patch for Steganos Internet Anonym VPN
> SVPN.patch for Steganos Secure VPN
>
> So it looks like they modify OpenVPN before they distribute it.
> Hilariously the OpenVPN license (
> http://openvpn.net/index.php/license.html ) and other related software
> is crazy complicated. Some of it is GPL, some BSD, some GPL with special
> exceptions, etc.
>
> The ChangeLog included is hilariously old:
>
>
> $Id: ChangeLog 1330 2006-10-01 11:45:06Z james $
>
> 2006.10.01 -- Version 2.0.9
>
> * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
> published vulnerabilities.
>
> * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
> (Henry Nestler). The TAP-Win32 driver has now been
> upgraded to version 8.4.
>
> I sure hope that isn't the version of OpenSSL they're using! The newest
> binary appears to have been built on 2011-04-26 (openvpn.exe) while
> (openssl.exe) was built on 2009-09-17. Likely some bad bugs in those two
> together...
>
> They also include two web browser plugins (okayfreedom_ff.xpi and
> okayfreedom.crx) - so I guess their browser plugins are... easy soft spots.
>
> Here is the Firefox url for update checking:
>
> https://www.steganos.com/updates/okayfreedom/update_okayfreedom_ff.rdf
>
> The actual firefox xpi is here:
>
> https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xpi
>
> Info for Firefox is here:
>
> https://www.steganos.com/updates/okayfreedom/okayfreedom_ff.xhtml
>
> The Chrome extension is permissive:
>
> "permissions": [
> "tabs",
> "http://*/*",
> "https://*/*"
> ],
>
> It updates at this url:
>
> https://www.steganos.com/updates/okayfreedom/update_okayfreedom.xml
>
> It also looks like it opens a connection (this is in both) to some kind
> of controller:
>
> var port = "36405";
> var url = "ws://127.0.0.1:" + port + "/okayfreedomwebsocket";
>
>
> It also appears that OkayFreedomClient.exe might run polipo:
>
> ~/Steganos/polipo/config
> ~/ArchiCrypt/polipo/config
>
> It looks like this software is probably vulnerable to the attacks I
> mentioned in our vpwned FOCI12 paper, as well as other things. I'd love
> a confirmation from a Windows user who cares enough to test it. I guess
> beta at okayfreedom.com might be a good place to report it, I extracted
> that from OkayFreedomClient.exe, so it might be a bit old.
>
> There are some other things in that binary that made me laugh a bit:
>
> /?api=1&lang=%s&cmd=register_account&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off
>
> /?api=1&lang=%s&cmd=register_plus&user=%s&pass=%s&pass-cfrm=%s&email=%s&newsletter=off&key=%s
>
> /?api=1&lang=%s&cmd=login&fe-login-user=%s&fe-login-pass=%s
>
> If I had to guess, I'd bet there are some embedded keys for the VPN and
> I'd bet there are some ways to mess with the
> ws://127.0.0.1:36405/okayfreedomwebsocket interface (eg: perhaps by
> sending 'DOCHECK|attackerexample.com|0|DE' to it).
>
> I'm guessing this is a reverse engineering project for a budding
> security person wishing to have a field day.
>
> All the best,
> Jake
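The interstitial.php behaviour Jake points out (any url= value is followed, as in the crypto.cat substitution) is the standard open-redirect shape. The following is an added illustration written for this thread, not OkayFreedom's PHP or anything taken from the Steganos binaries: it puts the weak "use the parameter as-is" logic next to a check that pins the scheme and an exact host. The allowlisted host (secure.esellerate.net, from the shop URL quoted above) and the shortened sample links are assumptions.

```python
"""Allowlist check for an interstitial redirect parameter (added example).

Illustrative code for the liberationtech OkayFreedom thread, not the
project's own: the weak "follow url= verbatim" behaviour beside a check
that pins scheme and host. The allowlisted host is an assumption taken
from the eSellerate link quoted in the thread.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: the interstitial only ever hands the user to the eSellerate shop.
ALLOWED_HOSTS = {"secure.esellerate.net"}
ALLOWED_SCHEMES = {"https"}


def redirect_target_weak(interstitial_url: str) -> str:
    """The behaviour observed in the thread: return the url= value verbatim."""
    query = parse_qs(urlsplit(interstitial_url).query)
    return query.get("url", [""])[0]


def is_allowed_target(target: str) -> bool:
    """Accept only https://<allowlisted host>/...

    Beyond a plain host comparison this refuses scheme-relative targets
    (//evil), userinfo tricks (https://good@evil) and backslashes, which
    browsers following the WHATWG URL rules normalise to slashes before
    urlsplit ever sees them.
    """
    if not target or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "") in ALLOWED_HOSTS


def redirect_target_checked(interstitial_url: str) -> Optional[str]:
    """Hardened form: the url= value is used only if it passes the allowlist."""
    target = redirect_target_weak(interstitial_url)
    return target if is_allowed_target(target) else None


# Constructed inputs: a shortened form of the shop link quoted in the thread,
# and the crypto.cat substitution Jake tried.
SHOP_LINK = (
    "http://www.okayfreedom.com/interstitial.php?language=en"
    "&url=https%3A%2F%2Fsecure.esellerate.net%2Fsecure%2Fprefill.aspx%3Fcmd%3DBUY"
)
TAMPERED_LINK = (
    "http://www.okayfreedom.com/interstitial.php?language=en&url=https://crypto.cat"
)

if __name__ == "__main__":
    print(redirect_target_weak(TAMPERED_LINK))     # https://crypto.cat
    print(redirect_target_checked(TAMPERED_LINK))  # None
    print(redirect_target_checked(SHOP_LINK))      # https://secure.esellerate.net/secure/prefill.aspx?cmd=BUY
```

The check is exact-host rather than suffix-based on purpose: a suffix test would let secure.esellerate.net.attacker.example through. It also only helps if the page that embeds the link is itself served over HTTPS; over plain HTTP, as in the thread, an on-path attacker can rewrite the link before any server-side check runs.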
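On the ws://127.0.0.1:36405/okayfreedomwebsocket controller Jake found in both extensions: a browser will open a WebSocket to 127.0.0.1 on behalf of any web page the user visits, so a local control service has to check the Origin of the handshake itself or every site becomes a client. The thread does not say what the OkayFreedom service verifies, and the DOCHECK message is Jake's guess, so the following is an added example of the check such a service needs, not OkayFreedom's code; the trusted extension id, the accepted Host values and the sample handshakes are assumptions.

```python
"""Origin check for a localhost WebSocket control channel (added example).

Illustrative code for the liberationtech OkayFreedom thread, not the
project's own. The path and port come from the extension source quoted in
the thread; the trusted extension origin, the Host values and the sample
requests are assumptions.
"""
from typing import Dict, Tuple

WS_PATH = "/okayfreedomwebsocket"
LOCAL_HOSTS = {"127.0.0.1:36405", "localhost:36405"}
# Assumption: a hypothetical extension id; a real service pins its own.
TRUSTED_ORIGINS = {"chrome-extension://abcdefghijklmnopabcdefghijklmnop"}


def parse_handshake(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 upgrade request into (method, target, headers).

    Header names are lower-cased. Duplicate headers keep the first value,
    so a second Origin appended by a client cannot override the first.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, headers


def handshake_allowed(raw: bytes) -> bool:
    """Accept a WebSocket upgrade for WS_PATH only from a trusted origin."""
    try:
        method, target, h = parse_handshake(raw)
    except ValueError:
        return False
    return (
        method == "GET"
        and target == WS_PATH
        and h.get("host") in LOCAL_HOSTS
        and h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in h.get("connection", "").lower()
        and h.get("sec-websocket-version") == "13"
        and "sec-websocket-key" in h
        and h.get("origin") in TRUSTED_ORIGINS  # the actual access control
    )


def _request(origin: str) -> bytes:
    """Constructed sample handshake in the shape a browser sends."""
    return (
        f"GET {WS_PATH} HTTP/1.1\r\n"
        "Host: 127.0.0.1:36405\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        f"Origin: {origin}\r\n\r\n"
    ).encode()


# Constructed inputs: one handshake from the (assumed) extension origin, one
# from a drive-by page on the attacker host named in the thread.
EXTENSION_HANDSHAKE = _request("chrome-extension://abcdefghijklmnopabcdefghijklmnop")
DRIVEBY_HANDSHAKE = _request("http://attackerexample.com")

if __name__ == "__main__":
    print("extension:", handshake_allowed(EXTENSION_HANDSHAKE))  # True
    print("drive-by: ", handshake_allowed(DRIVEBY_HANDSHAKE))    # False
```

Two caveats a tester should keep in mind. The Origin header is only meaningful when a browser sets it; a malicious local process can send any Origin it likes, so this check stops drive-by web pages, not local malware. And pinning the extension origin does not help if the extension forwards messages from page content: the Chrome manifest above grants content access on http://*/* and https://*/*, so the extension side has to be just as strict about what it relays to the socket.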