[liberationtech] uVirtus Linux, encrypted OS for Syria
Michael Rogers
michael at briarproject.org
Fri Sep 27 11:16:39 PDT 2013
On 27/09/13 15:23, Lorenzo Franceschi-Bicchierai wrote:
> Thoughts?

The update feature of uVirtus's Sanctuary VPN (OpenVPN obfuscated with
obfsproxy) is a bit concerning. The source code has been removed from
Github, but judging by the description on the uVirtus site, the client
downloads an encrypted list of proxies from an update server. The list
is encrypted with a key that's baked into the client. No integrity
protection is mentioned.

(The choice of encryption algorithm is odd - "Password Based
Encryption with MD5 and Triple DES". Perhaps that's for compatibility
with very old export-restricted versions of Java?)

As far as I can tell (again, going by the description on the site),
someone with access to a copy of the client could extract the
encryption key and forge a list of proxies. The forged list could then
be substituted for the real list by intercepting connections to the
update server, causing other clients to connect to proxies controlled
by the attacker.

Cheers,
Michael
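
The integrity protection the message finds missing, as an added example that is not part of the original message and not uVirtus code: the update server signs the proxy list with Ed25519, and the client, which ships only the public key, verifies the signature before using the list. The envelope layout, the function names, the all-zero test seed and the sample addresses are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// SignList runs on the update server, with a private key that never ships in
// the client. Assumed envelope: 64-byte signature, then the proxy list.
func SignList(priv ed25519.PrivateKey, list []byte) []byte {
	return append(ed25519.Sign(priv, list), list...)
}

// VerifyList runs in the client. Only the public key is embedded there, so
// extracting it from a copy of the client does not allow signing a new list.
func VerifyList(pub ed25519.PublicKey, envelope []byte) ([]string, error) {
	if len(envelope) <= ed25519.SignatureSize {
		return nil, errors.New("update too short to hold a signed list")
	}
	sig, list := envelope[:ed25519.SignatureSize], envelope[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, list, sig) {
		return nil, errors.New("bad signature: keep the previous proxy list")
	}
	var proxies []string
	for _, line := range strings.Split(string(list), "\n") {
		if line = strings.TrimSpace(line); line != "" {
			proxies = append(proxies, line)
		}
	}
	return proxies, nil
}

// Demo verifies a constructed list, then the same list altered in transit.
func Demo() (accepted []string, tamperErr error) {
	// Constructed all-zero seed so the run is repeatable; not a real key.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	env := SignList(priv, []byte("192.0.2.10:443\n192.0.2.11:443\n"))
	accepted, _ = VerifyList(pub, env)
	tampered := append([]byte(nil), env...)
	tampered[len(tampered)-2] ^= 0x01 // one payload byte changed
	_, tamperErr = VerifyList(pub, tampered)
	return accepted, tamperErr
}

func main() {
	fmt.Println(Demo())
}
```

A signature alone does not stop an older, validly signed list from being replayed; a version number or expiry inside the signed payload would be needed for that.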