Friday, April 20th, 2012
Recently there have been some allegations against Ultrasurf saying that the popular anonymizer might not be as safe as it claims. Jacob Appelbaum, developer at Tor, posted an in-depth review of the security issues he found with the service which allowed him to track down individual users.
Basically, Appelbaum reverse engineered the network using commercial software and found several vulnerabilities. He took his findings to Ultrasurf and spoke with them at length during a “quite positive” meeting where they planned to address the issues. This was in December, and Appelbaum has just now decided to go public with his findings. You can download the full report here.
The meat of the research is centered on Ultrasurf’s claims that their users are protected with anonymous searching, untraceable, unblockable, invisible (users don’t leave a trace), anonymous, and tamperproof. “The vulnerabilities presented in this paper are not merely theoretical in nature; they may present life-threatening danger in hostile situations. We recommend against the use of Ultrasurf for anonymity, security, privacy and Internet censorship circumvention.” Check out Tor’s blog for their side of the story.
Needless to say, these are some serious allegations. Ultrasurf responded. They assert that Tor’s claims were not valid, and that the problems had been fixed months ago. They did note that they appreciated Tor’s efforts in bringing the issues to light, but not the way in which it was handled. Ultrasurf claims that:
- Tor has not been able to break Ultrasurf. The paper asserts that it is possible to monitor the content of Ultrasurf sessions, but they have not been able to actually demonstrate this.
- Tor has only partly understood our security structure, and they have failed to break the core mechanisms for protection.
- In each case where Tor has indicated a security shortcoming in Ultrasurf, we have moved rapidly to address it and communicated this to Tor. However, their report failed to acknowledge these efforts.
- Tor repeatedly and knowingly makes false and outdated statements about Ultrasurf, which are detailed in our full response.
Kyle Williams also responded to Tor’s research with some of his own, and much harsher, reviews of Ultrasurf. He claims that the entire network is “total spyware,” complete with Trojans and connections to the U.S. government. Take a look here for his view.
Without further investigation it’s hard to decipher whether Tor’s claims completely take the rug out of Ultrasurf, or if Ultrasurf has, in fact, addressed all the issues. Either way, it becomes apparent that no matter which sites you chose to secure your privacy, you have to be very careful of the sites you use to do it. If the claims are true, Ultrasurf users may be at a severe risk. Be very careful when choosing your VPN providers, internet.