Skip to content

Ultrasurf: review; a comment

13. May 2012

I better write about it before it gets too old.

The Tor Project has reviewed the Ultrasurf software. You can read about it here.

Please read the blog entry and the review (PDF) and the response of UltraReach (the company behind UltraSurf)

You can call me biased toward Tor, and that’s most likely very true.

What I want to point out is that it is important how you present you and your product(s).


“Ultrasurf enables users to browse any website freely” — refuted in Section 3.1

This was refuted because UltraSurf actively blocks one from accessing certain websites. Usually involving adult content. While they could have told you, they did not.

“employs a decoying mechanism to thwart any tracing effort of its communication with its infrastructure.” — refuted in Section 5.13

This was refuted because they use the Internet Explorer to fetch faux PGP messages from third-party resources and seem traceable.

“Protect your privacy online with anonymous surfing and browsing. Ultrasurf hides your IP address, clears browsing history, cookies, and more.” — refuted in Section 6.2 and Section 6.3.

This was refuted mainly because of this:

By default the Ultrasurf client launches an instance of Internet Explorer that visits the Ultrasurf homepage. The URL
loaded includes a unique argument at the end of each URL for each visit. Upon visiting this home page, every visitor
is tagged with a Google Analytics cookie. When combined with the Google cookie and known server logging [6]
information, it appears to individually tag visiting users in a way that creates major privacy concerns.

“change IP addresses a million times an hour” — refuted in Section 6.1

This just could not be observed.

“Untraceable” — refuted in Section 6.10

The network itself collects enough data, users can be traced.

“Unblockable: Client uses wide array of discovery mechanisms to find an available proxy server and, when necessary, to switch/hop to avoid tracking/blocking” — refuted in Section 6.8

The analyst didn’t get it to work in certain places. Well that can happen. Software and blocking is subject to change.

“Invisible: Leaves no traces on the user’s computer, and its traffic is indistinguishable from normal access to HTTPS sites” — refuted in Section 5.12

It makes modifications to the system and therefor leaves indeed traces. The second part might be false as well.

“Anonymous: No registration is requires [sic], and no personally identifying information collected” — refuted in Section 6.10

They collect data. Really.

“Tamperproof: Using privately-signed SSL certificates which dont depend on external, potentially compromised CAs (thus preempting MITM attacks), Ultrasurf proactively detects attempts by censors to reverse-engineer, sabotage, or otherwise interfere in the secure operation of the tool” — refuted in Section 5.8.

Since they fetch from external resources where https is included, but not the certificate is not checked, they are simply not relying on CAs, they are ignoring them.

I’m not going to comment on the analysis, there are many things that are not how they should be, software wise, but I don’t care about them here.

It’s the same thing with many other things.

– “Our servers have 100% up-time”

– “This on-screen-keyboard is 100% key-logger safe”

– “100% success rate”

Don’t claim what you can’t keep!

I think the Tor Project  is good at this. They tell what Tor does, and what Tor doesn’t. Their bugs can be looked up, their source gets reviewed by many people.

They recommend the TorBrowserBundle because so many things can go wrong, with the default browser.


From → General

One Comment

Trackbacks & Pingbacks

  1. Ultrasurf review | Myvinylexpress

Comments are closed.

%d bloggers like this: