Increase of users in Ukraine due to block of Russia-based services

added block censorship component::circumvention/censorship analysis owner::metrics-team priority::medium resolution::wontfix severity::normal status::closed type::project ua labels

Trac:

A large fraction of the increase may be attributable to the use of FreeU Browser (https://freeu.online/ or https://freeu.zone/), a browser containing Tor. The browser was produced by Mail.ru and prominently featured on VKontakte starting 2017-05-20.

https://tjournal.ru/44669-vkontakte-predlozhila-ukraincam-peredelannii-brauzer-amigo-s-tor-dlya-obhoda-blokirovok (archive link)

Approximately on May 20, "VKontakte" began to offer users from Ukraine to install a desktop FreeU browser to bypass the locks of Russian social networks. ... The browser was also promoted with advertising posts in "VKontakte", "Twitter" and "Classmates", as well as through banners on YouTube. ... On its website FreeU is positioned as a browser "with access to blocked sites and social networks". ... As explained by TJ developer from a major Russian company, the code for FreeU shows that this is actually a reworked browser "Amigo" with built-in technology Tor.

valdikss inspected the bundle and found a tor executable renamed to freeu_helper, along with torrc and other dependencies:

The article also says that the browser only unblocks some sites (maybe those operated by Mail.ru) and not others. Presumably they have a proxy configuration that only sends some domains through the tor proxy.

FreeU gives access only to blocked sites in Ukraine. If you use it in Russia, it does not give you access to resources included in the Roskomnadzor blacklist. In the "Amigo" function there is no circumvention of the restriction of access to sites and blocker advertising.

cacahuatl found a script that generates a PAC file to send certain domains through the SOCKS proxy at 127.0.0.1:9050 and do others DIRECT:

freeu_setup.exe
- Chrome.7z
  - Chrome-bin/56.1.2924.38/amigo_resources.pak/background.js

var BASE_PROXY_CONFIG = { scope: 'regular' };

var JSON_HOSTS = ['updtbrwsr.com', 'updtapi.com', 'brwsrapi.com', 'mrbrwsr.com', 'savebrwsr.com', 'svbrwsr.com'];

var generateProxyConfig = function generateProxyConfig(hostnames) {
  return {
    mode: 'pac_script',
    pacScript: {
      data: '\n      function FindProxyForURL(url, host) {\n        const blackList = [' + hostnames.map(function (i) {
        return '"' + i + '"';
      }).join(',') + '];\n        for (let item of blackList) {\n          if (dnsDomainIs(host, item))\n            return \'SOCKS5 ' + '127.0.0.1' + ':' + 9050 + '\';\n        }\n        return \'DIRECT\';\n      }\n    '
    }
  };
};

Replying to dcf:

A large fraction of the increase may be attributable to the use of FreeU Browser, a browser containing Tor

Three observations:

A) If many of the new users are because of this browser, and if the browser only sends requests for a few domains through Tor, then we have a lot of new Tor clients that mostly aren't adding load to the network. Sounds fine to me.

B) I'm happy, not sad, that they aren't shouting "and this browser uses Tor!" along with the release. This way nobody gets confused about what security properties they do or don't get, since the browser side doesn't contain any of the privacy fixes done by Tor Browser: https://www.torproject.org/projects/torbrowser/design/

C) Does this mean that mail.ru is committing to supporting connections via Tor? So when people ask for good free webmail services that work with Tor, we should point them to mail.ru? :)

Trac:

Screenshot showing some contents of the FreeU browser, https://i.imgur.com/11pW7Vg.png from valdikss.

cachuatl found code that looks like it's fetching an obfuscated whitelist of sites to proxy through tor, and deobfuscating it:

fetchBlackListJson.js\ Retrieves !https://update. host /blckd.json for values of host in ['updtbrwsr.com', 'updtapi.com', 'brwsrapi.com', 'mrbrwsr.com', 'savebrwsr.com', 'svbrwsr.com'].

var decryptJson = function decryptJson(str) {
  var xorc = (0, _xorc2.default)(1234567890);
  return JSON.parse(xorc.decrypt(str));
};

exports.default = function (salt) {
  var randomMin = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : 100;
  var randomMax = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : 100;

  var saltInt = parseInt(salt);

  if (salt) {
    if (!saltInt) {
      throw new Error('Salt is not a Number');
    }
    salt = saltInt;
  } else {
    salt = Math.round(Math.random() * (randomMax - randomMin) + randomMin);
  }

  return {
    encrypt: function encrypt(str) {
      var result = '';
      for (var i = 0, n = str.length; i < n; i++) {
        result += String.fromCharCode(salt ^ str.charCodeAt(i));
      }
      return result;
    },
    decrypt: function decrypt(hash) {
      var result = '';
      for (var i = 0, n = hash.length; i < n; i++) {
        result += String.fromCharCode(salt ^ hash.charCodeAt(i));
      }
      return result;
    }
  };
};

A sample obfuscated download:

https://update.updtbrwsr.com/blckd.json (archive link)\ (https://updtbrwsr.com/blckd.json (archive link) also works).
blckd.json

Trac:
fetchBlackListJson.js

fetchBlackListJson function found by cacahuatl.

Trac:
blckd.json

Obfuscated blckd.json just now downloaded from https://update.updtbrwsr.com/blckd.json (Last-Modified: Tue, 23 May 2017 23:36:12 GMT).

cacahuatl wrote a deobfuscator and produced this output:

blckd.json.decoded

Deobfuscator source code:

import requests
hosts = ['updtbrwsr.com', 'updtapi.com', 'brwsrapi.com', 'mrbrwsr.com', 'savebrwsr.com', 'svbrwsr.com']
salt = 1234567890
for host in hosts:
	r = requests.get('https://update.{}/blckd.json'.format(host))
	j = b""
	for c in r.text:
		j += bytes([(ord(c) ^ salt) & 0xff])
	print("%s" % j.decode('utf-8'))

The decoded file looks like this (abridged):

{
  "records": [
    {
      "host": "vk.com",
      "endpoint": "http://vk.com/ping.txt",
      "hash": "b5b607d573e6a901ef215db6b1247404c92bb9ce"
    },
  ...
    "mail.ru"
  ],
  "defaults": {
    "endpoint": "http://vk.com/ping.txt",
    "hash": "b5b607d573e6a901ef215db6b1247404c92bb9ce"
  }
}

The list of hosts in the lone "mail.ru" record contains these domains:

vk.com
vkontakte.ru
vk.me
vk.cc
ok.ru
odnoklassniki.ru
odnoklassniki.ua
ok.me
vk-cdn.net
userapi.com

Trac:
blckd.json.decoded

Replying to dcf:

cacahuatl wrote a deobfuscator and produced this output:

blckd.json.decoded

Each of the hosts has an associated endpoint and hash. There are only two distinct values of endpoint and hash:

  "records": [
    {
      "host": "vk.com",
      "endpoint": "http://vk.com/ping.txt",
      "hash": "b5b607d573e6a901ef215db6b1247404c92bb9ce"
    },
    ...
    {
      "host": "ok.ru",
      "endpoint": "http://ok.ru/google55e918a7d2970a76.html",
      "hash": "526aabc2501699fdcfe5c58f98db82eed849c904"
    },
    ...

The hash is the sha1sum of what you get if you fetch those two URLs.

http://vk.com/ping.txt

WulbqygHXe
idjxMb2pJF
qORaQtmSWo
SF32HldC2U
dMVhUpEEbt
LwBNJubmVq
j03L2D3Lyp
z9z76x6caZ
z2Vv7uVT1M
phZwKcVHVT

http://ok.ru/google55e918a7d2970a76.html

google-site-verification: google55e918a7d2970a76.html

cacahuatl found verifyDomain and init functions that look related:

It looks like they fetch each of the endpoint URLs and compare the result to hash. If it differs from what is expected, the host is marked as needing to be proxied in the PAC file. If none of the hashes differ from what is expected, then it doesn't even start the tor proxy.

Trac:
verifyDomain.js

https://paste.debian.net/939242/ from cacahuatl.

Trac:
init.js

https://paste.debian.net/939244/ from cacahuatl.

Increase of users in Ukraine due to block of Russia-based services

Child items 0

Activity