An Internet tool meant to shield Chinese dissidents from their government seems to do just the opposite, and it also probes servers in the US, Canada and Taiwan, according to research presented at Black Hat.
UltraSurf software is promoted as a means to proxy Internet traffic so that when it arrives at its destination forensic experts can't figure out where it came from.
But observation of UltraSurf at work reveals that it also automatically attempts to make HTTPS-encrypted connections to unrelated servers, said Kyle Williams, security director of XeroBank, an Internet privacy vendor, who has researched the software.
Among the sites it has probed without user intervention is acquisitions.army.mil, he said, a US Army URL that would be sure to attract the attention of the Great Firewall of China, the Internet filtering infrastructure the Chinese government uses to restrict the Internet access of its citizens.
The proxy system that versions of UltraSurf have used included six entry proxies, half in California and half in Taiwan, and six exit proxies, half in the US, two in China and one in Taiwan, Williams says. A Chinese dissident sending traffic to an entry node in the US or Taiwan and receiving traffic from the US and Taiwan would also draw attention, he said.
The software used to have a two-hop proxy, but that has been downgraded to one hop, he said.
The software is available free from UltraReach, whose website doesn't list an address or management team. It says the company is "dedicated to providing technologies and service for people to exchange information on Internet freely and safely" and was founded "by a group of successful entrepreneurs, renowned scientists and engineers in Silicon Valley."
UltraReach hasn't responded to a request left at its website for an interview about the software.
The software is promoted on the website of Global Internet Freedom Consortium, a group whose website describes its purpose this way: "Our mission is to build a pioneering online platform that breaks down the Great Firewalls blocking the free flow of information penetrating into, moving within, and originating from closed societies (eg China and Iran) via the Internet."
UltraSurf does some other puzzling things. For instance, if one of the HTTPS requests hits an invalid URL, the request is redirected to UltraSurf's page. "How does it know I got an invalid server if the traffic is really end-to-end encrypted?" Williams said.