Tor's critique of Ultrasurf: A reply from the Ultrasurf developers

On April 16th, Jacob Appelbaum published an article on the Tor blog titled "Ultrasurf: the definitive review". The team at Ultrareach would like to thank Mr. Appelbaum and the Tor Project for the time they spent exploring Ultrasurf. However, there are a number of significant problems with the report and with the way that the Tor team conducted themselves during their research and through the publishing process. Thus, we would like to respond to Tor's claims.

Our full report is available for download from the following link:
http://ultrasurf.us/Ultrasurf-response-to-Tor-definitive-review.pdf

Firstly, we have attempted to constructively work with the Tor project for the last four months. We see both Ultrasurf and Tor—plus a host other privacy and anti-censorship tools—as all being members of a community of technologists working toward common goals of increased freedom for internet users around the globe. We never expected a fellow member of our community to publish a report that deliberately misrepresents the nature of our product. We would like to take this opportunity to clear up any confusion that their report might bring about.

  • Most importantly, Tor has not been able to break Ultrasurf. The paper asserts that it is possible to monitor the content of Ultrasurf sessions, but they have not been able to actually demonstrate this.
  • Tor has only partly understood our security structure, and they have failed to break the core mechanisms for protection.
  • In each case where Tor has indicated a security shortcoming in Ultrasurf, we have moved rapidly to address it and communicated this to Tor. However, their report failed to acknowledge these efforts.
  • Tor repeatedly and knowingly makes false and outdated statements about Ultrasurf, which are detailed in our full response.

At Ultrareach we are committed to constantly improving the privacy and security of our products. Ultrasurf faces a rapidly evolving censorship landscape in countries such as China, with technology changing on a daily—sometimes hourly—basis. This presents significant security challenges, since our code base must be continually updated in response. We do appreciate Tor's analysis (if not the way Tor handled it), and have—in most cases, months ago—already fixed the issues pointed out by Tor.

As an example of how we are taking security seriously, we have retained the services of a third party testing service at the suggestion of the US State Department to review our products and help identify and resolve potential vulnerabilities.

Again, we respect the work that Tor has done and the services it offers to its users. Our products, however, represent fundamentally different approaches solving the censorship challenge. As a corollary of these different approaches, Tor simply cannot handle the number of users or scale of activities that Ultrasurf can. The bottom line is that Ultrasurf has been serving millions of people for the past decade in over 180 countries. It has been essential during times of humanitarian crises, allowing millions of people to evade government censorship and surveillance. The Chinese government in particular has spent considerable resources, and yet it has never successfully blocked us for any extended period of time; neither has there been any evidence of monitoring. The same cannot be said for the Tor system, which has been successfully blocked in China on many occasions for extended periods. To the best of our knowledge, Ultrasurf has not been either monitored or blocked in any country.

Tor and Ultrasurf are both Internet Freedom systems. We both require resources to continue our work, and we sometimes compete for resources from similar funding agencies. We wish that Tor had approached us first so that we could use the information in the Tor paper as part of our continuing effort to improve user security.

Ultrasurf remains a valuable tool for censorship-circumvention, privacy, and security. Challenges are always evolving, as is technology. We work everyday to make our tools better, and we hope that the other dedicated individuals working for internet freedom (the Tor team included) will continue their own work to bring about greater freedom of expression online. Download the full report here.