Kuniao browser (酷鸟浏览器, Cool Bird browser), seemingly state-authorized circumvention browser about bbs HOT 5 OPEN

On November 20, 2019, Twitter user MrdoorVPN posted (archived) a photo of an incomplete table that lists "the pilot cross-border VPN applications that have implemented security obligations". This post (archived) contains a photo of the complete table.

For documentation purposes, below is a transcription of the table:

试点中已落实安全义务的跨境VPN应用 (The pilot cross-border VPN applications that have implemented security obligations)

The only vendor for which we can find an official English name is: 任子行武汉分公司 （Surfilter Network Tech Wuhan Branch）.

from bbs.

In Oct 2020, Qihoo 360 published multiple commercial censorship-circumvention apps under different names (绿光/SGreen, Tuber, etc.) shadowed by shell companies in several major Android app markets in China featuring direct access to Facebook, Youtube, Instagram and etc.

These apps work like typical mobile browsers with proxies (or other circumvention protocols) built-in. Users can try them for free after registering by phone number. I tested a few of them at that time, to find that the egress or ingress (not sure which since it was long ago) IP addresses are just of the CDN of Qihoo 360.

They appear to use similar keyword-based censorship tricks on a webpage basis. Since it is a browser instead of a generic proxy tool, the censorship can bypass protocol-layer security like HTTPS.

There were unverified rumors claiming that these apps were endorsed by the government. Due to the close tie between Qihoo 360 and the authority, I suppose it is not absolute nonsense. But just one or two weeks after the public exposure, they (were) shut down. Before that, they seem to be (relatively) widely known/used by some young netizens to access Instagram and other lifestyle/fashion SNS.

Media or SNS coverage:
https://webcache.googleusercontent.com/search?q=cache:sZxENY1MIEgJ:https://www.zaobao.com.sg/forum/zaodian/hai-qiang-xin-diao/story20201014-1092541
https://mobile.twitter.com/search?q=Tuber%E6%B5%8F%E8%A7%88%E5%99%A8
https://mobile.twitter.com/search?q=%E7%BB%BF%E5%85%89%E6%B5%8F%E8%A7%88%E5%99%A8

from bbs.

Checking some random Twitter threads, it seems there's an ss-local.exe in the installation, which suggests Shadowsocks. Testers say that the browser somehow filters searches on sites like Google, Wikipedia, and YouTube, even apparently replacing Google search results with Baidu search results.

@Shirosaki_Mieru (archived)

试了一下这个所谓合法的酷鸟浏览器，F12控制台打不开，也没办法查看证书信息，默认不检查服务器证书状态，拦截证书风险，还自带和谐功能🤔

I tried this so-called legal cool bird browser, the F12 console could not be opened, and there was no way to view the certificate information. By default, the server certificate status was not checked, the certificate risk was intercepted, and the harmony function was also provided.🤔

安装后目录底下有一个words.dat文件，可能是关键词？试了一下wiki，***事件马上被阻断提示404，应该是没有通过云端检测，但是搜索天安事件可以看到搜索页结果，点进去因为URL里面包含敏感词，马上又被阻断。

There is a words.dat file under the directory after installation, which may be a keyword? After trying the wiki, the Tiananmen incident was immediately blocked and prompted 404. It should not be detected by the cloud, but the search for the Tianan event can see the results of the search page. Clicking on it because the URL contains sensitive words is immediately blocked.

本地的ss-local会随机开放端口监听，访问网站都会与180.153.184.65这个地址建立TCP连接，查了一下是上海电信的IP

The local ss-local will randomly open the port listener. The access website will establish a TCP connection with the address 180.153.184.65. Check the IP address of Shanghai Telecom.

@justsudo (archived)

不要使用 酷鸟翻墙浏览器，这个浏览器使用的是腾讯云线路，并且会篡改谷歌的搜索结果。测试方法，用酷鸟浏览器搜索**功，***等敏感词，酷鸟浏览器会篡改谷歌的搜索结果，隐藏掉敏感内容。

Don't use the Cool Birds Wall Browser, which uses Tencent Cloud and will tamper with Google's search results. Test method, use the cool bird browser to search for Falun Gong, Xi Jinping sensitive words, cool bird browser will tamper with Google's search results, hide sensitive content.

from bbs.

So don't believe there is an authorized circumvention tool.

The offcial website of Kuniao browser has been blocked by GFW, which may also suggest it is not state-authorized.

Greatfire tested kuniao.com, www.kuniao.com and ie.kuniao.com and found, these keywords were censored by DNS poisoning on Nov 16, 2019 3:37 AM (UTC+8).

gfw.report has been testing GFW's censorship on www.kuniao.com every 2 hours since May 12 2019, and found:

1. DNS-based censorship on www.kuniao.com started from sometime between Nov 15, 2019 11:00 AM (UTC+8) and Nov 15, 2019 1:00 PM(UTC+8).
2. SNI-based censorship on www.kuniao.com started from sometime between Nov 15, 2019 4:00 AM (UTC+8) and Nov 24, 2019 9:35 PM (UTC+8).
3. www.kuniao.com is still under these two types of censorship as of today May 9, 2020, although the entire Kuniao website is down.

from bbs.

In this Chinese blog post (archived), Yves X tested Kuniao browser and found:

• There was an encrypted file named words.dat which was suspected to be a keyword list.
• The browser could not access a website when the URL contains certain keywords.
• The browser contained a private self-signed CA.

from bbs.