Kuniao browser (酷鸟浏览器, Cool Bird browser), seemingly state-authorized circumvention browser

[wkrp]

Via V2EX (Chinese, registration required) and China Digital Times (Chinese), news of a Chinese web browser called Kuniao browser (酷鸟浏览器 or Cool Bird browser) that advertises the ability to access sites that are blocked by the GFW.

The strange thing about this is that normally, Chinese circumvention products cannot advertise themselves so overtly. I gather that there is suspicion that this browser may be more like a monitoring tool to see what circumventing users are doing. I have not tried running it myself, but the China Digital Times article says that it asks for a mobile phone number, and an invitation code that you have to get from someone else. I heard a report that while the browser does in fact grant access to certain blocked sites such as Google and Twitter, but more sensitive sites like those related to Falun Gong are still blocked.

It would be interesting to know how it works technically—is it actually using circumvention tech, or does it just have a few IP addresses excepted from the GFW? Does it show the correct TLS certificate when you access a web site, or is there evidence of MITM?

I've downloaded and archived the binary (version 10.8.1000.11 dated 2019-10-28) just in case it disappears:
https://archive.org/details/kuniao-browser-10.8.1000.11

Archive of the home page:
https://web.archive.org/web/20191114233309/https://ie.kuniao.com/

I haven't tried running it, but here is some metadata about the installer executable. 福建紫讯信息科技有限公司 is "Fujian Zixun Information Technology Co., Ltd." 酷鸟浏览器 is "Cool Bird browser".

$ TZ=UTC exiftool kuniao_browser.exe
ExifTool Version Number         : 11.16
File Name                       : kuniao_browser.exe
File Size                       : 53 MB
File Type                       : Win32 EXE
File Type Extension             : exe
MIME Type                       : application/octet-stream
Machine Type                    : Intel 386 or later, and compatibles
Time Stamp                      : 2019:10:28 04:02:26+00:00
Image File Characteristics      : Executable, Large address aware, 32-bit
PE Type                         : PE32
Linker Version                  : 14.11
Code Size                       : 7168
Initialized Data Size           : 55208960
Uninitialized Data Size         : 0
Entry Point                     : 0x1000
OS Version                      : 5.1
Image Version                   : 0.0
Subsystem Version               : 5.1
Subsystem                       : Windows GUI
File Version Number             : 10.8.1000.11
Product Version Number          : 10.8.1000.11
File Flags Mask                 : 0x0017
File Flags                      : (none)
File OS                         : Win32
Object File Type                : Executable application
File Subtype                    : 0
Language Code                   : English (U.S.)
Character Set                   : Unicode
Company Name                    : 福建紫讯信息科技有限公司
File Description                : 酷鸟浏览器
File Version                    : 10.8.1000.11
Internal Name                   : mini_installer
Legal Copyright                 : 
Product Name                    : 酷鸟浏览器
Product Version                 : 10.8.1000.11
Company Short Name              : 紫讯
Product Short Name              : 酷鸟浏览器
Last Change                     : f6dd7f3af8d7f361e8095a2f1913fb56598e56cb
Official Build                  : 0

$ TZ=UTC rabin2 -IV kuniao_browser.exe
arch     x86
baddr    0x400000
binsz    55233688
bintype  pe
bits     32
canary   false
retguard false
sanitiz  false
class    PE32
cmp.csum 0x034add06
compiled Mon Oct 28 04:02:26 2019
crypto   false
dbg_file F:\se10\src\out\Release\mini_installer.exe.pdb
endian   little
havecode true
hdr.csum 0x034add06
guid     6C896F3BC08545A6918BFB6A4D74707A1
laddr    0x0
linenum  false
lsyms    false
machine  i386
maxopsz  16
minopsz  1
nx       true
os       windows
overlay  true
pcalign  0
pic      true
relocs   false
signed   true
static   false
stripped true
subsys   Windows GUI
va       true
=== VS_VERSIONINFO ===

# VS_FIXEDFILEINFO

  Signature: 0xfeef04bd
  StrucVersion: 0x10000
  FileVersion: 10.8.1000.11
  ProductVersion: 10.8.1000.11
  FileFlagsMask: 0x17
  FileFlags: 0x0
  FileOS: 0x4
  FileType: 0x1
  FileSubType: 0x0

# StringTable

  CompanyName: 福建紫讯信息科技有限公司
  FileDescription: 酷鸟浏览器
  FileVersion: 10.8.1000.11
  InternalName: mini_installer
  LegalCopyright: 
  ProductName: 酷鸟浏览器
  ProductVersion: 10.8.1000.11
  CompanyShortName: 紫讯
  ProductShortName: 酷鸟浏览器
  LastChange: f6dd7f3af8d7f361e8095a2f1913fb56598e56cb
  Official Build: 0

[wkrp]

Checking some random Twitter threads, it seems there's an ss-local.exe in the installation, which suggests Shadowsocks. Testers say that the browser somehow filters searches on sites like Google, Wikipedia, and YouTube, even apparently replacing Google search results with Baidu search results.

@Shirosaki_Mieru (archived)

试了一下这个所谓合法的酷鸟浏览器，F12控制台打不开，也没办法查看证书信息，默认不检查服务器证书状态，拦截证书风险，还自带和谐功能🤔

I tried this so-called legal cool bird browser, the F12 console could not be opened, and there was no way to view the certificate information. By default, the server certificate status was not checked, the certificate risk was intercepted, and the harmony function was also provided.🤔

安装后目录底下有一个words.dat文件，可能是关键词？试了一下wiki，天安门事件马上被阻断提示404，应该是没有通过云端检测，但是搜索天安事件可以看到搜索页结果，点进去因为URL里面包含敏感词，马上又被阻断。

There is a words.dat file under the directory after installation, which may be a keyword? After trying the wiki, the Tiananmen incident was immediately blocked and prompted 404. It should not be detected by the cloud, but the search for the Tianan event can see the results of the search page. Clicking on it because the URL contains sensitive words is immediately blocked.

本地的ss-local会随机开放端口监听，访问网站都会与180.153.184.65这个地址建立TCP连接，查了一下是上海电信的IP

The local ss-local will randomly open the port listener. The access website will establish a TCP connection with the address 180.153.184.65. Check the IP address of Shanghai Telecom.

@justsudo (archived)

不要使用 酷鸟翻墙浏览器，这个浏览器使用的是腾讯云线路，并且会篡改谷歌的搜索结果。测试方法，用酷鸟浏览器搜索法轮功，习近平等敏感词，酷鸟浏览器会篡改谷歌的搜索结果，隐藏掉敏感内容。

Don't use the Cool Birds Wall Browser, which uses Tencent Cloud and will tamper with Google's search results. Test method, use the cool bird browser to search for Falun Gong, Xi Jinping sensitive words, cool bird browser will tamper with Google's search results, hide sensitive content.

[gfw-report]

So don't believe there is an authorized circumvention tool.

The offcial website of Kuniao browser has been blocked by GFW, which may also suggest it is not state-authorized.

Greatfire tested kuniao.com, www.kuniao.com and ie.kuniao.com and found, these keywords were censored by DNS poisoning on Nov 16, 2019 3:37 AM (UTC+8).

gfw.report has been testing GFW's censorship on www.kuniao.com every 2 hours since May 12 2019, and found:

1. DNS-based censorship on www.kuniao.com started from sometime between Nov 15, 2019 11:00 AM (UTC+8) and Nov 15, 2019 1:00 PM(UTC+8).
2. SNI-based censorship on www.kuniao.com started from sometime between Nov 15, 2019 4:00 AM (UTC+8) and Nov 24, 2019 9:35 PM (UTC+8).
3. www.kuniao.com is still under these two types of censorship as of today May 9, 2020, although the entire Kuniao website is down.

[gfw-report]

On November 20, 2019, Twitter user MrdoorVPN posted (archived) a photo of an incomplete table that lists "the pilot cross-border VPN applications that have implemented security obligations". This post (archived) contains a photo of the complete table.

For documentation purposes, below is a transcription of the table:

试点中已落实安全义务的跨境VPN应用 (The pilot cross-border VPN applications that have implemented security obligations)

厂商 (Vendors)	应用 (Applications)	域名 (Domains)
任子行武汉分公司	网行国际浏览器	netrunrnu.com
福建紫讯信息科技有限公司	酷鸟浏览器	kuniao.com
上海昆奥网络科技有限公司	天行浏览器	txvpnpro.com
上海闪耀信息科技有限公司	风筝浏览器	ssnm.xyz
天津心云科技有限公司	星网冲浪	wxvpn.com
成都吉胜科技有限责任公司	云豹	sppedol.CNN
河北启天电子技术有限公司	视界通浏览器	shijietong.keyten.net
深圳市携网科技有限公司	天秤浏览器	vpn.yxsurf.com
北京博艺网讯科技有限公司	自由鲸浏览器	bjbywx.com
江苏萃起信息科技有限公司	腾讯浏览器	gjvpn.com

The only vendor for which we can find an official English name is: 任子行武汉分公司 （Surfilter Network Tech Wuhan Branch）.

[gfw-report]

In this Chinese blog post (archived), Yves X tested Kuniao browser and found:

• There was an encrypted file named words.dat which was suspected to be a keyword list.
• The browser could not access a website when the URL contains certain keywords.
• The browser contained a private self-signed CA.

[Gowee]

In Oct 2020, Qihoo 360 published multiple commercial censorship-circumvention apps under different names (绿光/SGreen, Tuber, etc.) shadowed by shell companies in several major Android app markets in China featuring direct access to Facebook, Youtube, Instagram and etc.

These apps work like typical mobile browsers with proxies (or other circumvention protocols) built-in. Users can try them for free after registering by phone number. I tested a few of them at that time, to find that the egress or ingress (not sure which since it was long ago) IP addresses are just of the CDN of Qihoo 360.

They appear to use similar keyword-based censorship tricks on a webpage basis. Since it is a browser instead of a generic proxy tool, the censorship can bypass protocol-layer security like HTTPS.

There were unverified rumors claiming that these apps were endorsed by the government. Due to the close tie between Qihoo 360 and the authority, I suppose it is not absolute nonsense. But just one or two weeks after the public exposure, they (were) shut down. Before that, they seem to be (relatively) widely known/used by some young netizens to access Instagram and other lifestyle/fashion SNS.

Media or SNS coverage:
https://webcache.googleusercontent.com/search?q=cache:sZxENY1MIEgJ:https://www.zaobao.com.sg/forum/zaodian/hai-qiang-xin-diao/story20201014-1092541
https://mobile.twitter.com/search?q=Tuber%E6%B5%8F%E8%A7%88%E5%99%A8
https://mobile.twitter.com/search?q=%E7%BB%BF%E5%85%89%E6%B5%8F%E8%A7%88%E5%99%A8