Ultrasurf proxy traffic classified as HTTPS
Article Number: 000001625
Published: February 23, 2017
When the Ultrasurf proxy is turned on, all traffic it generates over the Exinda is shown as 'HTTPS'.
Ultrasurf is a proxy application that many users run to get around blocks on certain types of traffic and to mask the origin of their traffic for greater anonymity on the internet. The application is updated frequently with more ways to circumvent blocks. In the Exinda real-time monitor, all Ultrasurf traffic shows as 'HTTPS' regardless of origin, site, or actual traffic. There are no other identifying features.
Ultrasurf is a proxy service, meaning that it encrypts and tunnels traffic from the source over its network to an end point, and then out to the destination. It is a constantly changing application with multiple end points and tunneling methods. While the Exinda has a definition for Ultrasurf, ongoing development of the proxy can change its traffic so that it no longer matches the existing definition.
If the Chrome plugin is in use, rather than the standalone application, it is possible to create an SSL wildcard and add it to the Ultrasurf application on the Exinda so that the traffic classifies correctly.
- Navigate to Configuration > Objects > Applications
- Edit the Ultrasurf application
- Create a new L7 Signature for it with the following information:
  - ssl > advanced > common_name =% "ultrasurf"
ExOS 7.4.4u2 fixes this problem. Please see the release notes for more information.
The Exinda engineers are investigating how to update the Ultrasurf application to better handle its traffic and more accurately match it.