[liberationtech] Anticensorship in the Internet's Infrastructure
Frank Corrigan
email at franciscorrigan.com
Mon Jul 18 14:34:01 PDT 2011
Telex seems an interesting system, though I am puzzled whether the insertion of a 'secret' "cryptographic tag into the headers" could be detected, as the FAQ says it "looks" random, rather than is.
"To create a Telex connection, the client replaces this number with what we call a tag — essentially, an encrypted value that looks random until it's decrypted."
https://telex.cc/qa.html
Though as it is a proof-of-concept, could it go the same way as the 'vanish' concept, which I did manage to work with, but then development ceased. Vanish <http://vanish.cs.washington.edu/>
Frank
----- Original message -----
From: "Yosem Companys" <companys at stanford.edu>
To: "Liberation Technologies" <liberationtech at lists.stanford.edu>
Date: Mon, 18 Jul 2011 08:25:47 -0700
Subject: [liberationtech] Anticensorship in the Internet's Infrastructure
https://freedom-to-tinker.com/blog/jhalderm/anticensorship-internets-infrastructure
Freedom to Tinker is hosted by Princeton's Center for Information Technology Policy <http://citp.princeton.edu/>, a research center that studies digital technologies in public life. Here you'll find comment and analysis from the digital frontier, written by the Center's faculty, students, and friends.
Anticensorship in the Internet's Infrastructure
By J. Alex Halderman <https://freedom-to-tinker.com/user/jhalderm> - Posted on July 18th, 2011 at 6:30 am
I'm pleased to announce a research result that Eric Wustrow <https://ericw.us/trow>, Scott Wolchok <http://scott.wolchok.org/>, Ian Goldberg <http://www.cs.uwaterloo.ca/~iang/>, and I <https://jhalderm.com/> have been working on for the past 18 months: Telex <https://telex.cc/>, a new approach to circumventing state-level Internet censorship. Telex is markedly different from past anticensorship efforts, and we believe it has the potential to shift the balance of power in the censorship arms race.
What makes Telex different from previous approaches:
- Telex operates in the *network infrastructure* — at any ISP between the censor's network and non-blocked portions of the Internet — rather than at network end points. This approach, which we call "end-to-middle" proxying, can make the system robust against countermeasures (such as blocking) by the censor.
- Telex focuses on *avoiding detection* by the censor. That is, it allows a user to circumvent a censor without alerting the censor to the act of circumvention. It complements anonymizing services like Tor <https://torproject.org/> (which focus on hiding *with whom* the user is attempting to communicate instead of *that* the user is attempting to have an anonymous conversation) rather than replacing them.
- Telex employs a form of *deep-packet inspection* — a technology sometimes used to censor communication — and repurposes it to circumvent censorship.
- Other systems require distributing secrets, such as encryption keys or IP addresses, to individual users. If the censor discovers these secrets, it can block the system. With Telex, there are *no secrets* that need to be communicated to users in advance, only the publicly available client software.
- Telex can provide a *state-level response* to state-level censorship. We envision that friendly countries would create incentives for ISPs to deploy Telex.
For more information, keep reading, or visit the *Telex website <https://telex.cc/>*.
The Problem
Government Internet censors generally use firewalls in their network to block traffic bound for certain destinations, or containing particular content. For Telex, we assume that the censor government desires generally to allow Internet access (for economic or political reasons) while still preventing access to specifically blacklisted content and sites. That means Telex doesn't help in cases where a government pulls the plug on the Internet entirely. We further assume that the censor allows access to at least some secure HTTPS websites. This is a safe assumption, since blocking all HTTPS traffic would cut off practically every site that uses password logins.
Many anticensorship systems work by making an encrypted connection (called a "tunnel") from the user's computer to a trusted proxy server located outside the censor's network. This server relays requests to censored websites and returns the responses to the user over the encrypted tunnel. This approach leads to a cat-and-mouse game, where the censor attempts to discover and block the proxy servers. Users need to learn the address and login information for a proxy server somehow, and it's very difficult to broadcast this information to a large number of users without the censor also learning it.
How Telex Works
<https://dl.dropbox.com/u/91818/ftt/telex-brief_800.png>
Telex turns this approach on its head to create what is essentially a proxy server without an IP address. In fact, users don't need to know any secrets to connect. The user installs a Telex client app (perhaps by downloading it from an intermittently available website or by making a copy from a friend). When the user wants to visit a blacklisted site, the client establishes an encrypted HTTPS connection to a non-blacklisted web server outside the censor's network, which could be a normal site that the user regularly visits. Since the connection looks normal, the censor allows it, but this connection is only a decoy.
The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers. We construct this tag using a mechanism called public-key steganography. This means anyone can tag a connection using only publicly available information, but only the Telex service (using a private key) can recognize that a connection has been tagged.
As the connection travels over the Internet en route to the non-blacklisted site, it passes through routers at various ISPs in the core of the network. We envision that some of these ISPs would deploy equipment we call Telex stations. These devices hold a private key that lets them recognize tagged connections from Telex clients and decrypt these HTTPS connections. The stations then divert the connections to anticensorship services, such as proxy servers or Tor entry points, which clients can use to access blocked sites. This creates an encrypted tunnel between the Telex user and Telex station at the ISP, redirecting connections to any site on the Internet.
Telex doesn't require active participation from the censored websites, *or* from the non-censored sites that serve as the apparent connection destinations. However, it does rely on ISPs to deploy Telex stations on network paths between the censor's network and many popular Internet destinations. Widespread ISP deployment might require incentives from governments.
Development so Far
At this point, Telex is a concept rather than a production system. It's far from ready for real users, but we have developed proof-of-concept software for researchers to experiment with. So far, there's only one Telex station, on a mock ISP that we're operating in our lab. Nevertheless, we have been using Telex for our daily web browsing for the past four months, and we're pleased with the performance and stability. We've even tested it using a client in Beijing and streamed HD YouTube videos, in spite of YouTube being censored there.
Telex illustrates how it is possible to shift the balance of power in the censorship arms race, by thinking big about the problem. We hope our work will inspire discussion and further research about the future of anticensorship technology.
You can find more information and prototype software at the *Telex website <https://telex.cc/>*, or read our technical paper <https://telex.cc/paper.html>, which will appear at Usenix Security 2011 <http://www.usenix.org/events/sec11/> in August.
_______________________________________________
liberationtech mailing list
liberationtech at lists.stanford.edu
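An added worked example, written for this page and not taken from the thread, from Telex's client or station code, or from the Telex paper. It illustrates the two points the post and Frank's reply turn on: the "public-key steganography" tag, where anyone holding the station's public key can mark a connection and only the station's private key can recognize the mark; and the difference between a tag that "looks random" and one that is random. Everything concrete here is an assumption for the illustration: Curve25519 for the Diffie-Hellman step, a hypothetical 40-byte client-nonce field (a 32-byte DH share plus an 8-byte check value) rather than the real TLS ClientHello random, and HMAC-SHA256 for the check and tunnel key. Telex's actual tag layout and encoding are specified in its paper, and the function names below (station_keygen, client_tag, station_recognize, on_curve25519) are mine. The last part plays the censor: with no key at all, it tests whether the first 32 bytes of the field are the x-coordinate of a Curve25519 point, which a plain X25519 output always is and uniform random bytes are only about a quarter of the time. That is exactly the kind of keyless statistical test a "looks random" encoding has to survive.

```python
"""Public-key steganographic tagging, an added illustration (not Telex's code).

Assumed for the example (none of this is from the post or the Telex paper):
Curve25519 for the Diffie-Hellman step, a hypothetical 40-byte client-nonce
field holding a 32-byte DH share plus an 8-byte check value, and HMAC-SHA256
for the check and the tunnel key.  Telex's real tag layout is in its paper.
"""
import hashlib
import hmac
import os
import random
from typing import Callable, List, Optional, Tuple

P = 2**255 - 19            # Curve25519 field prime
A = 486662                 # Montgomery form: v^2 = u^3 + A*u^2 + u
A24 = (A - 2) // 4
BASE_U = (9).to_bytes(32, "little")

SHARE_LEN, CHECK_LEN = 32, 8
TAG_LEN = SHARE_LEN + CHECK_LEN   # hypothetical field width (see lead-in)


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping."""
    n = int.from_bytes(k, "little")
    n &= ~7                    # clear the low 3 bits (cofactor)
    n &= (1 << 255) - 1        # clear bit 255
    n |= 1 << 254              # set bit 254
    return n


def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 (RFC 7748 Montgomery ladder). Not constant-time: illustration only."""
    n = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def station_keygen(rng: Callable[[int], bytes] = os.urandom) -> Tuple[bytes, bytes]:
    """Station's long-term key pair; only the public half ships in the client."""
    priv = rng(32)
    return priv, x25519(priv, BASE_U)


def _check_value(secret: bytes, share: bytes) -> bytes:
    return hmac.new(secret, b"tag-check" + share, hashlib.sha256).digest()[:CHECK_LEN]


def client_tag(station_pub: bytes, rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Tag a connection using only the station's public key (no pre-shared secret)."""
    r = rng(32)
    share = x25519(r, BASE_U)          # ephemeral DH share, sent in the clear
    secret = x25519(r, station_pub)    # only the station can recompute this
    return share + _check_value(secret, share)


def station_recognize(station_priv: bytes, field: bytes) -> Optional[bytes]:
    """Return a tunnel key if the field is tagged for this station, else None."""
    if len(field) != TAG_LEN:
        return None
    share, check = field[:SHARE_LEN], field[SHARE_LEN:]
    secret = x25519(station_priv, share)
    if not hmac.compare_digest(_check_value(secret, share), check):
        return None
    return hashlib.sha256(b"tunnel-key" + secret).digest()


def on_curve25519(u: bytes) -> bool:
    """Censor-side test needing no key: is u the x-coordinate of a Curve25519 point?"""
    x = int.from_bytes(u, "little")
    if x >= P:
        return False               # a real X25519 output is always reduced mod P
    rhs = (x * x * x + A * x * x + x) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1   # Euler's criterion


def fraction_on_curve(fields: List[bytes]) -> float:
    """Share of nonce fields whose first 32 bytes pass the censor's curve test."""
    return sum(on_curve25519(f[:SHARE_LEN]) for f in fields) / len(fields)


def demo(n: int = 200, seed: int = 1) -> dict:
    """Tagged vs untagged fields: the station recognizes tags, while a keyless
    observer can still separate the two populations statistically."""
    rng = random.Random(seed)      # deterministic only for the demo; use os.urandom in practice

    def rb(k: int) -> bytes:
        return rng.getrandbits(8 * k).to_bytes(k, "little")

    priv, pub = station_keygen(rb)
    tagged = [client_tag(pub, rb) for _ in range(n)]
    untagged = [rb(TAG_LEN) for _ in range(n)]   # constructed "ordinary" nonces
    return {
        "tagged_recognized": sum(station_recognize(priv, f) is not None for f in tagged),
        "untagged_recognized": sum(station_recognize(priv, f) is not None for f in untagged),
        "tagged_on_curve": fraction_on_curve(tagged),      # 1.0: every share is a curve point
        "untagged_on_curve": fraction_on_curve(untagged),  # about 0.25 for uniform bytes
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the station side comes out as the post describes: every tagged field yields a tunnel key, no untagged field does, and nobody without the private key can confirm a specific field is tagged. The last two numbers are the caveat: with this naive encoding the tagged population passes the curve test every time while ordinary nonces pass about a quarter of the time, so a censor comparing the two distributions over many connections could flag the tagged client even though no single tag is decodable. Any real deployment needs a point encoding whose output is indistinguishable from uniform bytes, and whether Telex's own encoding meets that bar is a question for its paper rather than this example.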