Telex Would Work, But Is It Overkill?

CmdrTaco posted more than 2 years ago | from the kill-it-again dept.

Slashdot regular contributor Bennett Haselton wrote in this week to say that "The proposed 'Telex' anti-censorship system could technically work, but unless I'm missing something, it would be more cost-effective to spend the same resources on fighting censorship using existing technologies." His essay on the subject follows.

Professor Alex Halderman published a paper in July describing a new anti-censorship system called Telex, whereby users in censored countries could request banned websites by sending an encrypted request to an SSL-enabled website (i.e., a Web address beginning with https://) outside of their country -- even if the owner of the SSL-enabled website is not participating in the scheme. Since encrypted communications usually contain some random variation, that random variation can be used to embed hidden messages, which can then be decoded by any third-party observer who intercepts the communication and knows how to decode the hidden message. The third-party observer still cannot decode the original encrypted communication between the end user and the SSL-enabled website -- SSL is designed to be unbreakable by all but the intended recipient -- but the observer can decode the "side message" that was designed to be intercepted in transit. So a Telex-enabled router, in the process of passing the communication along, would notice the hidden request for a banned website, and pass the requested content back to the original user.

By analogy, suppose Mrs. Smith wants to send a letter to a friend. Mrs. Smith knows the letter will be sealed, and supposedly unopenable by the postman. But Mrs. Smith also has many choices of colored envelopes to use, and she has agreed with the postman on a color-coded system -- red for "Meet me tonight at the Motel 6", blue for "Not tonight, he suspects something" -- that the postman can "decode" when he picks up the envelope for delivery. The choice of envelope color is the "random variation" inherent in the sending of the message, which the message sender can use to send a "side message" to anyone who passes it along and who knows the system. The postman -- who is analogous to the Telex-enabled router -- has no access to the original sealed message inside the envelope, but he understands the side message just fine. (A Telex user may have no control over what routers their messages pass through, though, so they simply have to hope that there are enough Telex-enabled routers on the Internet that one of them will pick up the message and decode it. Imagine many different amorous mail carriers in the Postal Service, and any one of them who finds the colored envelope will be happy to show up at the appointed time, if Mrs. Smith is not picky.)

The novel feature of Telex is that it would not require the cooperation of the owner of the SSL-enabled website in order to work. You could send an encrypted communication to any website -- https://www.paypal.com/ for example -- and any Telex-enabled routers along the pathway traveled by the connection, would be able to decode the embedded message hidden in the randomness of the encryption. By contrast, for a user to make use of a typical proxy website like Vtunnel, the owner of the Vtunnel website has to set up the site as a proxy; this means the supply of such sites is limited to those websites whose owners have installed proxy software, and the censors have a greater chance of finding and blocking them all. Telex, on the other hand, would continue to work as long as the user in the censored country was able to access any SSL-enabled website, as long as their request happened to pass through a Telex-enabled router.

So far, so good. But this would presumably require an investment of at least several million dollars by any major backbone provider who wanted to try it, by re-configuring their major routers to speak the Telex protocol, and then potentially hundreds of millions of dollars for a sustained long-term effort. (As Halderman says, "We like to envision this technology as a possible government-level response to government-level censorship.") So here's my question: If any backbone provider (or government entity) wanted to go to that trouble to support the cause of fighting Internet censorship, why wouldn't it be much more straightforward for them to just set up proxy websites themselves?

Professor Halderman didn't respond to my inquiry on that point. The Telex FAQ notes that censorious governments can easily block new proxy sites once they find out about them. But in many censored countries, most proxy sites are not blocked, either because the government isn't trying, or they can't keep up. In China, hardly any proxy sites are blocked at all, as the government seems to put more of their resources into suppressing local dissent directly. Meanwhile in Iran, the censors do put more resources into actually blocking proxy sites -- but because Iran is on the U.S. State Department's embargo list, Iranian censors can't buy Internet censoring software from U.S. companies, so they have to find and block the sites themselves. As a result, newly released proxy sites often stay unblocked longer in Iran than they do in other Middle Eastern countries that use U.S.-made blocking software. Meanwhile, Saudi Arabia, for whatever reason, doesn't seem to block proxy sites at all for the time being. (Saudi Arabia is a strange outlier, since most conservative Islamic countries that filter the Web, also block proxy sites as well. It's not clear why Saudi Arabia doesn't.) So if a government or a philanthropist wants to help the cause of fighting censorship, just set up some proxy sites and pay to keep them running -- and you'll be helping the residents of all of those countries right away, for starters. This is in fact what Voice of America (through their various proxy programs) and the founders of UltraSurf (a privately funded network of anti-censorship servers) have been doing all along.

Even in the case of countries like U.A.E. and Yemen that are reasonably quick at finding and blocking proxy sites (as a result of using Western-made blocking software), the most cost-effective way to help these users is probably to set up more proxy sites, hosted at different locations and perhaps with legitimate-looking "decoy" content, so that U.S. censorware companies can't keep up. My experience has been that the more money you spend (using unique IP addresses, buying .com domains instead of cheap .info ones, and setting up lots of proxies so that each one is sent to only a subset of your target audience), the longer the proxy sites last. You can also use proxy-like services (such as Tor, Hotspot Shield and UltraSurf) to route traffic through dedicated servers, to circumvent censorship in a way that is more transparent and convenient to the end user.

In short, existing proxy sites (and proxy-like services) do the job pretty well for many censored countries, and a massive cash expenditure on setting up more proxies (equivalent to the cost of setting up the Telex system) would probably be enough to demolish all other national filtering schemes completely. The software and tools to run proxy sites have already been tried and tested; all it takes to run them is money. Telex, by contrast, would require backbone providers to alter the architecture of their systems -- which means large-scale testing, isolation of any problems that arise, and countless other potential headaches. And that's not even counting the fact that censorious countries might detect which backbone providers are using Telex, and block all traffic from their countries to any sites hosted on those networks.

So I think Telex is a brilliant technical achievement, and I'd be happy if it got deployed, but I'd be scratching my head as to why the backbone providers (or the government, or whoever sponsored the effort) decided to kill a gnat with a flamethrower. I deal in flyswatters for a living, and they get the job done.

92 comments

Why do they post any of this guy's stuff? (-1)

Anonymous Coward | more than 2 years ago | (#36961440)

Bennett Haselton is an idiot. Read some of his bullshit trying to defame judges (www.judgejokes.com) and it's clear how little he actually understands.

Re:Why do they post any of this guy's stuff? (1)

1s44c (552956) | more than 2 years ago | (#36961904)

Bennett Haselton is an idiot. Read some of his bullshit trying to defame judges (www.judgejokes.com) and it's clear how little he actually understands.

I don't believe Telex could work. However whatever Bennett Haselton thinks about US judges has nothing to do with the reasons why. If he had a few bad experiences and decided to mock a few power-mongers publicly then good on him.

Re:Why do they post any of this guy's stuff? (1)

Garridan (597129) | more than 2 years ago | (#36964240)

Why don't you believe it would work? The steganography itself is encrypted: it can only be detected by one holding the private key. Chat-enabled gmail produces enough https traffic that if Google installed Telex servers, there'd be plenty of capacity for legitimate use (that is, not downloading gigabytes of kiddie porn). If this had government / ISP backing, it'd be highly effective: the "message in a bottle" problem goes away if you know your destination will catch the message.

The only problem I see so far is that it appears that the user needs to trust the Telex server operators. For example, if a curious American citizen uses Telex to obscure their visits to al-qaeda websites, it can likely be traced back to them. Am I missing something?

Re:Why do they post any of this guy's stuff? (1)

1s44c (552956) | more than 2 years ago | (#36964976)

Two reasons this won't work spring to mind:
1) This requires core routers to attempt decryption on all SSL traffic passing through them. This is deep packet inspection on a scale the Internet has never seen and would require massively expensive router upgrades, if it's even possible at all. The companies expected to carry out all this work get no commercial benefit for their efforts. It's unlikely anyone else will pay these companies to do this work.
2) The whole security model relies on a secret key being held on a massive number of different core routers. Should this secret key ever be leaked, anyone with it can detect that secret data is being sent. It won't be possible for either side in the communication to know if this is happening. You want to use this against China? Guess who built the hardware that holds the secret key?

Re:Why do they post any of this guy's stuff? (1)

gcnaddict (841664) | more than 2 years ago | (#36962232)

I'm inclined to agree with your analysis (though I wouldn't have been as harsh about it) as it seems Bennett missed a critical point:

Upkeep on a Telex-enabled system would theoretically be much less than with a coordinated proxy system used to "outrun" censors. The advantage to Telex is that -- barring a flaw in, say, RSA or PGP PKI -- all that's needed is one public key and a minimal application which handles the client-side logic, or in simpler terms, two files which would remain static barring either a leak of the private key, a cryptanalytical break, or a discovery of every Telex interceptor, all of which would happen far less often than the blocking of a proxy but would be as easy, if not easier, to correct.

Heck, the facilities for this still exist. The NSA intercepts and conducts deep packet inspection on packets throughout the vast majority of the Internet. This would be a bolt-on fix, and no one would have to know the NSA did it.

If the end result of the same initial investment in either Telex or Proxies would be the downfall of most (or all) censorship systems, why not go the route that saves on upkeep?

Re:Why do they post any of this guy's stuff? (1)

Bieeanda (961632) | more than 2 years ago | (#36963560)

Missing a critical point is a common theme in Haselton's opinion dumps. I used to have a lot of support for him when he was raising the alarm on Cybersitter and the specter of censorware with very strong political leanings, but he went out to lunch years ago and hasn't come back.

Still don't see what it has to do with teleprinter (1)

Anonymous Coward | more than 2 years ago | (#36961476)

Telex [wikipedia.org] is already defined...find another name.

Re:Still don't see what it has to do with teleprin (0)

Anonymous Coward | more than 2 years ago | (#36961620)

There is that delicious part about TOR (Telex-On-Radio).. Acronym overload is imminent.

Re:Still don't see what it has to do with teleprin (1)

WrongSizeGlass (838941) | more than 2 years ago | (#36961740)

There is that delicious part about TOR (Telex-On-Radio).. Acronym overload is imminent.

You mean TBNTT (Telex, But Not That Telex)?

Re:Still don't see what it has to do with teleprin (1)

gcnaddict (841664) | more than 2 years ago | (#36961926)

Tint

Telex is not telex.

Re:Still don't see what it has to do with teleprin (2)

icebraining (1313345) | more than 2 years ago | (#36962116)

Tint is not TECO!

Re:Still don't see what it has to do with teleprin (1)

rsilvergun (571051) | more than 2 years ago | (#36967962)

Yeah, but is it Linux?

Re:Still don't see what it has to do with teleprin (1)

i.am.delf (1665555) | more than 2 years ago | (#36961656)

Came here to say this. Reusing names within the same field is fail. If you cannot be bothered to google a term to make sure it is relatively unused, you are lazy. When you work in electronics, computers or communication and don't even realize there is a protocol called Telex already....
It would be like someone saying I have a great idea for a computer. We shall name it UNIVAC...

Re:Still don't see what it has to do with teleprin (1)

bsharp8256 (1372285) | more than 2 years ago | (#36962042)

It would be like someone saying I have a great idea for a computer. We shall name it UNIVAC...

Great idea!

Re:Still don't see what it has to do with teleprin (1)

grimmjeeper (2301232) | more than 2 years ago | (#36963234)

Or, perhaps, I want to make a new operating system that can run multiple copies of Unix. Though I want the name to mean something other than just a play on Unix. I'll change the last couple of letters and call it Multics for "Multiple Computer Servers"...

Re:Still don't see what it has to do with teleprin (0)

Anonymous Coward | more than 2 years ago | (#36963244)

Now I've finally got a use for the ASR-33s in my garage! Will the rotary-dial one work with this?

Re:Still don't see what it has to do with teleprin (2)

Marillion (33728) | more than 2 years ago | (#36963370)

There is an old tradition of airport telex machines (still in use today) being used to communicate with the outside world in the days before the Internet. Just before a massive crackdown, dictators would shut down all phone lines going out of the country but overlook the airport telex circuits.

Stop Interfering In Their Internal Affairs! (0)

Anonymous Coward | more than 2 years ago | (#36961478)

I appreciate the idealism and effort of this author, but why the fuck should he be trying to involve himself or be so concerned over other countries' issues with respect to censorship?

Some countries and their respective governments don't have the same western notion of free speech, I think it's only fair we stay out of these fights. Why do outsiders think they know what is better for their countries?

It's too bad, but I think we shouldn't be trying to help get around their laws and ways of life.

Re:Stop Interfering In Their Internal Affairs! (1)

YodasEvilTwin (2014446) | more than 2 years ago | (#36961546)

So your basic position is that governments should be able to do whatever they want, and individual citizens should never be helped to do anything the government doesn't like? I hardly think the average Chinese citizen thinks that they shouldn't be allowed to access a website just because their communist overlords decided they weren't allowed to. Blocking websites isn't a "way of life".

Re:Stop Interfering In Their Internal Affairs! (1)

houghi (78078) | more than 2 years ago | (#36962038)

So your basic position is that governments should be able to do whatever they want, and individual citizens should never be helped to do anything the government doesn't like?

Hey, it works for the Americans, so why should it not in other countries?

Re:Stop Interfering In Their Internal Affairs! (1)

HarrySquatter (1698416) | more than 2 years ago | (#36964742)

I hardly think the average Chinese citizen thinks that they shouldn't be allowed to access a website just because their communist overlords decided they weren't allowed to.

Then you know very little about the culture of the Chinese.

Re:Stop Interfering In Their Internal Affairs! (4, Insightful)

MozeeToby (1163751) | more than 2 years ago | (#36961570)

They're called Human Rights, not Citizen Rights. In the same way that many people feel it is immoral to sit by and watch another man starve, there are many people who believe it is immoral to sit by and watch other people be denied the basic Human Right of free communication and access to knowledge.

Re:Stop Interfering In Their Internal Affairs! (0)

Anonymous Coward | more than 2 years ago | (#36961808)

I think it's immoral for anyone, man or government, to steal from me.

Re:Stop Interfering In Their Internal Affairs! (0)

Anonymous Coward | more than 2 years ago | (#36961912)

Ah, another tea party 'patriot'.

Re:Stop Interfering In Their Internal Affairs! (3, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#36961624)

I'm afraid that my way of life obligates me to meddle in other people's affairs and ways of life. This is a cherished custom I inherited from my ancestors, and one of the vital elements of my culture. Without it I would be culturally rootless and alienated.

Please try to be sensitive and respect my deeply held customs and beliefs, rather than arrogantly forcing me to conform to yours.

Re:Stop Interfering In Their Internal Affairs! (0)

Anonymous Coward | more than 2 years ago | (#36961820)

If I had mod points, you would get them.

To many people, helping others is an important part of their lives, even if that help goes to someone in another country.

Re:Stop Interfering In Their Internal Affairs! (1)

colinrichardday (768814) | more than 2 years ago | (#36963898)

But if my culture obligates me to be insensitive to your culture?

Re:Stop Interfering In Their Internal Affairs! (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#36970004)

I think, at that point, that we resort to some unpleasant Ultima Ratio Regum style solution and see whose culture happens to have developed more efficient means for wiping out the hosts infected by the other's...

Re:Stop Interfering In Their Internal Affairs! (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#36970200)

In seriousness, both about the above and about my original post, this really illustrates a fairly important distinction within the set of things that fall under "culture", and which affects how cultural tolerance/intolerance, diversity, etc. work:

There are, first, those elements of culture which are not mutually exclusive, or mutually exclusive in such a limited sense (oh noes! If I try to eat more than three traditional evening meals from different cultures in the same night I will be too full!) as to not matter. Funny clothes, weird food items, culturally sanctioned 'my invisible friend and/or the traditions of my ancestors say that these are my days off' days, etc. These occasionally cause minor inconvenience, sometimes cause modest advantages (like Chinese take-out, or the fact that it's easier to find people to take the Christmas shifts when you've got people who aren't even culturally linked to Abrahamic monotheisms on staff...)

However, "culture" deals with more than food items and traditional dress and whatnot. It also covers things like the legitimate distribution of power, the legitimate users of force, and the legitimate circumstances, and victims, of that legitimate force. These things are mutually exclusive. You cannot have a divine-right monarch and a constitutional representative democracy as the simultaneously supreme governing power. Neither is compatible with a theocratic state.

At some point, in order to constitute a society, you pretty much have to declare a given set of cultural priorities supreme in the mutually-exclusive stuff that it defines. Some such declarations create vastly greater impositions than others on members of other cultural groups(eg. "your entire religion is heathenish satan worship, it is hereby suppressed." vs. "nope, sorry, stoning people for ritual uncleanness is murder under the law, you'll have to give that up or face the slammer."); but they all create some. You just have to decide which toes get stepped on.

Re:Stop Interfering In Their Internal Affairs! (2)

WrongSizeGlass (838941) | more than 2 years ago | (#36961768)

I appreciate the idealism and effort of this author, but why the fuck should he be trying to involve himself or be so concerned over other countries' issues with respect to censorship?

Some countries and their respective governments don't have the same western notion of free speech, I think it's only fair we stay out of these fights. Why do outsiders think they know what is better for their countries?

It's too bad, but I think we shouldn't be trying to help get around their laws and ways of life.

Because it is other countries at the moment but there will come a day in the relatively near future that some restrictions are placed upon those of us in 'free' countries.

Re:Stop Interfering In Their Internal Affairs! (1)

jythie (914043) | more than 2 years ago | (#36961852)

This is an important point.... I find it amusing that some of the technologies that the US government helped fund to thumb their noses at China are now being decried in the US with the same agencies scrambling to find ways to break them. Fighting for the freedom of Chinese citizens, but freaking out when their own use the same protections.

Telex (0)

Anonymous Coward | more than 2 years ago | (#36961490)

"Telex" is something completely different. I can't take someone seriously when they make that sort of schoolboy error. You might as well call it "Microsoft".

How can this work? (2)

elFisico (877213) | more than 2 years ago | (#36961498)

What is hindering the oppressive regime to install its own telex-routers at the boundaries and filter out all telex-requests? Or, to use the analogy: why shouldn't the regime just block all coloured envelopes?

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36961550)

http://en.wikipedia.org/wiki/Steganography

All envelopes are colored. You can't just "block every envelope" without turning the entire Internet off.

Re:How can this work? (1)

Osgeld (1900440) | more than 2 years ago | (#36962032)

yea it's not that hard to turn off the Internet when government does not want you to have it

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36961566)

I always laugh when people talk about oppressive regimes. Like China? Like the UAE and Iran?

With regards to digital rights, America IS a fucking oppressive regime. Given the choice of this new soviet union, I root for China.

Re:How can this work? (1)

jythie (914043) | more than 2 years ago | (#36961868)

While the US has problems and I agree we need to fight them.. it is nowhere on the scale of China/UAE/Iran.

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36962566)

Yeah, that's borderline disgusting. The US isn't exactly perfect and the digital rights stuff is getting pretty bad but have you even paid attention to the human rights violations of China? Don't you remember all the protests over the Olympics going there? People didn't pull that particular problem out of their butts!

America has done some screwed up stuff but, for the most part, you don't have to worry about the government taking you away in the middle of the night to your death. It's like comparing Lucky Luciano to Hitler. Yeah, Luciano was no saint, but who has the higher body count?

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36961576)

What is hindering the oppressive regime to install its own telex-routers at the boundaries and filter out all telex-requests? Or, to use the analogy: why shouldn't the regime just block all coloured envelopes?

I think you're supposed to say "why shouldn't the regime just block all african-american envelopes?" these days

Re:How can this work? (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#36961586)

The theory, I'm assuming, is that by building the side-channel into SSL interactions with neutral parties, they are making it much harder to block the side-channel without also blocking a great deal of "legitimate" activity that the regime would find useful.

Banking, commerce, the sort of stuff that induces the regime to not just block the whole damn internet. By doing that, instead of using a custom protocol, or using an SSLed connection to welovedissidentsinothercountries.us, both of which would be pitifully trivial to block, they would force the regime to either block a whole lot of economically useful traffic, or substantially degrade its security(the banks, for instance, are presumably already cooperating, so forcing them to drop SSL just makes it easier for the hackers...)

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36961752)

But that doesn't quite work either, does it? Assuming that Telex uses the previously "random" information to request sites using a specific protocol, it should be trivial to intercept and dump only requests containing the extra Telex information. Normal SSL requests would pass unfettered. This assumes the Telex protocol / encoding is public, but if it is not, it simply becomes another cat and mouse.

Alternatively, if it is possible to read the random information without reading the encrypted data, would it be possible to modify the random (i.e., Telex) information? Or is there something else (hashing functions perhaps) preventing this?

Re:How can this work? (1)

elFisico (877213) | more than 2 years ago | (#36961836)

Exactly my point. Without a secret that is known only to the client and the "good" router but not the regime the whole scheme falls apart...

Re:How can this work? (1)

icebraining (1313345) | more than 2 years ago | (#36962066)

But if the Telex routers can detect the side message without breaking the SSL encryption, why couldn't the government routers?

In fact, why couldn't the government install Telex routers in every ISP they control, but modify the software to drop instead of forwarding the requests?

Re:How can this work? (1)

AJH16 (940784) | more than 2 years ago | (#36962240)

This was exactly my question as well. It relies on an uninvolved party being able to recognize and redirect the request which would seem to render the entire system useless if the censor can get access to a router that recognizes the data to be forwarded. It could then be stripped or blocked. I've yet to hear a good explanation of how the system is supposed to avoid this issue.

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36962708)

The system appears to rely on a cryptographic/steganographic principle that only the holder of some private key is even able to detect the presence of a steganographic message in an encrypted message.

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36964330)

RTFP.
It's because it's plausibly deniable communication. You use public key cryptography to generate the seed inside the SSL handshake, and the censors don't have your key. If they gain your key, then the web of trust begins to detect that you and new keys seeded from your key are evil, and closes their access to the system. Without a valid key, you cannot differentiate legitimate SSL from Telex.

My other comment:
http://yro.slashdot.org/comments.pl?sid=2360828&cid=36964222

Grok!

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36973230)

The Telex routers need a private key in order to detect or decrypt Telex requests.

https://telex.cc/qa.html#censor-deploy

Re:How can this work? (1)

Baloroth (2370816) | more than 2 years ago | (#36961668)

Exactly. The message has to be freely readable by any Telex routers, so presumably it has to be a fairly well known and distributed system (you can't just communicate with one router, since you don't know exactly how it'll be routed). Ideally, you could prevent the sale of Telex routers to that country, which might slow it down a bit, and presumably using the wonders of asymmetrical crypto the user software wouldn't be enough to decode the routing message. So it could work, but only in a pretty limited way.

The basic idea seems interesting, though, as it would render the network itself a proxy, rather than routing through a single machine. Be really cool if there was a way to do this so that even knowing the exact details of the system, the host government couldn't stop the message, much as public key crypto can't* be broken even knowing the public key. Don't know if that would be possible, though.

*In the time before the end of the universe, anyways.

Re:How can this work? (0)

Anonymous Coward | more than 2 years ago | (#36961914)

So what would stop your favourite regime from playing the man-in-the-middle on ssl connections?
Thereby cutting the side channels on their border ssl proxies.

They'd provide their own replacement certs and require every browser to trust them.
And of course they'll claim additional security for the average citizens (Because their 'experts' will deal with all these incompetent CAs out there, blocking the corrupted malware infested stuff...).

Re:How can this work? (1)

mossholderm (570035) | more than 2 years ago | (#36961710)

What is stopping them is the fact that you have to be one of the appropriate telex destinations to even tell that a telex message is passing by. If you don't know the appropriate parameters, you can't tell that the SSL connection even has a telex message inside, much less tell what the message says.

Re:How can this work? (1)

elFisico (877213) | more than 2 years ago | (#36961864)

This would imply that there is a secret shared between a "good" telex router and the client, but not the regime. How would one organize the distribution of such secrets to the clients without the regime being able to either block the distribution or sniff out the secrets?

This is just shifting the problem from the communication link level to the secret distribution level...

Re:How can this work? (1)

gcnaddict (841664) | more than 2 years ago | (#36962012)

...but there is a shared secret.

The Telex header is public key encrypted on the client-side; only the private key of the backbone can be used to even know something is there at all. Just setting up another Telex interceptor won't mean anything as the new interceptor would have to have the private key that matches the public key of the clients using the service. Otherwise, it wouldn't know what to intercept because the request would otherwise blend in with all the other noise of that https connection.

All a client needs is the public key and the requisite software. Unlike proxy sites which get blocked in droves, such a small pair of files would be almost impossible to track and block. Before long, it would just be distributed through old-fashioned hand-offs via flash drives.

Re:How can this work? (1)

elFisico (877213) | more than 2 years ago | (#36964946)

OK, this finally makes sense. So it is steganography as well as encryption. Now I get it! :-)

And there is no way to corrupt the side-channel-information?

Re:How can this work? (1)

bgt421 (1006945) | more than 2 years ago | (#36962710)

The answer is public-key cryptography, where I can send you a message encrypted with your public key, and only you (who knows the matching private key) can decrypt the message. A high-level analogy is sending everyone a box that they can close and lock, but only you have the key to unlock. It's impractical to obtain a private key given a public key. The tags or "secret messages" -- the colored notes in the analogy -- are messages encrypted with the public key of the Telex system in use. The initial analysis by the researchers indicates that it is infeasible to determine if a tag is actually a tag or just a random number. Only a Telex server can tell if the field that holds the tag is a tag or not. Compromising the tag system in the way you describe would require compromising the private key from the Telex system. This would require quantum computing or espionage (stealing the key from the Telex system). It's a neat solution, actually.

Re:How can this work? (1)

elFisico (877213) | more than 2 years ago | (#36965048)

Hmm, ok, now it makes sense. But would it be possible to corrupt the message in the side-channel without invalidating the ssl-connection? That would mean there is a way to block the transfer after all...

Re:How can this work? (1)

Lorde (1535053) | more than 2 years ago | (#36962714)

It would work because only friendly Telex stations outside of the censor's reach will be given the private key. Without the private key, it would be impossible to tell a Telex tag from a legit encryption nonce. The censor must either get hold of the private key - and the service could be built to use a new private key every few minutes - or brute force decrypt the suspected Telex tag, which is a lot more trouble than it's worth. The system operates on the same principle as RSA encryption - everyone knows how to perform the encryption/decryption process, but only a select few have the necessary keys to actually DEcrypt the message. The censor could go ahead and build as many Telex stations as they want, but unless someone gives them the private key they won't be able to tell a Telex tagged request from, say, a legit bank transaction request.
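The recognition property described in the comments above (only the holder of the station's private key can tell a tag from a random nonce), as an added example that is not part of the thread and is not the Telex project's code. It is a toy Diffie-Hellman construction: the group (integers modulo 2**255 - 19, base 2), the 48-byte field, the context string and all function names are assumptions for illustration, and the parameters are not secure.

```python
import hashlib
import hmac
import secrets

# Toy group: integers modulo the prime 2**255 - 19 with base 2 (assumption,
# picked because the prime is easy to state; NOT secure parameters).
P = 2**255 - 19
G = 2
GROUP_LEN = 32   # bytes used to carry the client's ephemeral group element
CHECK_LEN = 16   # bytes of hash that only the key holder can recompute


def keygen():
    """Return (private exponent, public value). Clients only get the public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _check(shared: int, context: bytes) -> bytes:
    """Hash of the Diffie-Hellman shared value, bound to the connection context."""
    data = shared.to_bytes(GROUP_LEN, "big") + context
    return hashlib.sha256(data).digest()[:CHECK_LEN]


def make_tag(station_pub: int, context: bytes) -> bytes:
    """Client side: build a tag using nothing but the station's public key."""
    r = secrets.randbelow(P - 2) + 1          # fresh secret per connection
    eph = pow(G, r, P)                        # sent in the clear inside the tag
    shared = pow(station_pub, r, P)           # station can recompute this as eph**priv
    return eph.to_bytes(GROUP_LEN, "big") + _check(shared, context)


def is_tag(priv: int, candidate: bytes, context: bytes) -> bool:
    """Station side: true only if the candidate was built for this private key."""
    if len(candidate) != GROUP_LEN + CHECK_LEN:
        return False
    eph = int.from_bytes(candidate[:GROUP_LEN], "big")
    if not 0 < eph < P:
        return False
    shared = pow(eph, priv, P)
    return hmac.compare_digest(candidate[GROUP_LEN:], _check(shared, context))


def demo():
    """Constructed scenario: one real station, one observer with its own key pair."""
    station_priv, station_pub = keygen()
    observer_priv, _ = keygen()               # e.g. a box the censor set up itself
    ctx = b"constructed-connection-id"        # sample value, not a real TLS field
    tag = make_tag(station_pub, ctx)
    plain_nonce = secrets.token_bytes(GROUP_LEN + CHECK_LEN)
    return {
        "station_sees_tag": is_tag(station_priv, tag, ctx),
        "observer_sees_tag": is_tag(observer_priv, tag, ctx),
        "station_flags_plain_nonce": is_tag(station_priv, plain_nonce, ctx),
    }


if __name__ == "__main__":
    print(demo())
```

In this toy the group element is not a perfectly uniform bit string (its top bit is always zero), so a real design has to take extra care that the field is statistically indistinguishable from an ordinary nonce.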

Re:How can this work? (1)

elFisico (877213) | more than 2 years ago | (#36965074)

OK, but is it possible to corrupt the side-channel message by changing a few bits that are normally not used?

Paper Tape (1)

theshowmecanuck (703852) | more than 2 years ago | (#36962892)

They might not have the right type of paper tape [wikipedia.org]. You can always encrypt the hole patterns in the paper tape if they do. At least if you are talking about the Telex [wikipedia.org] that I and most of the rest of the world talk about when we use the word 'Telex'.

When I read TELEX (0)

Anonymous Coward | more than 2 years ago | (#36961530)

I thought this was an article about the old terminal program for calling BBSs.

Re:When I read TELEX (1)

1s44c (552956) | more than 2 years ago | (#36961734)

That's Telix, not telex.

Minimal benefit (0)

Anonymous Coward | more than 2 years ago | (#36961672)

The traffic is secure but the destination is not, benefit is minimal.

Can't the oppressive regime modify and install some of these routers themselves and use them to figure out who is trying to access "banned" websites? Sure, they might not be able to read the communication itself, but simply going to a banned website is generally enough to find yourself in prison.

These telex routers might help things along, but they don't solve the problem.

Also, this assumes that encryption is even allowed in the first place. Simply sending traffic with SSL in some places might get you arrested, even if you're not visiting a banned website. Remember when RIM was going to be kicked out of Saudi Arabia until they agreed to give the government the ability to decrypt every transmission over their network?

Slashdot regular contributor? (0)

Anonymous Coward | more than 2 years ago | (#36961748)

Please. The correct phrase is Frequent Slashdot contributor [google.co.uk] Bennett Haselton.

Telex? Couldn't think of a better name? (3, Informative)

Bill_the_Engineer (772575) | more than 2 years ago | (#36961786)

Seriously, Telex is not only a brand name of communications equipment, but it's also the name of a very old and still used protocol.

Re:Telex? Couldn't think of a better name? (0)

Anonymous Coward | more than 2 years ago | (#36962134)

Are you sure you don't mean Teletex?

Re:Telex? Couldn't think of a better name? (1)

Xocet_00 (635069) | more than 2 years ago | (#36962154)

He might also mean the old DOS BBS client called Telix.

Re:Telex? Couldn't think of a better name? (1)

OverlordQ (264228) | more than 2 years ago | (#36962242)

Are you sure you don't mean Teletex?

No, Telex [wikipedia.org] . From the intro blurb for Teletex: Not to be confused with Telex or Teletext.

Re:Telex? Couldn't think of a better name? (0)

Anonymous Coward | more than 2 years ago | (#36962342)

That's the hardware, not a protocol.

Re:Telex? Couldn't think of a better name? (1)

subk (551165) | more than 2 years ago | (#36965154)

No, Telex [wikipedia.org]

Still the wrong Telex. I think he meant Telex [telex.com]

Re:Telex? Couldn't think of a better name? (0)

Anonymous Coward | more than 2 years ago | (#36962422)

And now I have to find Radiohead's The Bends.

mod Mup (-1)

Anonymous Coward | more than 2 years ago | (#36961810)

Telex (1)

Osgeld (1900440) | more than 2 years ago | (#36961892)

Has survived for decades and still lingers on today in special situations, thanks

new Telex() (3, Funny)

MacGyver2210 (1053110) | more than 2 years ago | (#36961928)

Error: Symbol 'Telex' already defined.

would work? (1)

nedlohs (1335013) | more than 2 years ago | (#36962138)

Yeah right, after all that huge effort to get ISPs in various places to spend money installing something their own customers don't use, the censoring government just acquires that hardware themselves and drops everything that it detects having "telex" crap in it (and sends the thugs to kick down the door of the guy sending the request).

Re:would work? (0)

Anonymous Coward | more than 2 years ago | (#36968348)

You don't understand the internet or this article. The censoring government would have to do the same thing to all sections of the internet that have telex routers.

Re:would work? (1)

nedlohs (1335013) | more than 2 years ago | (#36968674)

No it wouldn't. If the telex box does its stuff - easily observable by looking at the incoming and outgoing traffic to it - then you kill that session and send the thugs.

Telex will not work in the US (1)

cjcela (1539859) | more than 2 years ago | (#36962288)

It may work in other places where the government has no power over the ISPs, but in the US of A, as of yesterday, your online activity is recorded with the help of the ISPs, so good luck trusting you can anonymously do anything online, even if they tell you it is safe. I just do not think there is any political will to enable this type of system. It is not much better in other countries. This really hurts; the US used to be a bastion of personal freedoms, but lately, the government seems to be against its own citizens on this.

Re:Telex will not work in the US (1)

ferrouswheel (903210) | more than 2 years ago | (#36968368)

Yes it will. US citizens just need to access sites in a country with a high density of Telex capable routers.

Who will build that router? (1)

Phaeilo (1851394) | more than 2 years ago | (#36962444)

So you want a router on level 7 that does asymmetric crypto on every client_hello that's passing by. Even if such a machine existed and the border ISPs were compensated for additional costs caused by it, I doubt they'd put up with it. Traditional technologies like TOR or VPNs are already available and seem a lot less insane than "Telex".

Bennett Haselton (0)

Hognoxious (631665) | more than 2 years ago | (#36962722)

Bennett Haselton

Supplying finest chutneys, jams and marmalades to the discerning gourmand since 1853.

Ask for it by name. Accept no substitute!

Re:Bennett Haselton (1)

RespekMyAthorati (798091) | more than 2 years ago | (#36967098)

I don't get it.

Re:Bennett Haselton (0)

Anonymous Coward | more than 2 years ago | (#37006476)

I guess the point is that 'Bennett Haselton' is a funny name. It sounds like an investment bank or a line of preppy clothing.

Problem with using SSL (0)

Anonymous Coward | more than 2 years ago | (#36962852)

As I remember from the election days in Iran, they used to delay routing SSL packets to make those who use proxies hidden under https miserable. This won't work because once they realize you have a successful path out of censorship using SSL, they will block SSL all along or use custom SSL certificate roots (which users should use because basically that's their only option). As long as you are using their pipes, there won't be a (successful) way out of their censorship.

Is Telex business? (1)

xnpu (963139) | more than 2 years ago | (#36962962)

Proxies and VPNs are businesses. They make a profit. Our VPN and that of our closest competitors alone serve 100.000+ users in censored countries. This is quite an incentive to keep things running, and cost really isn't an issue. At all.

Who will pay for Telex?

Fighting censorship (0)

Anonymous Coward | more than 2 years ago | (#36963058)

This does not really fight censorship. Sure, it prevents third parties from being able to censor what goes through the system, like communications out of Syria for example, but it puts control of those communications into the hands of those that control the Telex system which is the ISPs and the makers of Telex. There is nothing to prevent them from censoring, or from altering the data, or simply using it as a way to track you.

If you are a reporter trying to get a story out from behind a warzone, then yes, I would recommend such a system, otherwise, stay away from it.

Don't forget who runs the country (1)

xnpu (963139) | more than 2 years ago | (#36963082)

There's no reason why these governments wouldn't require all traffic to go through a "transparent proxy". All they have to do is make a government CA in your browser mandatory (which many have already actually) and re-encrypt all connections while filtering them. Without it your connection simply gets blocked. Yes this costs a lot of resources but you're talking about something that would receive military-style budgets given its purpose. In the end it's Cisco eating two sides of the pie and everybody else just wasting more money.

Let's try it (1)

hey (83763) | more than 2 years ago | (#36963674)

Maybe there are some billionaires out there who want to throw a few bucks at this? BillG, RichardB?

Simple answer (0)

Anonymous Coward | more than 2 years ago | (#36964222)

"If any backbone provider (or government entity) wanted to go to that trouble to support the cause of fighting Internet censorship, why wouldn't it be much more straightforward for them to just set up proxy websites themselves?"

The answer to this question is simple: the government won't set up proxies because proxies are trivially detected and blacklisted via automated scanning and DPI. China banned the entire Tor network in a day and has 24 hour response time on new "stealth" Tor nodes. Even if you spun up a million proxies in a day, DPI would find them all on the first request and add them to the blacklist. The next generation censorship technologies sold to China by Cisco have effectively removed proxies as a viable technique.

"Telex", on the other hand, unless it can be detected by scanning (and this is a key to-be-researched point), forces a censorship regime to choose between an entire routing path and censorship. Say, for instance, it was installed at the single transatlantic cable that pops out of the Pacific in San Francisco. China would have to make a choice between allowing access to any site in America and censoring their people. They would be forced to turn off the entire link. That is a HUGE impact for a modest technology.

The final mistake in this essay is the cost estimate of 100 million dollars. Look how much NSA spent installing a full tap in the same NAP where this cable enters SF. You could do this for 100k - and the reasons why escape the author, and the minimal importance of this post.

I will say however that the failure to grok displayed here is hilarious.

Just use Steganography (1)

FlyingGuy (989135) | more than 2 years ago | (#36964408)

It is all explained here [wikipedia.org] .

A simple solution (0)

Anonymous Coward | more than 2 years ago | (#36965336)

In the future all websites will be licensed. This allows the government to yank the site license whenever the holders break a law (or for any other reason they can think of). Everyone else won't care because they don't have a web site. Win/Win!

Well this is great and all but (1)

bedouin (248624) | more than 2 years ago | (#36966410)

. . . it doesn't help when the entire country has an Internet kill switch. The average teenager in a country who needs this has been dodging filtering since middle school; political activists have been keen to alternatives for years. Blocking Facebook and Twitter in Egypt taught the entire nation about Tor.

The people who really need and want unfiltered content know how to get it. I'd rather see work on wireless meshes and other alternatives, that will benefit everyone including the US as it becomes a more fascist state than it already is.

This guy is biased and this article is a troll (2)

LS (57954) | more than 2 years ago | (#36968522)

As someone living and working in China, I can tell you that Bennett Haselton's site http://peacefire.org/circumventor/ [peacefire.org] is currently unreachable in China.

Once I use my personal proxy to get to his site, we find a link to a "Circumventor" site, http://www.mousematrix.com/ [mousematrix.com] . But after clicking the MouseMatrix link, it redirects to http://www.stupidcensorship.com/ [stupidcensorship.com] , which has the following message:

This IP address range has been blocked from accessing our server due to abusive traffic.

If you are a human who has been using our website, then you personally are probably not the reason that this IP address range got banned, so please send an email to bennett (at) peacefire.org with the subject line 'allow access', and include your IP address: 221.220.52.152

Sorry for the inconvenience and hopefully we can restore your access soon!

Now THAT makes a lot of sense. Block Chinese IPs from using your proxy service.

I think this guy is just an ignorant hater. Who is he? He has no technical background, and his ego is hurt when someone with an actual working solution comes along. He claims that proxies work, but they don't, not even his own. You can put thousands out there, but there are tens of thousands of people in China working for the GFW that can block them all, and that is the status quo.

Please don't give this guy any more time and front page space.

LS

Why Telex is Safer than Proxies (1)

Karger (259348) | more than 2 years ago | (#36969154)

I don't think Telex is the right approach, but it offers one important benefit over the proxy approach: deniability. It may be true that regimes don't block all proxies. But if they decide to check up on you, they can see that you are using one of the censorship evasion proxies and punish you. With Telex, it appears that you are communicating with a legitimate web site; the only way to know otherwise is to crack the encryption and see that there's a message intended for Telex.

Getting help from ISPs isn't the only way to accomplish that. For example, if you could convince major players on the internet to run Telex-like systems _on their own machines_, then a user would have deniability because they could claim they were using the legitimate services on those machines. E.g. this might be a nice thing to put Google's 900,000 servers [slashdot.org] to work on, and would be a nice payback for last year's China hacking scandal [wired.com]. Or something that all American universities could do in the name of free speech. The obvious way to block such a system would be to block the hosting site, but that may force the censor to cut off access to useful material (e.g. the teaching content on American university sites).

But it doesn't stop there; a censor could set up an SSL proxy and force all https traffic through it, which would allow them to decrypt any communication and look for suspicious side-requests. That's why we built a system [usenix.org] a few years ago that disguises the subversive request in plain sight as a sequence of standard web browsing requests (and hides the response in images), without relying on SSL at all.
