Researchers Debut Proxy-Less Anonymity Service 116
Trailrunner7 writes "As state-level censorship continues to grow in various countries around the globe in response to political dissent and social change, researchers have begun looking for news ways to help Web users get around these restrictions. Now, a group of university researchers has developed an experimental system called Telex that replaces the typical proxy architecture with a scheme that hides the fact that the users are even trying to communicate at all."
Subject-Verb Agreement (Score:2, Funny)
Re: (Score:2)
"news ways" too. The typos are straight from TFA though.
Re: (Score:3)
Re:Subject-Verb Agreement (Score:5, Funny)
Re: (Score:2)
It's a quote. You are not obligated to correct it, and if you do, you must signify that you've done so.
Re: (Score:3, Informative)
That is why the [sic] notation exists, though, to make sure your pedantic readers know that it wasn't your screw-up.
Re: (Score:1)
Can I just do this to completely abdicate responsibility for my own grammar?
[sic]The following words are grammatically and syntactically flawless[/sic]
Re: (Score:1, Flamebait)
These grammar Nazis all really wanted to be secretaries, so they could sit on the bosses lap and play with his Dictaphone!
Re: (Score:1)
Um. excuse me? (Score:5, Insightful)
The key innovation in Telex is that it uses "stations" installed at ISPs to recognize and reroute specially tagged requests from clients trying to reach censored sites.
Oh, right... We can fully expect our friendly ISPs to go along with this nice, convenient fully centralized 'service'... Pleeeze
Re: (Score:1)
Re:Um. excuse me? (Score:5, Insightful)
Even if they went along with this "service", all it takes is one of the Four Horsemen of the Infoclypse (as Tim May put it) to rear their ugly heads through the connection, and the ISP will either stop running the station, or make sure they have thorough logging.
Re:Um. excuse me? (Score:5, Interesting)
Re: (Score:2)
True, but the traffic has to come from somewhere outgoing, and pretty much the ISP will be in hot water unless they have some address to cough up, be it a node previous in the chain, or an actual person. Same problem happens with TOR exit nodes, which is why there are so relatively few of them.
Re: (Score:2)
This is not a solution for anonymity like TOR at all. In fact, I don't see it providing anonymity as a goal. To say that it is providing it is extremely misleading and I can understand why a lot of people are ripping it apart.
However, this is a fairly good idea. You just have to limit the scope of this to HTTPS requests that come from countries which engage in censorship. So while it is not for American or EU citizens to use for anonymity, it could be quite useful to Pakistan, China, Australia, etc.
Even
Re: (Score:1)
> This is not a solution for anonymity like TOR at all. In fact, I don't see it providing anonymity as a goal. To say
> that it is providing it is extremely misleading and I can understand why a lot of people are ripping it apart.
Read his post again - that's not what he was saying.
Re: (Score:2)
But will any ISP implement the Telex system?
1) it needs to change their network to route the HTTPS request to pass through the "stations"
2) if the ISP is discovered, it's very likely that it would be blocked by the censoring governement.
IMHO a good idea would be first to implement "Telexed website": it can be blocked as any website, but at least users who would use the Telex-proxy of the website would be "anonymous"(*) among the normal users of the website.
This "stealthiness" is a big advantage of "Telexed
Re: (Score:1)
From what I've seen, two ponies and a small dog would probably be enough.
Re: (Score:2, Funny)
Four Horsemen of the Infoclypse (as Tim May put it)
The 90's called: they want their paranoid meme back.
Re: (Score:2)
drug-dealers: http://www.tsa.gov/press/happenings/seattle_drug_bust.shtm/ [tsa.gov]
money-launderers: http://www.techdirt.com/articles/20110605/22322814558/senator-schumer-says-bitcoin-is-money-laundering.shtml/ [techdirt.com]
terrorists: http://blog.tsa.gov/2010/11/new-tsa-pat-down-procedures.html/ [tsa.gov]
pedophiles: http://news.cnet.com/8301-31921_3-20078653-281/police-internet-providers-must-keep-user-logs/ [cnet.com]
These are all from this decade. It may be an old meme but it is still relevant.
Re: (Score:2)
The 1950'ies called, they want their teleprinter network back. http://en.wikipedia.org/wiki/Telex [wikipedia.org]
Re: (Score:2)
yes, it *is* a proxy.
The innovation is the method of disguising the fact they you are using a proxy and removing the need for the user to manage access to the proxy.
Re: (Score:2)
What's the freaking point of all this just to avoid using proxy? At least you can mask the purpose of a proxy. This is advertising only 1 purpose.
Re: (Score:2)
Oh, right... We can fully expect our friendly ISPs to go along with this nice, convenient fully centralized 'service'... Pleeeze
Worse than that, the ISPs would have to perform deep packet analysis and attempt decryption on every HTTPS connection going though their core routers. Any design that depends on increasing CPU load on core routers by at least an order of magnitude just isn't going to work.
Also the system relies on ISPs, many of them, keeping the magic private key secret from whoever the censor is. That's much too risky to bet your freedom on.
Re: (Score:2)
They even put this punchline on their website:
The main idea behind Telex is to place anticensorship technology into the Internet's core network infrastructure, through cooperation from large ISPs.
BWAHAHAHA!
Re: (Score:2)
They even put this punchline on their website:
The main idea behind Telex is to place anticensorship technology into the Internet's core network infrastructure, through cooperation from large ISPs.
BWAHAHAHA!
... though massive expenditure on new equipment by large ISPs ...
BWAHAHAHA Indeed, this can't work.
Bad assumption (Score:4, Interesting)
The bad assumption is that government controlled ISPs in said censored nations won't make their own Telex nodes and just intercept traffic before it reaches the web at large. The really bad assumption is that other ISPs between the end user and the fake destination will have Telex nodes to do the dirty work. This method seems to be screaming MITM me.
Re:Bad assumption (Score:5, Interesting)
I don't think just any node could interpret the message. It would be built specifically for the node they are using. It also doesn't imply anything about not using other security. The telex message could be (and probably should be) an encrypted communication, so the telex node would just know where it's going, not what it means.
Basically, all this does is allow any website to act as a proxy without being obvious that they're a proxy. It's an interesting idea, but I don't think it has any chance of working. Governments will identify possible nodes through either technological means or just good old "social engineering" (snitches) and simply shut off all access to those sites. Or they'll take it a step further and restrict all sites except for a whitelist.
Re: (Score:2)
That was my first thought too, but I think the fact that they use https connections to real websites, and that the boxes use a private key, should mean that the government box wouldn't work unless they got access to the private key. I'm still not sure if it would work well in practice, but at least this aspect shouldn't be a problem.
Re: (Score:2)
or they could be like most governments and have a trusted signing CA and just be a MITM for the SSL traffic.
Re: (Score:2)
A different way to look at the assumption is, the guys who will be making and maintaining "telex" nodes will not sell them to any Government or ISP that censors the internet.
And the telex client software will change the public keys used to sign the encrypted requests periodically via some update mechanism. This will ensure that ISPs that had claimed to be anti-censorship earlier to get hold of telex boxes with private keys can not turn on their censor filters later and use the old telex boxes to intercept t
Re: (Score:2)
A different way to look at the assumption is, the guys who will be making and maintaining "telex" nodes will not sell them to any Government or ISP that censors the internet.
So I can't make a telex node -- some other guy has to do it? And if I can make a telex node, my unfavoritest governments can make thousands of them.
Re: (Score:2)
> the guys who will be making and maintaining "telex" nodes will not sell them to any Government or ISP that censors the internet.
That won't work unless they also make it against their Usage Policy for totalitarian governments to use a third-party to purchase a "telex" node. Then it will be safe.
Re: (Score:1)
The idea is that the ISP providing the service is in a friendly country that hates censorship. They can connect to any website that goes through that ISP to use the Telex service.
"Telex" is old and still around. (Score:2)
I remember Telex ads from when I was a kid. Lo and behold, Telex is actually still around. [wikipedia.org]
Re: (Score:2)
Yep, the old 910 NPA.
Re: (Score:1)
Funny, the Wikipedia article also mentions TOR (Telex-on-Radio in this case).
Re: (Score:2)
That and my first Windows-based dial-up client was called Telex. Trademark Infringement? ;-)
Re: (Score:2)
Mod myself as parent down... My first *DOS*-based Dial-Up client. DOH!
Re: (Score:2)
That and my first Windows-based dial-up client was called Telex. Trademark Infringement? ;-)
No, it was probably called Telix
http://en.wikipedia.org/wiki/Telix [wikipedia.org]
If I recall correctly, its primary claim to fame in the 80s was having both a decent zmodem download client built in, and zmodem autostart. Also I liked its phonebook menu, which neatly held all the BBSes I called. And it had a nice redialer.
It was pretty much the ideal terminal program in the pre-windows era.
Procomm was about as good, and had a nicer scripting language, but they wanted a huge amount of money for it.
Re: (Score:2)
Which the unix program minicom is closely based upon.
Re: (Score:2)
Digging down into the links on the discussion page of that article:
Apparently in some countries Telex has a legal status that other communications don't neccesarily have. I'm guessing it's been judged to be evidence of a contract since it is reasonably well authenticated.
eg: "We sent you a Telex ordering N tons of commodity Y by date X and received a confirmation from you." would be admissible in court as a signed contract.
i stopped reading after that (Score:2)
although i am probably missing something.... but uhm. relying on your ISP to shield you from this stuff seems pointless.
Re: (Score:2)
In other news (Score:2)
Today a civil liberties advocate announced his invention of a police brutality reporting system, consisting of a special data recorder carried by police officers.
Re: (Score:2)
The key innovation is that those ISPs are expected to perform deep packet analysis and decryption on every HTTPS connection passing though them.
The costs in router upgrades would be incredible if this is even possible at all.
all we have to do (Score:2)
is install magic boxes in the same ISP that is cutting off information
and add on the fact that telex is a commercial service still in use and there you have it ... effin brilliant scheme guys
Re: (Score:3)
Not the same ISPs. ANY ISP that is on the traceroute to uncensored websites allowing https.
And the local ISP won't even know there is anything special with the network traffic as this uses public steganography in encrypted data streams.
Only somebody who has the private key can know the data are "special". So the only remaining attacks on this are:
- steal a private key from a trusted organization
- spoof a private key (Bad people can create the "TRUSTME" service, get people to trust it and spy on them)
- block
Re: (Score:3)
Not the same ISPs. ANY ISP that is on the traceroute to uncensored websites allowing https.
One of the ideas of the Internet is that routing can change at a moment's notice to "route around failures". The traceroute you run now may have a different result than one you ran a minute ago.
In other words, the packet you send to site A can travel over any route between you and A, and it will not necessarily always go through Telex site B.
Now, the packets that Telex site B send to Censored site C on your behalf will get through because it doesn't matter what route you used to get to B, B is talking t
Proxy-less (Score:5, Insightful)
Okay, so we rename the proxy a "station" and now we can call it proxy-less?
Re: (Score:2)
No. The names are not important but the difference is that anyone sniffing your traffic can't tell you are communicating with a 'station' at all.
Read the article, it's quite interesting and pretty short. It's also quite impossible due to cost and cooperation issues.
Re: (Score:2)
> Okay, so we rename the proxy a "station" and now we can call it proxy-less?
They should have named these stations "hidden proxy", because the difference between these "stations" and normal proxys is that users don't have to connect to a proxy IP address as the "Telex ISPs" redirect all the HTTPS connexions requests through these "Telex stations".
It becomes much more difficult for the censoring government to detect who is trying to escape the censorship..
Looks like port knocking to me, just with params (Score:3)
It would be easier to configure a web service which recognized X keyword searches from the same session to convert the session to a port forwarding ssh session to an appropriate proxy.
( google search on book, monkey, tuesday, and blue gets you ssh forwarded to privoxy.com, etc. )
your https connection stays to the main site, & it just forwards the data .
Re: (Score:2)
isn't this just data masquerading? you'd still see bytes flowing, so how is it better than vpn or whatever?
Re: (Score:2)
vpn requires local software / possibly alternate ports to initiate.
Proxies do not require local software, but have central points that can be blocked.
better method would be to have simple looking sites have "backdoors" that could be used to exit normal mode, and establish new session with hidden services.
Re: (Score:2)
The difference is that it would not be dependent on the end point site supporting it (in which case the end point site would simply be blocked for supporting it). Instead, it moves the redirect down a level and makes it blend in with a normal HTTPS connection. When it passes over a Telex enabled router, it gets changed out and redirected. The primary problem I see with the system is that all a censor has to do is get the magic box on their own routers and suddenly they can see the traffic and tell where
Friendly countries (Score:3)
Telex? (Score:2)
What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?
Re: (Score:3)
What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?
The point is to signal that they're noobs hence not to be trusted with sensitive traffic.
I've got an idea, how about freenet and/or i2p? That might work. With namecoins for domain registration? Naah I'll never get that past the NiH filter.
My favorite part about freenet and i2p is "recently" at least on headless linux boxes, they could be installed together, but having made the mistake of being implemented in Java, one sort-required a very specific version of the official sun JRE and the other required an
Re: (Score:2)
What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?
I think that this answers your question (from TFS)
a scheme that hides the fact that the users is even trying to communicate at all.
Re:Telex? (Score:4, Funny)
What's the point of naming it Telex [wikipedia.org]? ...
I think you might have missed the point. The freedom-friendly ISP routes the connection across the near-defunct Telex network, and therefore bypasses censorship.
Of course, the websites you browse only display upper-case characters and EBCDIC Art graphics.
Re: (Score:2)
What's the point of naming it Telex [wikipedia.org]? ...
I think you might have missed the point. The freedom-friendly ISP routes the connection across the near-defunct Telex network, and therefore bypasses censorship.
Of course, the websites you browse only display upper-case characters and EBCDIC Art graphics.
Arbitrary data can be encapsulated so that it can traverse limited character bottlenecks like this. I believe UUENCODE/UUDECODE does this.
Re: (Score:2)
Arbitrary data can be encapsulated so that it can traverse limited character bottlenecks like this. I believe UUENCODE/UUDECODE does this.
And sensitive or private data can be ROT13'd before or after UUENCODEing it (or both, for twice the protection!)
Telex? (Score:2)
I used to send my FX orders to Sydney, Tokyo and Sing by telex. You mean its made a come back? The new stealth: 110 baud!
A New, Better Scheme (Score:1)
I, Anonymous Coward, hereby debut my own, better scheme:
Each user utilizing this privacy filter simply asks their ISP, government, mail provider, OS manufacturer, neighbor, IT admin, etc. not to track them!
It's as simple as that!
Re: (Score:2)
Why yes! Ingenious!
Most importantly we already have the (theoretical) framework in place - RFC 3514 [ietf.org] - it only needs minor extension with "PLZ_ANON" bit .
Re: (Score:2)
Ah, the FTC approach!
What prevents... (Score:1)
The offending government from loading Telex, harvesting the end points and blocking those?
Re: (Score:2)
The government's telex station can't detect the telex communication unless they also happen to have the private key from the intended Telex station.
This is actually pretty clever, assuming it works. I'm always suspicious of anything that depends on stenography.
Re: (Score:2)
don't be dissing the paper tape! that saved a lot of re-typing!
Taco, whassa mattah wit you? (Score:4, Insightful)
As state-level censorship continues to grow..
FTA: Widespread ISP deployment might require incentives from governments.
Can you see the little flaw in this whole concept yet?
Re: (Score:1)
If there was One World Government, then yes. As it is, governments such as the United States have an interest in foiling the censorship efforts of other governments such as Iran or China. Thus, key state support to circumvent state-level censorship is hardly unreasonable, at least for a fairly large subset of state-level censorship that's out there.
Re: (Score:2)
So the Chinese would rely on US ISPs to read about Tiananmen Square, and Americans would rely on Chinese ISPs to find streams of sporting events?
Re: (Score:2)
Other governments, I assume. The Internet is worldwide.
Not really proxy-less (Score:1)
If you have to have something running which will reroute the packets, isn't that effectively a proxy? This is just a different way of accessing the proxy. Not only that but the proxy needs to be running in the network path for the packet, when the routing isn't even guaranteed to be always the same. Would this even work outside a lab?
Uh-huh... Riiight.... (Score:2)
And I also would like to sell you this bridge I recently acquired in Brooklyn. It's totally not the right time for me to be owning a bridge.
But seriously, who is going to trust this system? It creates an enormous incentive for intelligence agencies to infiltrate as many major ISPs as they have to in order to capture the traffic and/or compromise the keys--if they haven't already infiltrated the project to parallel develop a compromised version of the product that feeds the keys straight to the CIA so that t
Re: (Score:2)
firewall rule would block this easily (Score:2)
Host Request -> some site
---other telex site responds
request dest dns host range ! = remote site range
**blocked**
If only HTTPS could be blocked... (Score:2)
... oh wait.
Re: (Score:2)
Not. Gonna. Happen.
Re: (Score:2)
In the West, certainly not. In China or Iran, however, I could see the government banning encrypted traffic. I'm a bit surprised they haven't already. At the very least, ban HTTPS and replace it with some other cryptosystem to which they hold the keys. It prevents them from foreign logins, but I thought they'd be OK with that.
Security of Anonymity (Score:1)
This is absolutely idiotic. (Score:2)
Idiotic in all possible ways -- the purpose, the name, the method, the announcement, and the results of application.
Umm, how does this work? (Score:2)
You're inside of an HTTPS connection and send spooky data that somehow this Telex box can see. How exactly can the Telex box see inside the HTTPS secured connection if the connection is supposed to be secured to this bogus back-end web site that's benign and not aware of the goofy stuff? Is this SSL connection somehow different than a normal one to these web sites and if so would that possibly make it stand out?
Crypto nerds (Score:2)
Crypto nerds are like hippies but without that strong grasp of the realities of this world.
This "idea" relies on the fact that internet traffic is routed through several places on its way. They idea is that on one of these ways, the traffic will be read and if a magic bit is detected, it will re-route this traffic to somewhere else, making it possible to do a request for google.com with a magic bit set (which I can only presume is some magic bit that won't be bloody obvious for not fitting in the very well
Bogus (Score:2)
What an overly complex bogus system. It will require tons of ISP's to cooperate to get this to work. We might as well install an SSL proxy at the border and tell the Chinese the whole world is reachable over the proxy IP only. Take it or leave it.
Year after year we see all these awesome developments which probably cost a ton but I've never heard of one really taking off. Meanwhile the Chinese are simply using commercial VPN providers or brewing their own on $3/month VPS servers.
TSA (and MAFIAA) must be drooling over this... (Score:2)
Imagine...a significant portion of the people trying to avoid monitoring of their online activities getting routed automatically through your very own Telex "station" to your own poisoned 'proxy' service, allowing full monitoring of traffic that the end user thinks is secure...
Really, there seems to be no way for the end user to verify that the Telex "station" that reroutes their request is legitimate. So instead of using peer-verified, trusted proxies, they cast their dirty laundry out on the interwebs an
Easy way to control this (Score:2)
Re: (Score:1)