Forgot your password?
typodupeerror

Telex Would Work, But Is It Overkill? 92

Posted by CmdrTaco
from the kill-it-again dept.
Slashdot regular contributor Bennett Haselton wrote in this week to say that "The proposed "Telex" anti-censorship system could technically work, but unless I'm missing something, it would more cost-effective to spend the same resources on fighting censorship using existing technologies." His essay on the subject follows.

Professor Alex Halderman published a paper in July describing a new anti-censorship system called Telex, whereby users in censored countries could request banned websites by sending an encrypted request to an SSL-enabled website (i.e., a Web address beginning with https://) outside of their country -- even if the owner of the SSL-enabled website is not participating in the scheme. Since encrypted communications usually contain some random variation, that random variation can be used to embed hidden messages, which can then be decoded by any third-party observer who intercepts the communication and knows how to decode the hidden message. The third-party observer still cannot decode the original encrypted communication between the end user and the SSL-enabled website -- SSL is designed to be unbreakable by all but the intended recipient -- but the observer can decode the "side message" that was designed to be intercepted in transit. So a Telex-enabled router, in the process of passing the communication along, would notice the hidden request for a banned website, and pass the requested content back to the original user.

By analogy, suppose Mrs. Smith wants to send a letter to a friend. Mrs. Smith knows the letter will be sealed, and supposedly unopenable by the postman. But Mrs. Smith also has many choices of colored envelopes to use, and she has agreed with the postman on a color-coded system -- red for "Meet me tonight at the Motel 6", blue for "Not tonight, he suspects something" -- that the postman can "decode" when he picks up the envelope for delivery. The choice of envelope color is the "random variation" inherent in the sending of the message, which the message sender can use to send a "side message" to anyone who passes it along and who knows the system. The postman -- who is analogous to the Telex-enabled router -- has no access to the original sealed message inside the envelope, but he understands the side message just fine. (A Telex user may have no control over what routers their messages pass through, though, so they simply have to hope that there are enough Telex-enabled routers on the Internet that one of them will pick up the message and decode it. Imagine many different amorous mail carriers in the Postal Service, and any one of them who finds the colored envelope will be happy to show up at the appointed time, if Mrs. Smith is not picky.)

The novel feature of Telex is that it would not require the cooperation of the owner of the SSL-enabled website in order to work. You could send an encrypted communication to any website -- https://www.paypal.com/ for example -- and any Telex-enabled routers along the pathway traveled by the connection, would be able to decode the embedded message hidden in the randomness of the encryption. By contrast, for a user to make use of a typical proxy website like Vtunnel, the owner of the Vtunnel website has to set up the site as a proxy; this means the supply of such sites is limited to those websites whose owners have installed proxy software, and the censors have a greater chance of finding and blocking them all. Telex, on the other hand, would continue to work as long as the user in the censored country was able to access any SSL-enabled website, as long as their request happened to pass through a Telex-enabled router.

So far, so good. But this would presumably require an investment of at least several million dollars by any major backbone provider who wanted to try it, by re-configuring their major routers to speak the Telex protocol, and then potentially hundreds of millions of dollars for a sustained long-term effort. (As Halderman says, "We like to envision this technology as a possible government-level response to government-level censorship.") So here's my question: If any backbone provider (or government entity) wanted to go to that trouble to support the cause of fighting Internet censorship, why wouldn't it be much more straightforward for them to just set up proxy websites themselves?

Professor Halderman didn't respond to my inquiry on that point. The Telex FAQ notes that censorious governments can easily block new proxy sites once they find out about them. But in many censored countries, most proxy sites are not blocked, either because the government isn't trying, or they can't keep up. In China, hardly any proxy sites are blocked at all, as the government seems to put more of their resources into suppressing local dissent directly. Meanwhile in Iran, the censors do put more resources into actually blocking proxy sites -- but because Iran is on the U.S. State Department's embargo list, Iranian censors can't buy Internet censoring software from U.S. companies, so they have to find and block the sites themselves. As a result, newly released proxy sites often stay unblocked longer in Iran than they do in other Middle Eastern countries that use U.S.-made blocking software. Meanwhile, Saudi Arabia, for whatever reason, doesn't seem to block proxy sites at all for the time being. (Saudi Arabia is a strange outlier, since most conservative Islamic countries that filter the Web, also block proxy sites as well. It's not clear why Saudi Arabia doesn't.) So if a government or a philanthropist wants to help the cause of fighting censorship, just set up some proxy sites and pay to keep them running -- and you'll be helping the residents of all of those countries right away, for starters. This is in fact what Voice of America (through their various proxy programs) and the founders of UltraSurf (a privately funded network of anti-censorship servers) have been doing all along.

Even in the case of countries like U.A.E. and Yemen that are reasonably quick at finding and blocking proxy sites (as a result of using Western-made blocking software), the most cost-effective way to help these users is probably to set up more proxy sites, hosted at different locations and with perhaps with legitimate-looking "decoy" content, so that U.S. censorware companies can't keep up. My experience has been that the more money you spend (using unique IP addresses, buying .com domains instead of cheap .info ones, and setting up lots of proxies so that each one is sent to only a subset of your target audience), the longer the proxy sites last. You can also use proxy-like services (such as Tor, Hotspot Shield and UltraSurf) to route traffic through dedicated servers, to circumvent censorship in a way that is more transparent and convenient to the end user.

In short, existing proxy sites (and proxy-like services) do the job pretty well for many censored countries, and a massive cash expenditure on setting up more proxies (equivalent to the cost of setting up the Telex system) would probably be enough to demolish all other national filtering schemes completely. The software and tools to run proxy sites have already been tried and tested; all it takes to run them is money. Telex, by contrast, would require backbone providers to alter the architecture of their systems -- which means large-scale testing, isolation of any problems that arise, and countless other potential headaches. And that's not even counting the fact that censorious countries might detect which backbone providers are using Telex, and block all traffic from their countries to any sites hosted on those networks.

So I think Telex is a brilliant technical achievement, and I'd be happy if it got deployed, but I'd be scratching my head as to why the backbone providers (or the government, or whoever sponsored the effort) decided to kill a gnat with a flamethrower. I deal in flyswatters for a living, and they get the job done.

This discussion has been archived. No new comments can be posted.

Telex Would Work, But Is It Overkill?

Comments Filter:
  • Telex [wikipedia.org] is already defined...find another name.

    • Came here to say this. Reusing names within the same field is fail. If you cannot be bothered to google a term to make sure it is relatively unused, you are lazy. When you work in electronics, computers or communication and don't even realize there is a protocol called Telex already....
      It would be like someone say I have a great idea for a computer. We shall name it UNIVAC...
      • It would be like someone say I have a great idea for a computer. We shall name it UNIVAC...

        Great idea!

      • Or, perhaps, I want to make a new operating system that can run multiple copies of Unix. Though I want the name to mean something other than just a play on Unix. I'll change the last couple of letters and call it Multics for "Multiple Computer Servers"...
    • by Marillion (33728)
      There is an old tradition of airport telex machines (still in use today) being used to communicate with the outside world in the days before the Internet. Just before a massive crackdown, dictators would shutdown all phone lines going out of the country but overlook the airport telex circuits.
  • What is hindering the oppressive regime to install its own telex-routers at the boundaries and filter out all telex-requests? Or, to use the analogy: why shouldn't the regime just block all coloured envelopes?

    • The theory, I'm assuming, is that by building the side-channel into SSL interactions with neutral parties, they are making it much harder to block the side-channel without also blocking a great deal of "legitimate" activity that the regime would find useful.

      Banking, commerce, the sort of stuff that induces the regime to not just block the whole damn internet. By doing that, instead of using a custom protocol, or using an SSLed connection to welovedissidentsinothercountries.us, both of which would be pitif
      • But if the Telex routers can detect the side message without breaking the SSL encryption, why couldn't the government routers?

        In fact, why couldn't the government install Telex routers in every ISP they control, but modify the software to drop instead of forwarding the requests?

        • by AJH16 (940784)

          This was exactly my question as well. It relies on an uninvolved party being able to recognize and redirect the request which would seem to render the entire system useless if the censor can get access to a router that recognizes the data to be forwarded. It could then be stripped or blocked. I've yet to hear a good explanation of how the system is supposed to avoid this issue.

    • by Baloroth (2370816)

      Exactly. The message has to be freely readable by any Telex routers, so presumably it has to be a fairly well known and distributed system (you can't just communicate with one router, since you don't know exactly how it'll be routed). Ideally, you could prevent the sale of Telex routers to that country, which might slow it down a bit, and presumably using the wonders of asymmetrical crypto the user software wouldn't be enough to decode the routing message. So it could work, but only in a pretty limited way.

    • What is stopping them is the fact that you have to be one of the appropriate telex destinations to even tell that a telex message is passing by. If you don't know the appropriate parameters, you can't tell that the SSL connection even has a telex message inside, much less tell what the message says.
      • by elFisico (877213)

        This would imply that there is a secret shared between a "good" telex router and the client, but not the regime. How would one organize the distribution of such secrets to the clients without the regime being able to either block the distribution or sniff out the secrets?

        This is just shifting the problem from the communication link level to the secret distribution level...

        • by gcnaddict (841664)
          ...but there is a shared secret.

          The Telex header is public key encrypted on the client-side; only the private key of the backbone can be used to even know something is there at all. Just setting up another Telex interceptor won't mean anything as the new interceptor would have to have the private key that matches the public key of the clients using the service. Otherwise, it wouldn't know what to intercept because the request would otherwise blend in with all the other noise of that https connection.

          All
          • by elFisico (877213)

            OK, this finally makes sense. So it is steganography as well as encryption. Now I get it! :-)

            And there is no way to corrupt the side-channel-information?

    • by bgt421 (1006945)
      The answer is public-key cryptography, where I can send you a message encrypted with your public key, and only you (who knows the matching private key) can decrypt the message. A high-level analogy is sending everyone a box that they can close and lock, but only you have the key to unlock. It's impractical to obtain a private key given a public key. The tags or "secret messages" -- the colored notes in the analogy -- are messages encrypted with the public key of the Telex system in use. The initial analysi
      • by elFisico (877213)

        Hmm, ok, now it makes sense. But wouold it be possible to corrupt the message in the side-channel without invalidating the ssl-connection? That would mean there is a way to block the transfer after all...

    • by Lorde (1535053)
      It would work because only friendly Telex stations outside of the censor's reach will be given the private key. Without the private key, it would be impossible to tell a Telex tag from a legit encryption nonce. The censor must either get hold of the private key - and the service could be built to use a new private key every few minutes - or brute force decrypt the suspected Telex tag, which is a lot more trouble than it's worth. The system operates on the same principle as RSA encryption - everyone knows ho
      • by elFisico (877213)

        OK, but is it possible to corrupt the side-channel message by changing a few bits that are normally not used?

    • They might not have the right type of paper tape [wikipedia.org]. You can always encrypt the hole patterns in the paper type if they do. At least if you are talking about the Telex [wikipedia.org] that I and most of the rest of the world talk about when we use the word 'Telex'.
  • by Bill_the_Engineer (772575) on Tuesday August 02, 2011 @01:12PM (#36961786)
    Seriously Telex is not only a brand name of communications equipment, but its also a name of a very old and still used protocol.
  • by Osgeld (1900440)

    Has survived for decades and still lingers on today in special situations, thanks

  • new Telex() (Score:4, Funny)

    by MacGyver2210 (1053110) on Tuesday August 02, 2011 @01:23PM (#36961928)

    Error: Symbol 'Telex' already defined.

  • Yeah right, after all that huge effort to get ISPs in variouss places to spend money installing something their own customers don't use, the censoring government just aquires that hardware themselves and drops everything that it detects having "telex" crap in it (and sends the thugs to kick down the door of the guy sending the request).

  • It may work in other places where the government has not power over the ISP's, but in the US of A, as of yesterday, your online activity is recorded with the help of the ISPs, so good luck trusting you can anonymously do anything online, even if they tell you it is safe. I just do not think there is any polytical will to enable this type of systems. It is not much better in other countries. This really hurts; the US use to be a bastion of personal freedoms, but of lately, the government seems to be against
    • Yes it will. US citizens just need to access sites in a country with a high density of Telex capable routers.
  • So you want a router on level 7 that does a asymmetric crypto on every client_hello that's passing by. Even if such a machine existed and the border ISPs were compensated for additional costs caused by it, I doubt they'd put up with it. Traditional technologies like TOR or VPNs are already available and seem a lot less insane than "Telex".
  • Bennett Haselton

    Supplying finest chutneys, jams and marmalades to the discerning gourmand since 1853.

    Ask for it by name. Accept no substitute!

  • Proxy's and VPN's are businesses. They make a profit. Our VPN and that of our closest competitors alone serve 100.000+ users in censored countries. This is quite an incentive to keep things running, and cost really isn't an issue. At all.

    Who will pay for Telex?

  • There's no reason why these governments wouldn't require all traffic to go through a "transparent proxy". All they have to do is make a government CA in your browser mandatory (which many have already actually) and re-encrypt all connections while filtering them. Without it your connection simply gets blocked. Yes this costs a lot of resources but you're talking about something that would receive military-style budgets given it's purpose. In the end it's Cisco eating two sides of the pie and everybody else

  • Maybe there are some billionaires out there who want to throw a few bucks at this? BillG, RichardB?

  • It is all explained here [wikipedia.org].

  • . . . it doesn't help when the entire country has an Internet kill switch. The average teenager in a country who needs this has been dodging filtering since middle school; political activists have been keen to alternatives for years. Blocking Facebook and Twitter in Egypt taught the entire nation about Tor.

    The people who really need and want unfiltered content know how to get it. I'd rather see work on wireless meshes and other alternatives, that will benefit everyone including the US as it becomes a mor

  • by LS (57954) on Wednesday August 03, 2011 @12:28AM (#36968522) Homepage

    As someone living and working in China, I can tell you that Bennett Haselton's size http://peacefire.org/circumventor/ [peacefire.org] is currently unreachable in China.

    Once I use my personal proxy to get to his site, we find a link to a "Circumventor" site, http://www.mousematrix.com/ [mousematrix.com]. But after clicking the MouseMatrix link, it redirects to http://www.stupidcensorship.com/ [stupidcensorship.com], which has the following message:

    This IP address range has been blocked from accessing our server due to abusive traffic.

    If you are a human who has been using our website, then you personally are probably not the reason that this IP address range got banned, so please send an email to bennett (at) peacefire.org with the subject line 'allow access', and include your IP address: 221.220.52.152

    Sorry for the inconvenience and hopefully we can restore your access soon!

    Now THAT makes a lot of sense. Block Chinese IPs from using your proxy service.

    I think this guy is just an ignorant hater. Who is he? He has no technical background, and his ego is hurt when someone with an actual working solution comes along. He claims that proxies work, but they don't, not even his own. You can put thousands out there, but there are tens of thousands of people in China working for the GFW that can block them all, and that is the status quo.

    Please don't give this guy any more time and front page space.

    LS

  • I don't think Telex is the right approach, but it offers one important benefit over the proxy approach: deniability. It may be true that regimes don't block all proxies. But if they decide to check up on you, they can see that you are using one of the censorship evasion proxies and punish you. With Telex, it appears that you are communicating with a legitimate web site; the only way to know otherwise is to crack the encryption and see that there's a message intended for Telex.

    Getting help from ISPs isn't

My problem lies in reconciling my gross habits with my net income. -- Errol Flynn Any man who has $10,000 left when he dies is a failure. -- Errol Flynn

Working...