Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Communications Networking Your Rights Online

Researchers Debut Proxy-Less Anonymity Service 116

Trailrunner7 writes "As state-level censorship continues to grow in various countries around the globe in response to political dissent and social change, researchers have begun looking for news ways to help Web users get around these restrictions. Now, a group of university researchers has developed an experimental system called Telex that replaces the typical proxy architecture with a scheme that hides the fact that the users are even trying to communicate at all."
This discussion has been archived. No new comments can be posted.

Researchers Debut Proxy-Less Anonymity Service

Comments Filter:
  • "users is" I'll let you guys figure it out for yourselves.
  • Um. excuse me? (Score:5, Insightful)

    by countertrolling ( 1585477 ) * on Monday July 18, 2011 @10:35AM (#36800482) Journal

    The key innovation in Telex is that it uses "stations" installed at ISPs to recognize and reroute specially tagged requests from clients trying to reach censored sites.

    Oh, right... We can fully expect our friendly ISPs to go along with this nice, convenient fully centralized 'service'... Pleeeze

    • My thoughts exactly - doesn't seem like this one will fly...
    • Re:Um. excuse me? (Score:5, Insightful)

      by mlts ( 1038732 ) * on Monday July 18, 2011 @10:55AM (#36800696)

      Even if they went along with this "service", all it takes is one of the Four Horsemen of the Infoclypse (as Tim May put it) to rear their ugly heads through the connection, and the ISP will either stop running the station, or make sure they have thorough logging.

      • Re:Um. excuse me? (Score:5, Interesting)

        by gerddie ( 173963 ) on Monday July 18, 2011 @11:33AM (#36801052)
        After reading TFA: They do not assume that your ISP has this "station", only some ISP. You tag your https request to some unblocked site by using public key code encryption to indicate that you want a secure anonymous connection. When your request packages are routed you might hit a router from an ISP who runs such a "station". This router may identify the tag and and if so, the "station" answers the request by setting up an encrypted between itself and the user (you) who can then use it like a proxy. In other words - the headline is wrong, because you still use a proxy, the only difference is that the IP of the doesn't need to be publicly known. Instead, you need to know the public key of a (group of) station(s) and hope that the traffic gets routes to pass through one of these.
        • by mlts ( 1038732 ) *

          True, but the traffic has to come from somewhere outgoing, and pretty much the ISP will be in hot water unless they have some address to cough up, be it a node previous in the chain, or an actual person. Same problem happens with TOR exit nodes, which is why there are so relatively few of them.

          • by EdIII ( 1114411 )

            This is not a solution for anonymity like TOR at all. In fact, I don't see it providing anonymity as a goal. To say that it is providing it is extremely misleading and I can understand why a lot of people are ripping it apart.

            However, this is a fairly good idea. You just have to limit the scope of this to HTTPS requests that come from countries which engage in censorship. So while it is not for American or EU citizens to use for anonymity, it could be quite useful to Pakistan, China, Australia, etc.

            Even

            • by Threni ( 635302 )

              > This is not a solution for anonymity like TOR at all. In fact, I don't see it providing anonymity as a goal. To say
              > that it is providing it is extremely misleading and I can understand why a lot of people are ripping it apart.

              Read his post again - that's not what he was saying.

        • by renoX ( 11677 )

          But will any ISP implement the Telex system?

          1) it needs to change their network to route the HTTPS request to pass through the "stations"
          2) if the ISP is discovered, it's very likely that it would be blocked by the censoring governement.

          IMHO a good idea would be first to implement "Telexed website": it can be blocked as any website, but at least users who would use the Telex-proxy of the website would be "anonymous"(*) among the normal users of the website.

          This "stealthiness" is a big advantage of "Telexed

      • by njvack ( 646524 )

        Even if they went along with this "service", all it takes is one of the Four Horsemen of the Infoclypse

        From what I've seen, two ponies and a small dog would probably be enough.

      • Re: (Score:2, Funny)

        by PvtVoid ( 1252388 )

        Four Horsemen of the Infoclypse (as Tim May put it)

        The 90's called: they want their paranoid meme back.

    • What's the freaking point of all this just to avoid using proxy? At least you can mask the purpose of a proxy. This is advertising only 1 purpose.

    • by 1s44c ( 552956 )

      Oh, right... We can fully expect our friendly ISPs to go along with this nice, convenient fully centralized 'service'... Pleeeze

      Worse than that, the ISPs would have to perform deep packet analysis and attempt decryption on every HTTPS connection going though their core routers. Any design that depends on increasing CPU load on core routers by at least an order of magnitude just isn't going to work.

      Also the system relies on ISPs, many of them, keeping the magic private key secret from whoever the censor is. That's much too risky to bet your freedom on.

    • They even put this punchline on their website:

      The main idea behind Telex is to place anticensorship technology into the Internet's core network infrastructure, through cooperation from large ISPs.

      BWAHAHAHA!

      • by 1s44c ( 552956 )

        They even put this punchline on their website:

        The main idea behind Telex is to place anticensorship technology into the Internet's core network infrastructure, through cooperation from large ISPs.

        BWAHAHAHA!

        ... though massive expenditure on new equipment by large ISPs ...

        BWAHAHAHA Indeed, this can't work.

  • Bad assumption (Score:4, Interesting)

    by Anonymous Coward on Monday July 18, 2011 @10:37AM (#36800506)

    The bad assumption is that government controlled ISPs in said censored nations won't make their own Telex nodes and just intercept traffic before it reaches the web at large. The really bad assumption is that other ISPs between the end user and the fake destination will have Telex nodes to do the dirty work. This method seems to be screaming MITM me.

    • Re:Bad assumption (Score:5, Interesting)

      by mmmmbeer ( 107215 ) on Monday July 18, 2011 @11:14AM (#36800888)

      I don't think just any node could interpret the message. It would be built specifically for the node they are using. It also doesn't imply anything about not using other security. The telex message could be (and probably should be) an encrypted communication, so the telex node would just know where it's going, not what it means.

      Basically, all this does is allow any website to act as a proxy without being obvious that they're a proxy. It's an interesting idea, but I don't think it has any chance of working. Governments will identify possible nodes through either technological means or just good old "social engineering" (snitches) and simply shut off all access to those sites. Or they'll take it a step further and restrict all sites except for a whitelist.

    • by b0bby ( 201198 )

      That was my first thought too, but I think the fact that they use https connections to real websites, and that the boxes use a private key, should mean that the government box wouldn't work unless they got access to the private key. I'm still not sure if it would work well in practice, but at least this aspect shouldn't be a problem.

      • by Amouth ( 879122 )

        or they could be like most governments and have a trusted signing CA and just be a MITM for the SSL traffic.

    • A different way to look at the assumption is, the guys who will be making and maintaining "telex" nodes will not sell them to any Government or ISP that censors the internet.

      And the telex client software will change the public keys used to sign the encrypted requests periodically via some update mechanism. This will ensure that ISPs that had claimed to be anti-censorship earlier to get hold of telex boxes with private keys can not turn on their censor filters later and use the old telex boxes to intercept t

      • by SEWilco ( 27983 )

        A different way to look at the assumption is, the guys who will be making and maintaining "telex" nodes will not sell them to any Government or ISP that censors the internet.

        So I can't make a telex node -- some other guy has to do it? And if I can make a telex node, my unfavoritest governments can make thousands of them.

      • by hoggoth ( 414195 )

        > the guys who will be making and maintaining "telex" nodes will not sell them to any Government or ISP that censors the internet.

        That won't work unless they also make it against their Usage Policy for totalitarian governments to use a third-party to purchase a "telex" node. Then it will be safe.

    • The idea is that the ISP providing the service is in a friendly country that hates censorship. They can connect to any website that goes through that ISP to use the Telex service.


  • I remember Telex ads from when I was a kid. Lo and behold, Telex is actually still around. [wikipedia.org]
    • by Nethead ( 1563 )

      Yep, the old 910 NPA.

      • by grub ( 11606 )

        Funny, the Wikipedia article also mentions TOR (Telex-on-Radio in this case).
    • by Matheus ( 586080 )

      That and my first Windows-based dial-up client was called Telex. Trademark Infringement? ;-)

      • by Matheus ( 586080 )

        Mod myself as parent down... My first *DOS*-based Dial-Up client. DOH!

      • by vlm ( 69642 )

        That and my first Windows-based dial-up client was called Telex. Trademark Infringement? ;-)

        No, it was probably called Telix

        http://en.wikipedia.org/wiki/Telix [wikipedia.org]

        If I recall correctly, its primary claim to fame in the 80s was having both a decent zmodem download client built in, and zmodem autostart. Also I liked its phonebook menu, which neatly held all the BBSes I called. And it had a nice redialer.

        It was pretty much the ideal terminal program in the pre-windows era.

        Procomm was about as good, and had a nicer scripting language, but they wanted a huge amount of money for it.

    • by Hartree ( 191324 )

      Digging down into the links on the discussion page of that article:

      Apparently in some countries Telex has a legal status that other communications don't neccesarily have. I'm guessing it's been judged to be evidence of a contract since it is reasonably well authenticated.

      eg: "We sent you a Telex ordering N tons of commodity Y by date X and received a confirmation from you." would be admissible in court as a signed contract.

  • is install magic boxes in the same ISP that is cutting off information

    and add on the fact that telex is a commercial service still in use and there you have it ... effin brilliant scheme guys

    • by glop ( 181086 )

      Not the same ISPs. ANY ISP that is on the traceroute to uncensored websites allowing https.

      And the local ISP won't even know there is anything special with the network traffic as this uses public steganography in encrypted data streams.

      Only somebody who has the private key can know the data are "special". So the only remaining attacks on this are:
      - steal a private key from a trusted organization
      - spoof a private key (Bad people can create the "TRUSTME" service, get people to trust it and spy on them)
      - block

      • Not the same ISPs. ANY ISP that is on the traceroute to uncensored websites allowing https.

        One of the ideas of the Internet is that routing can change at a moment's notice to "route around failures". The traceroute you run now may have a different result than one you ran a minute ago.

        In other words, the packet you send to site A can travel over any route between you and A, and it will not necessarily always go through Telex site B.

        Now, the packets that Telex site B send to Censored site C on your behalf will get through because it doesn't matter what route you used to get to B, B is talking t

  • Proxy-less (Score:5, Insightful)

    by Anonymous Coward on Monday July 18, 2011 @10:43AM (#36800578)

    Okay, so we rename the proxy a "station" and now we can call it proxy-less?

    • by 1s44c ( 552956 )

      No. The names are not important but the difference is that anyone sniffing your traffic can't tell you are communicating with a 'station' at all.

      Read the article, it's quite interesting and pretty short. It's also quite impossible due to cost and cooperation issues.

    • by renoX ( 11677 )

      > Okay, so we rename the proxy a "station" and now we can call it proxy-less?
      They should have named these stations "hidden proxy", because the difference between these "stations" and normal proxys is that users don't have to connect to a proxy IP address as the "Telex ISPs" redirect all the HTTPS connexions requests through these "Telex stations".

      It becomes much more difficult for the censoring government to detect who is trying to escape the censorship..

  • It would be easier to configure a web service which recognized X keyword searches from the same session to convert the session to a port forwarding ssh session to an appropriate proxy.

    ( google search on book, monkey, tuesday, and blue gets you ssh forwarded to privoxy.com, etc. )

    your https connection stays to the main site, & it just forwards the data .

    • by gl4ss ( 559668 )

      isn't this just data masquerading? you'd still see bytes flowing, so how is it better than vpn or whatever?

      • vpn requires local software / possibly alternate ports to initiate.

        Proxies do not require local software, but have central points that can be blocked.

        better method would be to have simple looking sites have "backdoors" that could be used to exit normal mode, and establish new session with hidden services.

    • by AJH16 ( 940784 )

      The difference is that it would not be dependent on the end point site supporting it (in which case the end point site would simply be blocked for supporting it). Instead, it moves the redirect down a level and makes it blend in with a normal HTTPS connection. When it passes over a Telex enabled router, it gets changed out and redirected. The primary problem I see with the system is that all a censor has to do is get the magic box on their own routers and suddenly they can see the traffic and tell where

  • by sverrehu ( 22545 ) on Monday July 18, 2011 @10:45AM (#36800598) Homepage
    "Friendly countries"; like, the USA?
  • What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?

    • by vlm ( 69642 )

      What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?

      The point is to signal that they're noobs hence not to be trusted with sensitive traffic.

      I've got an idea, how about freenet and/or i2p? That might work. With namecoins for domain registration? Naah I'll never get that past the NiH filter.

      My favorite part about freenet and i2p is "recently" at least on headless linux boxes, they could be installed together, but having made the mistake of being implemented in Java, one sort-required a very specific version of the official sun JRE and the other required an

    • by OzPeter ( 195038 )

      What's the point of naming it Telex [wikipedia.org]? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?

      I think that this answers your question (from TFS)

      a scheme that hides the fact that the users is even trying to communicate at all.

    • Re:Telex? (Score:4, Funny)

      by ribuck ( 943217 ) on Monday July 18, 2011 @11:31AM (#36801028)

      What's the point of naming it Telex [wikipedia.org]? ...

      I think you might have missed the point. The freedom-friendly ISP routes the connection across the near-defunct Telex network, and therefore bypasses censorship.

      Of course, the websites you browse only display upper-case characters and EBCDIC Art graphics.

      • What's the point of naming it Telex [wikipedia.org]? ...

        I think you might have missed the point. The freedom-friendly ISP routes the connection across the near-defunct Telex network, and therefore bypasses censorship.

        Of course, the websites you browse only display upper-case characters and EBCDIC Art graphics.

        Arbitrary data can be encapsulated so that it can traverse limited character bottlenecks like this. I believe UUENCODE/UUDECODE does this.

        • Arbitrary data can be encapsulated so that it can traverse limited character bottlenecks like this. I believe UUENCODE/UUDECODE does this.

          And sensitive or private data can be ROT13'd before or after UUENCODEing it (or both, for twice the protection!)

  • I used to send my FX orders to Sydney, Tokyo and Sing by telex. You mean its made a come back? The new stealth: 110 baud!

  • by Anonymous Coward

    I, Anonymous Coward, hereby debut my own, better scheme:

    Each user utilizing this privacy filter simply asks their ISP, government, mail provider, OS manufacturer, neighbor, IT admin, etc. not to track them!

    It's as simple as that!

  • The offending government from loading Telex, harvesting the end points and blocking those?

    • by Dan Ost ( 415913 )

      The government's telex station can't detect the telex communication unless they also happen to have the private key from the intended Telex station.

      This is actually pretty clever, assuming it works. I'm always suspicious of anything that depends on stenography.

  • by countertrolling ( 1585477 ) * on Monday July 18, 2011 @11:00AM (#36800760) Journal

    As state-level censorship continues to grow..

    FTA: Widespread ISP deployment might require incentives from governments.

    Can you see the little flaw in this whole concept yet?

    • by Anonymous Coward

      If there was One World Government, then yes. As it is, governments such as the United States have an interest in foiling the censorship efforts of other governments such as Iran or China. Thus, key state support to circumvent state-level censorship is hardly unreasonable, at least for a fairly large subset of state-level censorship that's out there.

      • So the Chinese would rely on US ISPs to read about Tiananmen Square, and Americans would rely on Chinese ISPs to find streams of sporting events?

    • Other governments, I assume. The Internet is worldwide.

  • by Anonymous Coward

    If you have to have something running which will reroute the packets, isn't that effectively a proxy? This is just a different way of accessing the proxy. Not only that but the proxy needs to be running in the network path for the packet, when the routing isn't even guaranteed to be always the same. Would this even work outside a lab?

  • And I also would like to sell you this bridge I recently acquired in Brooklyn. It's totally not the right time for me to be owning a bridge.

    But seriously, who is going to trust this system? It creates an enormous incentive for intelligence agencies to infiltrate as many major ISPs as they have to in order to capture the traffic and/or compromise the keys--if they haven't already infiltrated the project to parallel develop a compromised version of the product that feeds the keys straight to the CIA so that t

  • Host Request -> some site
    ---other telex site responds
    request dest dns host range ! = remote site range
        **blocked**

    • No HTTPS = no commerce on the interweb.

      Not. Gonna. Happen.
      • by jfengel ( 409917 )

        In the West, certainly not. In China or Iran, however, I could see the government banning encrypted traffic. I'm a bit surprised they haven't already. At the very least, ban HTTPS and replace it with some other cryptosystem to which they hold the keys. It prevents them from foreign logins, but I thought they'd be OK with that.

  • Somehow, I think nesting myself (needle) in a haystack (Tor network) would be safer than routing through set stations. At the end of the day, this sounds like dumbing down the tools we already have so common users can take advantage of them without learning the procedures. I wouldn't normally have a problem with protecting Anonymity, but I think in this case I'm going to say no. ISPs aren't going to bother with this, especially in countries and areas where governments have complete control over such matter
  • Idiotic in all possible ways -- the purpose, the name, the method, the announcement, and the results of application.

  • You're inside of an HTTPS connection and send spooky data that somehow this Telex box can see. How exactly can the Telex box see inside the HTTPS secured connection if the connection is supposed to be secured to this bogus back-end web site that's benign and not aware of the goofy stuff? Is this SSL connection somehow different than a normal one to these web sites and if so would that possibly make it stand out?

  • Crypto nerds are like hippies but without that strong grasp of the realities of this world.

    This "idea" relies on the fact that internet traffic is routed through several places on its way. They idea is that on one of these ways, the traffic will be read and if a magic bit is detected, it will re-route this traffic to somewhere else, making it possible to do a request for google.com with a magic bit set (which I can only presume is some magic bit that won't be bloody obvious for not fitting in the very well

  • by xnpu ( 963139 )

    What an overly complex bogus system. It will require tons of ISP's to cooperate to get this to work. We might as well install an SSL proxy at the border and tell the Chinese the whole world is reachable over the proxy IP only. Take it or leave it.

    Year after year we see all these awesome developments which probably cost a ton but I've never heard of one really taking off. Meanwhile the Chinese are simply using commercial VPN providers or brewing their own on $3/month VPS servers.

  • Imagine...a significant portion of the people trying to avoid monitoring of their online activities getting routed automatically through your very own Telex "station" to your own poisoned 'proxy' service, allowing full monitoring of traffic that the end user thinks is secure...

    Really, there seems to be no way for the end user to verify that the Telex "station" that reroutes their request is legitimate. So instead of using peer-verified, trusted proxies, they cast their dirty laundry out on the interwebs an

  • "Citizen, hand over computer for checking of dissident TELEX client software! Also, you need new door!"

"He don't know me vewy well, DO he?" -- Bugs Bunny

Working...