
Telex: a new anticensorship system

The Freedom to Tinker site carries an announcement for Telex, a new approach to the circumvention of censorship of the net by national governments. "As the connection travels over the Internet en route to the non-blacklisted site, it passes through routers at various ISPs in the core of the network. We envision that some of these ISPs would deploy equipment we call Telex stations. These devices hold a private key that lets them recognize tagged connections from Telex clients and decrypt these HTTPS connections. The stations then divert the connections to anti-censorship services, such as proxy servers or Tor entry points, which clients can use to access blocked sites. This creates an encrypted tunnel between the Telex user and Telex station at the ISP, redirecting connections to any site on the Internet." There is a proof-of-concept implementation available on the Telex site.
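The tagging idea in the announcement, as an added example (not code from the Telex project or from this page): a client hides a Diffie-Hellman-based tag in the 32-byte ClientHello nonce, and only the holder of the station's private key `r` can tell it from random bytes. The toy group, the HMAC construction and all function names are assumptions made for illustration; the thread below supplies only the name `r` and the use of the ClientHello nonce.

```python
import hashlib, hmac, secrets

# Toy parameters, constructed for illustration and far too small for real use.
# A real scheme also needs an encoding that looks like uniform random bytes.
P = 2**127 - 1      # Mersenne prime, so group elements fit in 16 bytes
G = 3
NONCE_LEN = 32      # size of the TLS ClientHello random field

def station_keygen():
    """Station's long-term key pair: private r and public G^r mod P."""
    r = secrets.randbelow(P - 3) + 2
    return r, pow(G, r, P)

def _mac(shared, eph):
    # Bind the tag to the ephemeral value under the Diffie-Hellman secret.
    return hmac.new(shared.to_bytes(16, "big"), eph, hashlib.sha256).digest()[:16]

def client_tagged_nonce(station_pub):
    """Nonce = G^s || MAC keyed with station_pub^s; s is fresh per connection."""
    s = secrets.randbelow(P - 3) + 2
    eph = pow(G, s, P).to_bytes(16, "big")
    return eph + _mac(pow(station_pub, s, P), eph)

def station_recognizes(r, nonce):
    """True only if the nonce was tagged for the public key matching r."""
    if len(nonce) != NONCE_LEN:
        return False
    eph = nonce[:16]
    e = int.from_bytes(eph, "big")
    if not 1 < e < P:
        return False
    return hmac.compare_digest(_mac(pow(e, r, P), eph), nonce[16:])

def demo():
    r, pub = station_keygen()
    other_r, _ = station_keygen()              # someone holding a different key
    tagged = client_tagged_nonce(pub)
    fresh = secrets.token_bytes(NONCE_LEN)     # nonce of a re-originated handshake
    return {
        "station_sees_tag": station_recognizes(r, tagged),
        "wrong_key_sees_tag": station_recognizes(other_r, tagged),
        "after_nonce_replaced": station_recognizes(r, fresh),
    }

if __name__ == "__main__":
    print(demo())
```

The last result is the case raised later in the thread: any middlebox that terminates TLS and opens its own handshake sends a fresh nonce, so the tag never reaches the station.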

Telex: a new anticensorship system

Posted Jul 18, 2011 14:22 UTC (Mon) by sturmflut (guest, #38256)

And what if your own government deploys Telex stations at every ISP in your country, detects incoming connections and just blocks them or pays you a visit?

Telex: a new anticensorship system

Posted Jul 18, 2011 14:42 UTC (Mon) by Lev (guest, #41433)

It uses public-key steganography. So your government can't detect your connections unless: 1) they steal the private key from the foreign ISP; 2) they manage to fool you into using their public key instead of the key from the foreign ISP.

Telex: a new anticensorship system

Posted Jul 18, 2011 14:49 UTC (Mon) by sturmflut (guest, #38256)

Do the Telex developers really think our governments don't have the necessary means for that? How naive.

Telex: a new anticensorship system

Posted Jul 18, 2011 14:50 UTC (Mon) by SEJeff (subscriber, #51588)

Agreed! It is like this:
http://xkcd.com/538/

Telex: a new anticensorship system

Posted Jul 18, 2011 15:39 UTC (Mon) by renox (subscriber, #23785)

I disagree: Telex seems more interesting than these knee-jerk responses as they try to provide 'stealth' connections, not only encrypted connections.

The $5 wrench only works when the censoring government has some pre-existing reason to suspect that you do something 'not approved'.

Monitoring a list of Tor gateways is easy, but both stealing the private key from the foreign ISP(s) or fooling users into using one of their public keys instead of the key from the foreign ISP(s) are much harder.

So Telex seems interesting, but I wonder what happens when you try to use an HTTPS connection with these 'special' public keys and there is no Telex router in the middle (or one with a different set of associated private keys), there would be error reports from the destination IP address, no?
Couldn't the censoring government detect those error reports?
Error reports from HTTPS connections must usually be quite rare, so if one IP address starts getting lots of error reports from HTTPS connections, it could be suspicious, no?
Of course this is still much, much harder to detect than simply monitoring a list of Tor gateways..

Telex: a new anticensorship system

Posted Jul 18, 2011 15:46 UTC (Mon) by renox (subscriber, #23785)

I correct what I said during the last part of my comment: if there is no Telex router in the path, the HTTPS connection succeeds as if it was a normal connection, so it could be really difficult to detect those Telex connections..

And without detection, you don't know who to hit with the $5 wrench!

Telex: a new anticensorship system

Posted Jul 18, 2011 15:51 UTC (Mon) by sturmflut (guest, #38256)

Excuse me, but our governments seem to ALWAYS think that we are doing something 'not approved'. If not, why would they monitor and store our connection data for years?

Governments will just "help each other out" with the keys, and they have a lot of interest in tricking you into accepting some manipulated key. I only believe in end-to-end security, like webservers directly running Tor on the same node and using Tor's address mapping facility instead of DNS. Nobody should ever be able to decrypt any connection in between.

Telex: a new anticensorship system

Posted Jul 18, 2011 16:08 UTC (Mon) by renox (subscriber, #23785)

> Governments will just "help each other out" with the keys

Not necessarily.. For example, it could be in the USA's interest to help Chinese dissidents, so they would push ISPs to install these Telex boxes.

> I only believe in end-to-end security, like webservers directly running Tor[cut]

The connection is secure ok, but it's not *stealthy*, so this does not provide Chinese users (for example) a protection against the $5 wrench!

At a future phone company board meeting...

Posted Jul 19, 2011 17:20 UTC (Tue) by dmarti (subscriber, #11625)

"Before we start discussing the huge PIPE investment we just got from the People's Republic of China, what's 'Telex' doing in the R&D budget?"

Telex: a new anticensorship system

Posted Jul 18, 2011 22:30 UTC (Mon) by sturmflut (guest, #38256)

After reading and thinking a bit more about it:

Only ISPs can install Telex nodes, and to use Telex, you have to make sure your packets go through one of the "correct" Telex nodes (they get to have the matching encryption key). So the Telex nodes have to be quite "close" to the HTTPS site you are supposedly contacting. Once it is known which ISPs installed Telex nodes, the censoring government can just refuse to peer with those netblocks, and Telex traffic will never reach its destination. The Telex authors plan to have Telex nodes near popular websites, but especially those (like YouTube and Google) are usually blocked by censors.

Or even simpler: Just block any HTTPS traffic to servers outside of the country. No self-respecting censor would allow obviously encrypted traffic to foreign destinations anyway. Or one would install an automatic Man-in-the-middle proxy for HTTPS, which completely breaks Telex because the manipulated ClientHello nonce is replaced.

So you can simply break Telex for everybody on the lowest level.

Telex: a new anticensorship system

Posted Jul 20, 2011 8:36 UTC (Wed) by renox (subscriber, #23785)

> Only ISPs can install Telex nodes

I thought about this and wondered if it wouldn't be interesting to also have Telexed websites: these become proxies like Tor proxies but with the important difference that the censoring government cannot know (without getting the secret keys) whether the users accessing the website are normal users or trying to go around the firewall: logging source IP addresses becomes almost useless.

A *very* important difference for the user!

That said, I agree with you that if the censoring government blocks HTTPS traffic to servers outside of the country, then Telex is dead.

Telex: a new anticensorship system

Posted Jul 20, 2011 20:36 UTC (Wed) by johill (subscriber, #25196)

Yeah I wondered about this too -- but somehow you're trusting all those Telex nodes with the private key, right? So installing it on websites doesn't scale.

Actually let's go back to the key thing. The "Telex Station" (in the paper) has a private key "r". The "Telex Client" uses the corresponding public key.

The paper says "We leave the details of selecting the server and public key for future work." But that's really the biggest issue here. How does the Client figure out the correct public key? It has to come with at least a seed database, since every method to figure out the key based on public information could be blocked and/or monitored (e.g. if you had DNS-based discovery the "evil government" can replace them in DNS responses and install its own Telex Station to catch people using it).

But if it comes with just a "seed" database, the seed ISPs can simply be blocked to make the system unusable. So you need a bigger database to start with, and probably a way to distribute new databases on every connection. Then, however, the issue will be how you trust that database so it can't be subverted.

Seems like it needs a major amount of work on the key distribution and trust problems.

Telex: a new anticensorship system

Posted Jul 21, 2011 7:28 UTC (Thu) by renox (subscriber, #23785)

For me, the key distribution issue is the same as the distribution of the IP addresses of Tor (for example) proxies:
you use a sneakernet.

And if the information is leaked to the censor, the big difference is that:
- with Tor proxy, the censoring government can log the IP addresses of all the ones who try to access it and know that they're trying to go around the firewall
- with Telexed ISP, they don't know this because they would also log a large number of normal users..
- with a Telexed website, if it's a website with lots of normal users, the result is the same.

Telex: a new anticensorship system

Posted Jul 18, 2011 16:38 UTC (Mon) by roblucid (subscriber, #48964)

"ISPs would deploy equipment we call Telex stations" sounds like the old plans to implement IPv6, where they'll make new long addresses available and do 6to4 as transparent service, long before addresses were scarce.

Telex: a new anticensorship system

Posted Jul 18, 2011 18:36 UTC (Mon) by jengelh (subscriber, #33263)

Someone forgot that Telex already describes a system, albeit a quite outdated one: http://en.wikipedia.org/wiki/Telex

This is part of the plan!

Posted Jul 18, 2011 20:06 UTC (Mon) by khim (subscriber, #9252)

And it means dissidents over there can always claim they meant "that other Telex" :-)

Telex: a new anticensorship system

Posted Jul 19, 2011 12:20 UTC (Tue) by ballombe (subscriber, #9523)

Well, TOR is the usual abbreviation of Telex-over-radio, so at least they stay in the same theme.

Telex: a new anticensorship system

Posted Jul 18, 2011 20:55 UTC (Mon) by dashesy (subscriber, #74652)

That is great as long as the very first HTTPS connection has a double functionality, for example if Yahoo or Gmail can be used.
Only in that case, when facing the 5$ wrench the user can claim reading emails all the time :)

Telex: an old teleprinter system

Posted Jul 19, 2011 9:04 UTC (Tue) by Seegras (subscriber, #20463)

This is just about the most stupid name they could copy.
http://en.wikipedia.org/wiki/Telex

Telex: a new anticensorship system

Posted Jul 19, 2011 9:21 UTC (Tue) by fergal (subscriber, #602)

Widespread ISP deployment might require incentives from governments.
The big companies at the core of the network almost certainly want to keep on the good side of China. They have a disincentive to install Telex nodes.

Telex: a new anticensorship system

Posted Jul 19, 2011 10:27 UTC (Tue) by dps (subscriber, #5725)

There *can* be incentives for not being entirely co-operative. One major UK ISP said they would not just turn over user information, but instead ask to see a search warrant first. This might have been driven by marketing but it is definitely a step in the right direction. Before you sign up note that they do not offer non-clear text password pop or imap services and firewall port 25 to anything except their overloaded outgoing SMTP servers. This seriously reduces privacy.

I can't see why China's great firewall can't just block access to any Telex system outside China, just like dubious sites like www.bbc.co.uk. Anybody mad enough to set up a node in China can be dealt with by other means. Tor probably can't just be blocked because embassies and diplomats probably need it.

Telex: a new anticensorship system

Posted Jul 19, 2011 11:36 UTC (Tue) by fergal (subscriber, #602)

But it's not really about your local ISP, it's about the companies that are at the centre of the internet. These are multinationals who have a presence all over the world. They don't want to lock themselves out of a big market for a political principle.

Telex: a new anticensorship system

Posted Jul 19, 2011 12:43 UTC (Tue) by dps (subscriber, #5725)

I think the company in question is the UK telephone arm of a very large operation---it definitely is not a mom and pop operation. I suspect they do have business orientated products with more bandwidth, fewer limits and less fascist firewall settings.

The idea that pipex et al will install Telex nodes is moonshine. Many of these companies provide unfiltered bandwidth and any filtering is your responsibility. Some of them might sell you content delivery services too but neither storage nor delivery is free. The associated hardware is $$$$$$$$$.

Somehow for Telex to work I can't see any support for billing.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.