As state-level censorship continues to grow in various countries around the globe in response to political dissent and social change, researchers have begun looking for new ways to help Web users get around these restrictions. Now, a group of university researchers has developed an experimental system called Telex that replaces the typical proxy architecture with a scheme that hides the fact that the user is even trying to communicate at all.

The Telex system is the work of J. Alex Halderman and two other researchers at the University of Michigan, and Ian Goldberg of the University of Waterloo, and it has a couple of fundamental differences from other anti-censorship or anonymity tools such as Tor or proxy networks. The key innovation in Telex is that it uses “stations” installed at ISPs to recognize and reroute specially tagged requests from clients trying to reach censored sites.

Those requests are also completely hidden from censors because each one is part of an established HTTPS connection to a benign site that the censor or government allows. That connection is used as a red herring to prevent the censor from even seeing the other connection request. Each user would have a copy of the Telex client on his or her machine, which would generate the requests and insert the secret tags in them.

“The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers. We construct this tag using a mechanism called public-key steganography. This means anyone can tag a connection using only publicly available information, but only the Telex service (using a private key) can recognize that a connection has been tagged,” Halderman, an assistant professor at Michigan, wrote in a blog post announcing Telex.

“As the connection travels over the Internet en route to the non-blacklisted site, it passes through routers at various ISPs in the core of the network. We envision that some of these ISPs would deploy equipment we call Telex stations. These devices hold a private key that lets them recognize tagged connections from Telex clients and decrypt these HTTPS connections. The stations then divert the connections to anticensorship services, such as proxy servers or Tor entry points, which clients can use to access blocked sites. This creates an encrypted tunnel between the Telex user and Telex station at the ISP, redirecting connections to any site on the Internet.”
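The tag-and-recognize step described in the two quotes above can be sketched as follows; this is an added illustration, not code from the Telex project or from Halderman's post. It assumes a toy Diffie-Hellman group and hypothetical function names, does not try to make the tag look like random bytes (which a deployed scheme would need), and does not model where in the HTTPS headers the tag is carried.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for this sketch): the prime 2**255 - 19
# with base 2. Far too small for real use; the deployed system's parameters
# are not given in the article.
P = 2**255 - 19
G = 2
ELEM_LEN = 32   # bytes needed to encode a value mod P
MAC_LEN = 32    # SHA-256 output length

def _kdf(shared: int, label: bytes) -> bytes:
    """Derive a labelled 32-byte value from the DH shared secret."""
    return hashlib.sha256(label + shared.to_bytes(ELEM_LEN, "big")).digest()

def station_keygen():
    """Station key pair: private exponent stays at the ISP, public value is published."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def client_make_tag(station_pub: int):
    """Build a tag from the station's public key only. Returns (tag, session_key)."""
    r = secrets.randbelow(P - 3) + 2           # fresh secret per connection
    shared = pow(station_pub, r, P)
    tag = pow(G, r, P).to_bytes(ELEM_LEN, "big") + _kdf(shared, b"tag")
    return tag, _kdf(shared, b"session")

def station_check_tag(candidate: bytes, station_priv: int):
    """Return the session key if candidate is a valid tag, else None."""
    if len(candidate) != ELEM_LEN + MAC_LEN:
        return None
    elem = int.from_bytes(candidate[:ELEM_LEN], "big")
    if not 1 < elem < P:
        return None
    shared = pow(elem, station_priv, P)
    if not hmac.compare_digest(candidate[ELEM_LEN:], _kdf(shared, b"tag")):
        return None
    return _kdf(shared, b"session")

def demo():
    priv, pub = station_keygen()
    other_priv, _ = station_keygen()            # an observer without the station key
    tag, client_key = client_make_tag(pub)
    return {
        "station_recovers_key": station_check_tag(tag, priv) == client_key,
        "other_key_sees_nothing": station_check_tag(tag, other_priv) is None,
        "random_bytes_rejected": station_check_tag(secrets.token_bytes(64), priv) is None,
    }
```

The session key both sides derive stands in for the encrypted tunnel between client and station; anyone holding only the public value can create tags but cannot tell a tagged connection from an untagged one by running the check.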

Governments and other organizations interested in censoring the sites that their users can access have become quite adept at detecting circumvention methods and finding the addresses of the proxy servers that other anonymity systems use, making it difficult–and in some cases, dangerous–for people to use them. Telex is designed to help alleviate this problem by using proxy servers that for all intents and purposes don’t have public IP addresses that are discoverable by outsiders.

“The kernel of the idea was to do something in the middle of the network,” Halderman said in an interview. “Working out how to do it with the ISPs is one of the hard parts. It was an idea that had a lot of contours that needed to be thought out and fleshed out because it is so different from the existing proxy-based tools out there.”

Goldberg, of the University of Waterloo in Canada, is the former chief scientist at Zero-Knowledge Systems, creators of the pioneering privacy and anonymity system, Freedom.

The Telex system is in the experimental stage, but Halderman wrote that he and his fellow researchers have been using it via a Telex station in their lab for a few months now and it’s worked as designed. The researchers, who also include Halderman’s graduate students Eric Wustrow and Scott Wolchok, plan to present their research on Telex at Usenix Security 2011 next month.

Comments (20)

  1. Anonymous

    Wouldn’t the ISP then still have a log of where the client visited?  This is still insecure, as ISPs are regularly forced to reveal traffic.  Furthermore, what ISP in a hostile government would want or seek additional risk to themselves?

  2. Anonymous

    The problem is real and the premise that you don’t even want them to know you are trying to make a secret communication is absolutely critical.  How many people in China are slaughtered year over year for such things?  With 1,000+ mobile death vehicles produced per year, obviously a hell of a lot of people (in China).

    But you also need to hide the local client application.  It’s better there were no persistent client application.  Why not use a JavaScript client that disposes of itself?  Stenographic methods are obviously key toward hiding that a communication has occurred.  Open cryptography is a lure to zero them in on you.  Basically, one might use a compression technique to specify a message with extracted components from a mix of web pages from a single Google search term.  I would always provide separate messages to each individual–except when testing the trustworthiness of the receiving agent or using it as a lure to find those seeking you out.

  3. Anonymous

    What is to prevent an agency desirous of discovering people who use Telex from setting up Telex on their own servers and quickly identifying the users?

  4. wiedzmin

    Correction – this isn’t “proxyless”, this fits a definition of “end-to-middle proxying”, which is still proxying just not in its most widespread definition of it.

  5. Anonymous

    So you expect non-blacklisted sites to install software on their back-end to support this encrypted tor-like anonymous service?  Good luck with that.  Even if you manage to do this, you still have to deal with the fact that these non-blacklisted sites will soon quickly get blacklisted as well for providing a proxy service to blacklisted sites.

  6. Anonymous

    Be prepared for China and other countries to do a North Korea and go to a complete “walled garden” setup where ONLY specifically-whitelisted sites can be reached.


  7. Eric Wustrow

    The title of this post is incorrect – Telex is a proxy, and it does not provide anonymity. Rather, Telex is an anticensorship proxy.

  8. Anonymous

    Anonymous: What is to prevent an agency desirous of discovering people who use Telex from setting up Telex on their own servers and quickly identifying the users?

    Didier: The Telex station does not have to be in the country where the user is located and therefore it could be out of reach for the government of that user.

    But Chinese authorities could easily set up their own “fake” ISPs in whatever country they want and start intercepting traffic. That and the telltale client software make it a no go.

  9. Anonymous

    This is a bit useless as it stands and doesn’t even really seem to be new technology. Our firewall can do SSL proxy. Put it at the ISP and call it a Telex and what’s the difference.

    I agree with the above users that once the hostile country gets a hold of the software it becomes obsolete and jeopardizes all of the users. I’ve thought about it for a while and there has to be something unique to the client for this to work. Some kind of private key there as well that corresponds to a key on the telex. Then, an algorithm needs to be embedded in the server and client that rotates key pairs on a per client basis. It’s a lot more storage and processing but it’s safe unless the hostile country just barges over and invades the ISP.

  10. Anonymous

    Actually thinking further…this only works for a single server implementation. The difference is the rotating keys on the server…but if all servers have the same rotating key it is still “circumventable”. I don’t even know if it is possible, but the telex system would need to identify its traffic and then a network of telex devices would have to be built all with their own keys/algs and secure communication channels between them so that the telex client is redirected to the telex server that built that particular client and has the matching private. That way no two “Telex” will ever have the same private key and if your local telex goes down you can just get a client from another.

    Maybe we should just take a more direct route toward stopping global oppression?


  11. Anonymous

    In Iran, the government has decided to categorize all encrypted connections into legal and illegal ones. So all sorts of anti-censor software like this will not work unless their connections fit in the legal (white-list) part.
