'Telex' system avoids censorship, say researchers


Technology designed to smuggle requests for access to anticensorship services out of countries that censor content has been announced by researchers.

'Telex' appears to create an encrypted tunnel to a sanctioned site, but uses public-key steganography to mark packets as Telex communications, US-based researchers announced on Monday.

"The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers," said University of Michigan researcher J Alex Halderman in a blog post. "We construct this tag using a mechanism called public-key steganography. This means anyone can tag a connection using only publicly available information, but only the Telex service (using a private key) can recognize that a connection has been tagged."

The technology requires sympathetic internet service providers to set up 'Telex stations' to monitor communications and redirect Telex-marked packets from sanctioned sites to anticensorship services such as proxies, or The Onion Router (Tor).

Once communications have been redirected, users can access content while appearing to be connected to the sanctioned site, using HTTPS.
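The tagging property Halderman describes (anyone can tag with public information, only the private-key holder can recognise the tag) can be sketched with a Diffie-Hellman exchange folded into a single field. This is an added illustration, not code from the Telex project: the toy group, the 48-byte field layout, the context string and all function names are assumptions. It shows only the asymmetric recognition step and does not attempt to make the tag indistinguishable from random header bytes.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions, not Telex's): a prime-field Diffie-Hellman
# group chosen for brevity, and a 48-byte field = 32-byte value + 16-byte MAC.
P = 2**255 - 19
G = 2
MAC_LEN = 16
FIELD_LEN = 32 + MAC_LEN

def station_keygen():
    """Return (private, public); only the public half is distributed."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _mac(shared, context):
    # Derive a MAC key from the shared DH value and bind it to the context.
    key = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    return hmac.new(key, context, hashlib.sha256).digest()[:MAC_LEN]

def make_tag(station_pub, context):
    """Client side: needs only the public key and per-connection context."""
    r = secrets.randbelow(P - 3) + 2          # fresh secret for every tag
    eph = pow(G, r, P)                        # sent in the clear
    shared = pow(station_pub, r, P)           # g^(x*r), never sent
    return eph.to_bytes(32, "big") + _mac(shared, context)

def recognize(station_priv, field, context):
    """Station side: True only for fields tagged for this private key."""
    if len(field) != FIELD_LEN:
        return False
    eph = int.from_bytes(field[:32], "big")
    if not 1 < eph < P - 1:                   # reject degenerate values
        return False
    shared = pow(eph, station_priv, P)        # same g^(x*r) as the client
    return hmac.compare_digest(_mac(shared, context), field[32:])

if __name__ == "__main__":
    ctx = b"198.51.100.7|1311033600"          # constructed sample context
    priv, pub = station_keygen()
    other_priv, _ = station_keygen()          # any party lacking priv
    tag = make_tag(pub, ctx)
    print("station recognizes tag:", recognize(priv, tag, ctx))
    print("other key recognizes tag:", recognize(other_priv, tag, ctx))
    print("untagged random field:",
          recognize(priv, secrets.token_bytes(FIELD_LEN), ctx))
```
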

Update 21-7-11: One of the researchers involved in the project, Eric Wustrow, responded to a series of email questions on Wednesday.

Q. What's to stop monitoring of Telex communications by the countries where ISPs have Telex stations?

A. Normally, Telex stations can see both the source and destination of Telex connections they proxy for. This means if you use Telex to access google.com, the Telex station will learn your IP address, and that you tried to access google.com. However, it is possible to use Tor, an existing anonymity-providing proxy (https://www.torproject.org), over a Telex connection. That way, the Telex station would only learn that you are using Tor, and not your ultimate destination.

Q. What's to stop repressive states from using ISPs in the country to advertise themselves as Telex stations? How can you keep a private key that has been divulged to certain ISPs private?

A. While a censor could certainly run their own Telex station, it is unlikely they would be able to obtain the required private key that would allow them to detect, decrypt, and block tagged connections. We discuss how to keep a shared private key secret on our Q&A page ( https://telex.cc/qa.html#private-key ). The short answer is that either a single entity ("Telex authority") needs to be responsible for only giving the private key to trusted Telex stations, or a Public Key Infrastructure (PKI) could be used to allow each station to generate their own private key.

Q. Surely any deep packet inspection has to compromise privacy to a certain extent?

A. ISPs already have the capability and technology to do deep packet inspection (DPI) on traffic that passes over them. Often times, ISPs will use DPI to help censor or block certain content. What Telex provides is a way to use DPI to promote anticensorship. There are some potential privacy concerns for Telex users, but again, using Telex to access Tor can help solve these issues. For non-Telex connections (i.e. normal HTTPS), running a Telex station at an ISP does not give the ISP any more information about those connections than it would have without a Telex station.


Tom Espiner


Talkback

  • Packet watermarks, deep packet inspection, QoS

    Marking packets (headers &/or the packet content) to authenticate & ensure data integrity as well as policy relating to packet flow and data streams is not new (even for this 2011 article). The "signatures" under current DPI are easily construed as "packet watermarks" and even the data to process pattern matching, content analysis/recognition, on the flow with existing "signatures" (&/or policy). To prevent labeling fraud, predetermined watermarks or even (for exchanges & others to build better heuristics & recognition) use of the encoding information (incl any "keys" or "credentials" used) could speed analysis. Router folk refused to incorporate policy until Government pushed and privacy protections weakened under ToS from "social media", "ISP", etc. That the industry developed in parallel with approaches to provide context to packet flow (eg meta-data, related flows, non-static analysis of packet flow) is equally measured by the poor explanation of actual DPI product and service reach. Not everyone wants to pay subscriptions to maintain other people's "policy"/"signature" databases. Bloom filters, self-similar comparators, and the like only go so far. Then again, not everyone will embrace more peering either.
    digitalshamen