New system could make censorship of Internet sites virtually impossible
Chinese citizens could once again enjoy LOL Cats on YouTube - as well as content critical of the communist government - if a new system developed by researchers at the University of Michigan (U-M) and the University of Waterloo (UW) in Canada were implemented. The researchers claim the system, called Telex, would thwart Internet censorship and make it virtually impossible for a censoring government to block individual sites by essentially turning the entire web into a proxy server.
Those looking to circumvent site blocks can currently route requests through a proxy server that acts as an intermediary between clients and blocked servers. But censors can monitor the content of traffic across the whole network, so they are eventually able to find and block the proxy too.
"It creates a kind of cat and mouse game," said J. Alex Halderman, assistant professor of computer science and engineering at U-M who was explaining this to his computer and network security class when he first hit upon the idea of tackling the problem in a different way.
The system he developed with his colleagues would first require users to install Telex software on their computer that Halderman says could be downloaded from an intermittently available website or borrowed from friends. ISPs outside the censoring nation would also need to deploy equipment called Telex stations.
When a user wanted to visit a blacklisted site, they would first establish a secure connection to any HTTPS password-protected website that isn't blocked. This connection acts as a decoy, and the Telex software marks it as a Telex request by inserting a secret-coded tag into the page headers. The tag relies on a cryptographic technique called "public-key steganography."
"Steganography is hiding the fact that you're sending a message at all," Halderman said. "We're able to hide it in the cryptographic protocol so that you can't even tell that the message is there."
The user's request would then pass through routers at various ISPs, some of which would be Telex stations. Each station holds a private key that lets it recognize tagged connections from Telex clients, and it would divert those connections so that the user could reach any site on the Internet. Because the requests must pass through a Telex station, the system needs large segments of the Internet, in the form of participating ISPs, to take part.
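The recognition step described above, as an added illustration that is not the Telex project's own code (the article does not show any): a station holds a long-term private key, and the client derives a tag from a Diffie-Hellman shared secret with the station's public key and embeds the tag, together with its ephemeral public value, in a handshake nonce field. Only a holder of the private key can tell the tagged nonce from random bytes; a second station with a different key, or a censor with no key, learns nothing. The finite-field group (RFC 3526 group 14), the HMAC-based tag derivation, the function names, and treating the nonce as an arbitrary-length carrier are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Finite-field Diffie-Hellman parameters: the 2048-bit MODP group of RFC 3526
# (group 14), generator 2. Used here as a stdlib-only stand-in; the page does
# not describe the real Telex tag format beyond "public-key steganography".
_P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(_P_HEX, 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8   # 256 bytes for a group element
TAG_BYTES = 16                           # truncated HMAC output (assumed size)


def station_keygen():
    """Telex station: private key s, public key g^s (shipped inside the client software)."""
    s = secrets.randbelow(P - 3) + 2
    return s, pow(G, s, P)


def _tag_from_shared(shared):
    # Tag = HMAC over the shared secret with a fixed label (label is an assumption).
    key = shared.to_bytes(KEY_BYTES, "big")
    return hmac.new(key, b"telex-tag-v0", hashlib.sha256).digest()[:TAG_BYTES]


def client_tagged_nonce(station_pub):
    """Client side: ephemeral r; carrier = g^r || HMAC(Y^r), where Y is the station key."""
    r = secrets.randbelow(P - 3) + 2
    ephemeral = pow(G, r, P)
    shared = pow(station_pub, r, P)
    return ephemeral.to_bytes(KEY_BYTES, "big") + _tag_from_shared(shared)


def plain_nonce():
    """An ordinary, untagged client: random bytes of the same length as a tagged carrier."""
    return secrets.token_bytes(KEY_BYTES + TAG_BYTES)


def station_recognizes(station_priv, nonce):
    """Station side: recompute the shared secret from g^r with s and compare tags in constant time."""
    if len(nonce) != KEY_BYTES + TAG_BYTES:
        return False
    ephemeral = int.from_bytes(nonce[:KEY_BYTES], "big")
    if not 1 < ephemeral < P - 1:
        return False                     # reject values outside the group
    shared = pow(ephemeral, station_priv, P)
    return hmac.compare_digest(_tag_from_shared(shared), nonce[KEY_BYTES:])


def station_route(station_priv, client_hello):
    """Model of the in-path decision: divert recognized flows, pass everything else untouched.

    client_hello is a constructed dict {"sni": decoy hostname, "nonce": carrier bytes},
    not a real TLS ClientHello.
    """
    if station_recognizes(station_priv, client_hello["nonce"]):
        return "divert-to-telex-proxy"
    return "forward-to:" + client_hello["sni"]


if __name__ == "__main__":
    s, y = station_keygen()
    tagged = {"sni": "decoy.example", "nonce": client_tagged_nonce(y)}
    normal = {"sni": "decoy.example", "nonce": plain_nonce()}
    print(station_route(s, tagged))      # divert-to-telex-proxy
    print(station_route(s, normal))      # forward-to:decoy.example
```

One caveat worth keeping in mind when reading this model: a real TLS ClientHello random is only 32 bytes, so a 256-byte group element would not fit, and a raw finite-field element is not perfectly uniform, so a censor could in principle test whether the "random" field is a valid group encoding. A deployable scheme needs a compact public value whose encoding is indistinguishable from random bytes; the example above deliberately leaves that out and only demonstrates the private-key-gated recognition.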
"It would likely require support from nations that are friendly to the cause of a free and open Internet," Halderman said. "The problem with any one company doing this, for example, is they become a target. It's a collective action problem. You want to do it on a wide scale that makes connecting to the Internet almost an all or nothing proposition for the repressive state."
The researchers say they are at the proof-of-concept stage and have developed software for researchers to experiment with. They've also put up a Telex station on a mock ISP in their lab and have been using it for daily browsing for the past four months. They've also tested it with a client in Beijing who was able to stream videos from YouTube even though the site is blocked there.
"This has the potential to shift the arms race regarding censorship to be in favor of free and open communication," said Halderman. "The Internet has the ability to catalyze change by empowering people through information and communication services. Repressive governments have responded by aggressively filtering it. If we can find ways to keep those channels open, we can give more people the ability to take part in free speech and access to information."
The U-M and UW researchers will present their paper on Telex at the USENIX Security Symposium in San Francisco on August 12.
Firstly, clients (browsers) don't send pages, they retrieve them from the server. The server certainly isn't going to insert a tag.
I could believe the client could include a request header. However, to include a request header over an SSL connection would require these "telex" machines to be able to see the unencrypted data. This suffers from the same problem any proxy finds when snooping on SSL, including having to on-the-fly generate spoofed certificates (that are trusted by the client) to mimic the real site's certificate. At best there will be countless certificate warnings for clients, but I guess that's no big issue.
What is more likely is that the client overloads something into the SSL/TLS negotiation protocol, before any crypto is even set up.
Keep in mind that any intermediate keeping track of this exchange needs to be in the middle of both forward and reverse routing paths, which is not actually that common on the internet backbones. Packets from A->B commonly traverse different routes than B->A, so this won't work in those cases.
As for the claim of making it impossible to censor, that's patently incorrect. Using the same techniques, such ploys could be observed and blocked (and worse).
Citizens of obviously repressive states will of course have strong tools for change with an internet that is impossible to censor. That alone is enough reason to want it. In addition, I do not trust that no other institutions, like seemingly "free countries", might want to try their influence, which, even if it was to be in good will, is a wrong thing to do.
There is of course lots of bad stuff on the net that I would prefer was not there, but the same is the case, in varying degrees, no matter where in society you look. Cleaning up one arena, if that was possible, only would create a false sense of security. Protection against bad stuff cannot be achieved by filtering the World. It must be achieved by learning to cope and trying to change the World into something better. Censorship of information makes nothing better, no matter what the intention is.
There is and will be a legitimate need to offer some controls and restraints over what systems are able to connect to what sites. There will need to be some extra thought put in so sites can securely self identify and it can be electronically determined if access is acceptable.
So this is great technologically, but in the near future, considering the direction we've been moving in, this won't be as helpful as the article title and image made it seem to me at first.