
Anticensorship in the Internet's Infrastructure - wglb
https://freedom-to-tinker.com/blog/jhalderm/anticensorship-internets-infrastructure
======
lifeisstillgood
Is it just me or does this smack of security by obscurity - as long as the
great firewall of China/Iran/Whomever does not recognise the packets are
hiding the real destination in their headers, then they will let the packets
pass and anonymous surfing can continue.

But somehow the telex station does, without initially decrypting every packet.
So I guess the arms race will be a short one as whatever telex uses as a
decrypt me signal will be replicated.

Unfortunately, and rather ironically, my client's proxy is blocking telex.cc
so I cannot read any details on the steganography.

~~~
Kliment
From telex.cc:

How does the client tag connections?

When establishing a normal HTTPS connection, the client sends a random number
(called the ClientHello nonce). To create a Telex connection, the client
replaces this number with what we call a tag — essentially, an encrypted value
that looks random until it's decrypted. Decrypting Telex tags requires a
private key contained in Telex stations. Since the censor doesn't have this
key, it can't tell the difference between tags and the random numbers used in
normal connections.

In addition to marking connections that are requests for anticensorship
service, Telex tags convey information that allows Telex stations to decrypt
the secure HTTPS connection that the client establishes with the
non-blacklisted destination website. This lets the Telex station replace the
contents of the connection with data from a blacklisted site.
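
An added illustration of the tagging idea quoted above (not part of the thread and not Telex's actual construction): a toy Diffie-Hellman tag packed into a 32-byte nonce that only the holder of the station's private key can recognise. The group parameters, the `context` string and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions): stdlib-only and far too small for real use.
P = 2**127 - 1   # Mersenne prime used as the Diffie-Hellman modulus
G = 3            # base element

def keygen():
    """Station key pair: private exponent d and public value G^d mod P."""
    d = secrets.randbelow(P - 2) + 1
    return d, pow(G, d, P)

def _mac(shared, context):
    """16-byte check value keyed by the Diffie-Hellman shared secret."""
    key = shared.to_bytes(16, "big")
    return hmac.new(key, context, hashlib.sha256).digest()[:16]

def make_tag(station_pub, context):
    """Client side: build 32 bytes to send in place of the random nonce."""
    r = secrets.randbelow(P - 2) + 1
    point = pow(G, r, P)                  # ephemeral public value, < 2**127
    shared = pow(station_pub, r, P)       # secret only the station can recompute
    point |= secrets.randbits(1) << 127   # randomise the otherwise-zero top bit
    return point.to_bytes(16, "big") + _mac(shared, context)

def is_tagged(station_priv, nonce, context):
    """Station side: True only if the nonce is a tag made for this key."""
    if len(nonce) != 32:
        return False
    point = int.from_bytes(nonce[:16], "big") & P   # drop the random top bit
    shared = pow(point, station_priv, P)
    return hmac.compare_digest(_mac(shared, context), nonce[16:])

if __name__ == "__main__":
    priv, pub = keygen()
    ctx = b"constructed-connection-context"   # sample value, not from the page
    tag = make_tag(pub, ctx)
    print("tag bytes:      ", tag.hex())
    print("station key:    ", is_tagged(priv, tag, ctx))
    print("some other key: ", is_tagged(keygen()[0], tag, ctx))
    print("ordinary nonce: ", is_tagged(priv, secrets.token_bytes(32), ctx))
```

An observer without the private exponent cannot recompute the shared secret, so it has no way to run the check that separates a tag from an ordinary nonce.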

------
xtacy
Interesting idea. The approach assumes that the only way governments censor is
by inspecting destination IP addresses (or DNS, etc.), which may be true for
some countries, but not others. If the censoring government were to operate a
huge TLS proxy, then I can imagine an ISP doing a Telex-stripping attack that
downgrades the tagged-TLS connection to a normal one. I think this can be
detected...

~~~
Kliment
The whole idea of it is that it looks indistinguishable from a normal https
connection. You could perhaps detect it by requesting the same page yourself,
and comparing the size of the data, but with things like sessions and dynamic
content this too would fail.

