Telex: Deep Packet Inspection for Good
Tunneling is likewise limited in its scope, as censors are constantly compiling lists of new proxy servers to block. Moreover, it is difficult to broadcast information about proxy servers without alarming/alerting the censors; individuals seeking to evade censorship are likely to come by information of these “tunnels” by means easily accessible to any tech-savvy censor.
Telex’s major development is the absence of any easily identifiable, and therefore blockable, entry site. Users download the Telex application and, when they want to visit a blocked website, utilize the application to establish an HTTPS connection to non-censored sites
First, the user routes their traffic to a site that has a Telex enabled router between it and the user. If Telex is embraced by ISPs within anti-censorship countries, like Germany, the Netherlands or the United States, this means any SSL connection that goes through these websites will become an instant anti-censorship beacon. SSL is commonly used for online banking, commercial transactions, as well as email and other communication mechanisms. To our knowledge at Herdict, no country has permanently blocked all HTTPS sites.
Using the Telex software, the user generates a cryptographic tag to put in the headers of packets to normal SSL sites. Using deep packet inspection, the Telex router finds each tagged packet. Deep packet inspection, which is a method that allows an ISP to see the destination and content of a user’s traffic, is often used for evil, i.e. censorship or filtering. However, in the proposed Telex structure, it’s used for good.
As Timothy B. Lee from Ars Technica writes,
“The system accomplishes this using a clever tweak to the TLS handshake that occurs whenever a browser initiates an encrypted Web connection. One of the steps in that handshake requires the client to choose a random bit string known as a “nonce.” If a client wants Telex to redirect the connection, it uses Telex’s public key to generate a steganographic “tag.” The tag format is carefully chosen so that someone who knows the Telex private key will be able to recognize the tag efficiently—but no one else will be able to distinguish it from a random string.”
The Telex software on the ISP-side (in another country) routes these tagged packets to TOR or a proxy/tunneling site. The end-to-middle proxy scheme cuts down on the lag time and the possibility of a censorship regime blocking proxies.
Telex currently is in its proof of concept phase, so there are technical issues that will have to be resolved. Currently, more testing is needed for Telex connections to mimic the behavior of normal SSL browsing, so that countries can’t detect Telex users. Similarly, Telex only currently supports a single SSL site to access blocked site through, which could also tip off countries that are used to monitoring Internet access.
There are also wider implementation issues. In order for it to be effective, Telex-enabled routers would have to exist upstream of most to all connections in a country. Also, wide spread implementation would probably depend on Western governments mandating usage by ISPs, due to costs and political implications. We look forward to seeing whether Telex can move from proof of concept to reality.
About the Author: Kendra Albert
Kendra Albert is an instructional fellow at the Cyberlaw Clinic.
