Telex - A Radical New Approach to Bypass Security

Published: 2011-08-14
Last Updated: 2011-08-14 22:59:18 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

This radical new process was presented at the USENIX Security Symposium last Friday and according to its authors has the potential to turn the entire web into a giant proxy server. "Telex is markedly different from past anticensorship systems, making it easy to distribute and very difficult to detect and block."[1]

This is still a concept rather than a full production system but so far the tests conducted with proof-of-concept software by the researchers had encouraging results. According to the Telex website, "The client secretly marks the connection as a Telex request by inserting a cryptographic tag into the headers. We construct this tag using a mechanism called public-key steganography. This means anyone can tag a connection using only publicly available information, but only the Telex service (using a private key) can recognize that a connection has been tagged."[1]

In order for Telex client to reach a blocklisted site, it needs to use a ISP Telex station that holds a private key that recognize the client Telex connections, decrypt the data and divert the connection to an anti-censorship service such as proxy servers or Tor to access the blocked site. The end result is an encrypted tunnel between the Telex client and an ISP station reaching any sites on the Internet.

A paper published by computer science researchers at The University of Michigan and Waterloo is available here. For updates, source code and an online demonstration, visit their website.[2]

If Telex works as advertized, it has the potential of bypassing current technologies deployed in an organization. How can we prevent a client from accessing this friendly ISP station? Application whitelisting might work, another option might be finding and blocking "friendly ISP" but seems like an impractical proposition. What else do you think could be done to prevent a Telex client from leaving a corporate network to access a Telex ISP station?



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Keywords: Proxy Telex
3 comment(s)


It looks like this requires at least one confederate ISP along the route in order to work. This is something that can't work without an initial higher level of participation than, for example, TOR. If they can get the support, then I suppose it will work. Also, I wonder if a government run ISP that becomes a Telex node would be able to somehow break the solution.

As far as protecting our own networks from this sort of thing, we just have to keep tabs on what software is installed and run on our end user systems using current technologies.
Reading the website and skimming the FAQ, it seems like in order to tag the connection the clienthello nonce is used by substituting an encrypted value instead of a random value. So it seems like (at first glance) you aught to be able to do something with a ssl proxy to sanitize the nonces before they go out.
I would think that if a censoring agency has white-listed a site, they would have really good activity metrics and it would be a relatively straightforward process of identifying connections that fall outside the norms...

It is a clever idea and tech companies looking towards China could see it as an inexpensive way of circumventing government censorship. Google, Microsoft, Yahoo, etc. could all quietly sponsor a handful of these Telex Stations and jump start the project.

Diary Archives