DEFENSES
Telex
Original decoy-routing scheme; subsumed by Refraction Networking.
1 paper on file
17 findings tagged here
- For Iran, a greedy cumulative-coverage analysis over 22,799 resolver-to-uncensored-AS paths shows that the top 5 ASes cover 59% and the top 10 ASes cover 76.6% of all DNS resolution paths. AS3257 (GTT Communications) and AS174 (Cogent Communications) each appear in approximately 15.7% of paths and contribute nearly all their usage as unique (non-overlapping) paths.
- Prior decoy routing deployments suffered severe throughput degradation: the TapDance ISP pilot reported average client throughput of only ~5 KB/s, making it unsuitable for most web content; other DR prototypes restricted evaluation to files under 1 MB in controlled lab settings, with some reporting over 30 seconds to load home pages under 1.5 MB in size.
- Between 80% and 90% of internet routes are asymmetric, with only about 10% of flows symmetric in Tier-1 (backbone) networks and roughly 70% symmetric at the network edge. This asymmetry makes decoy routing systems that require relay stations on both the upstream and downstream paths impractical for the majority of real-world deployments.
- Router-level mapping of the 30 key ASes reveals that 11,709 individual routers must be replaced with Decoy Routers (non-censorious ASes only), at a hardware cost exceeding $10.3 billion USD. Individual large ASes require hundreds to over 1,600 router replacements (e.g., AS3356 needs 576, AS209 Qwest Communications needs 1,662). Even targeting the weakest adversary studied, Syria (containable by 3 ASes at the AS level), requires 1,117 DRs.
- Through Internet-scale BGP simulation against China, downstream-only decoy routing (Waterfall) with a single decoy AS provides the same resistance to routing attacks as a traditional upstream decoy system (e.g., Telex) with 53 decoy ASes. This efficiency gain arises because a censoring ISP can selectively re-route upstream traffic per destination, but must re-route either all or none of its downstream traffic through each provider AS, making downstream-only routing far more expensive to evade.
- Table 1 shows Slitheen is the first decoy routing system to simultaneously defend against latency analysis, website fingerprinting, and protocol fingerprinting attacks, while also resisting TCP replay and Crazy Ivan active attacks. This security is achieved at the cost of requiring symmetric flows and inline blocking (requirements previously considered prohibitive), which the authors argue are increasingly met by commercial DPI traffic-shaping appliances (e.g., Sandvine) already deployed by ISPs.
- Asymmetric IP routing is a fundamental constraint on prior E2M designs: tier-2 ISPs typically see around 25% of packets on asymmetric paths, while tier-1 ISPs can have up to 90% of packets on asymmetric flows. Because Telex requires observing both directions of a connection to derive the client-server TLS master secret, this asymmetry severely constrains where it can be deployed. TapDance resolves this by using chosen-ciphertext steganography to leak the master secret from client to station in a single upstream packet, making it functional under fully asymmetric routing.
- All three prior end-to-middle (E2M) schemes (Telex, Cirripede, and Decoy Routing) require an inline flow-blocking component at the participating ISP, which adds latency, introduces a single point of failure, and may violate carrier SLAs. In private discussions with ISPs, the authors found that despite willingness to assist Internet freedom technically and financially, none were willing to deploy existing E2M technologies due to these operational impacts. TapDance removes the inline blocking requirement entirely, requiring only a passive tap and packet-injection capability.
- Replacing Telex's original stego-tagging with the IBST scheme and using time periods as identities achieves eventual forward security with arbitrarily short rotation intervals. The key material a client needs after a master-key rotation is only the new master public key ('a few hundred bytes'), small enough to fit in covert channels such as steganographic images, avoiding the original Telex design's problem of large bundled key sets expiring before a client updates its software.
- The paper proves that immediate forward security is impossible for Telex-like decoy-routing systems. The Telex station must decide whether to treat a connection as a Telex request after the first client message, using only received messages and its long-term key; an eavesdropper who stores all network traffic can therefore replay the station's entire view once it compromises the station's long-term key, retroactively decrypting all sessions.
- A warden can fingerprint the specific covert destination a Telex user is visiting by comparing observed latency distributions against a pre-built database of covert-destination latencies. With an intelligently filtered database of only 10 distributions (K-S inter-entry threshold 0.8), the AUC is 0.868, and with approximately 12 collected samples the false positive rate drops below 10%. Larger databases (size 50) degrade to AUC 0.537 due to distribution similarity, but threshold-based filtering restores substantial discriminative power.
- A passive timing attack using the Kolmogorov-Smirnov test on connection latency distributions reliably distinguishes Telex users from honest hosts: K-S scores against the overt destination max out at 0.26, while scores against covert destinations (even those within 10 ms of the Telex station) range from 0.3–1.0, with a median of 0.7 for nearby servers and 1.0 for Alexa top-100 sites. The attack is effective even for clients 50–250 ms from the Telex station, with no K-S score below 0.26 observed across 40 PlanetLab hosts.
- On a single 2.93 GHz Intel Core 2 Duo CPU core, the Telex elliptic-curve tagging scheme achieves approximately 5,482 tag generations per second and 11,074 tag verifications per second across 10 trials of 100,000 tags each (standard deviations of 0.016 s and 0.0083 s respectively). Tag verification is therefore unlikely to be a throughput bottleneck in a deployed Telex station.
- Telex embeds steganographic tags in TLS ClientHello nonces using elliptic-curve Diffie-Hellman, placing proxy stations at ISP level on paths between the censor's network and popular uncensored destinations. Because the cover destinations are ordinary popular HTTPS websites, the censor cannot block Telex without simultaneously blocking a large class of legitimate TLS traffic, converting the censor's own reluctance to over-block into an unblockability guarantee.
- A PlanetLab node in Beijing successfully loaded all 100 Alexa top-100 websites through a prototype Telex station at the University of Michigan; without Telex, 17 of the 100 sites were blocked (including facebook.com, youtube.com, blogspot.com, and twitter.com from the top 10) using forged RST packets, false DNS results, and destination IP blackholes. The median latency overhead for routing through Telex was approximately 60% for the 83 unblocked sites.
- Telex prevents tag replay attacks by seeding the client's TLS key exchange randomness (e.g., the Diffie-Hellman exponent) with the shared secret ksh derived from the steganographic tag. The TLS Finished message must then be freshly encrypted with the newly negotiated master secret, implicitly proving knowledge of ksh. An adversary replaying a captured ClientHello nonce without knowing ksh cannot produce a valid Finished message, causing the server to terminate the connection.
- The paper identifies two unresolved fingerprinting surfaces: (1) traffic-shape analysis of packet sizes and inter-arrival times could distinguish Telex flows from normal TLS, and (2) the prototype exhibits detectable deviations from real servers at the IP layer (stale IP ID fields), the TCP layer (incorrect congestion windows detectable by early acknowledgements), and the TLS layer (different compression methods and cipher-suite extensions). Convincingly mimicking a diverse population of TCP/TLS server implementations is flagged as requiring substantial engineering effort.