2011-wustrow-telex
findings extracted from this paper
-
On a single 2.93 GHz Intel Core 2 Duo CPU core, the Telex elliptic-curve tagging scheme achieves approximately 5,482 tag generations per second and 11,074 tag verifications per second across 10 trials of 100,000 tags each (standard deviations of 0.016 s and 0.0083 s respectively). Tag verification is therefore unlikely to be a throughput bottleneck in a deployed Telex station.
-
Telex embeds steganographic tags in TLS ClientHello nonces using elliptic-curve Diffie-Hellman, placing proxy stations at ISP level on paths between the censor's network and popular uncensored destinations. Because the cover destinations are ordinary popular HTTPS websites, the censor cannot block Telex without simultaneously blocking a large class of legitimate TLS traffic — converting the censor's own reluctance to over-block into an unblockability guarantee.
-
A PlanetLab node in Beijing successfully loaded all 100 Alexa top-100 websites through a prototype Telex station at the University of Michigan; without Telex, 17 of the 100 sites were blocked (including facebook.com, youtube.com, blogspot.com, and twitter.com from the top 10), using forged RST packets, false DNS results, and destination IP blackholes. The median latency overhead for routing through Telex was approximately 60% for the 83 unblocked sites.
-
Telex prevents tag replay attacks by seeding the client's TLS key exchange randomness (e.g., the Diffie-Hellman exponent) with the shared secret ksh derived from the steganographic tag. The TLS Finished message must then be freshly encrypted with the newly negotiated master secret, implicitly proving knowledge of ksh. An adversary replaying a captured ClientHello nonce without knowing ksh cannot produce a valid Finished message, causing the server to terminate the connection.
-
The paper identifies two unresolved fingerprinting surfaces: (1) traffic-shape analysis of packet sizes and inter-arrival times could distinguish Telex flows from normal TLS, and (2) the prototype exhibits detectable deviations from real servers at the IP layer (stale IP ID fields), TCP layer (incorrect congestion windows detectable by early acknowledgements), and TLS layer (different compression methods and cipher-suite extensions). Convincingly mimicking a diverse population of TCP/TLS server implementations is flagged as requiring substantial engineering effort.