Tearing Down China's Great Firewall
quadsoft writes to tell us The Toronto Star has a look at three University of Toronto computer geeks who are working hard to circumvent the internet censorship problems like those found in China. From the article: "But the computer smarts of Ron Deibert, Nart Villeneuve, and Michael Hull, combined with their passion for politics and free expression, have led them to develop a highly anticipated software program that allows Internet users inside China and other countries, such as Iran, Saudi Arabia and Burma, to get around repressive censorship and not get caught."
One link: http://tor.eff.org/
l and it doesn't describe something that's even as good as a plain old Squid proxy. Tor appears to be far, far, far safer.
I found http://www.third-bit.com/2004-fall/psiphon_ae.htm
(I live in Toronto. I want to go find these guys and slap them.)
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
[Fuck Beta]
o0t!
This software will require a client installed on each Chinese desktop? The existence of such a client will be against Chinese law and make you liable for fines, prison, beatings, etc. Another simple method for the Chinese Firewall staff is to simply set up their own proxy server, catch any IP address that connects from China and send the police around. If it's an individual put them in prison, if it's a company close the company, commandeer all the company's equipment and imprison the owners. There is no way this can work on a large scale.
TFA says that this does not require a local client install.
However since they are using encrypted traffic, I suspect their biggest threat would be identification of suspicious or unusual Internet traffic patterns. A Wi-Fi connection to an unsecured router could solve that problem.
The other concern would be government officials checking out the proxy server and determining its purpose. Since the approach is to send the server information to friends/family, one could set the server to only connect to certain MAC addresses, or add a hidden login feature amidst a misrepresentative website/server. At that point, they have to either catch you running it, or intercept the connection information.
I have lots of emails written in Farsi from and to Iran sitting on my US based mail server. None of them has been censored. And since phone calls are also made to and from Iran it's not like they've been censored with no one noticing.
Sure the phone calls probably get listened in on, but nothing is getting censored.
That's not how public/private key cryptography works. If it did, any script kiddie could grab the private key in transmission.
The reason the private key is called so is because it is never transmitted. It stays on the machine that came up with it.
Here's how it works, and we can assume both machines do the same thing for each other. One comp comes up with a private key and public key pair, where things encrypted with the public key can only be decrypted with the private key (and not with the public). Then, the machine can send the public key plaintext (or with some other form of encryption, which we can assume can be cracked much easier than the key pair cryptosystem we're using for the bulk of the data). The receiving machine uses the public key to encrypt its data and sends the encrypted data.
Now if we assume any transmitted data can be eavesdropped upon, the hacker has our public encryption key and the encrypted data... but he doesn't have the private encryption key! The data is useless to him! (Unless the key pair is weak, the data is weak, or the hacker has the hardware to brute force keys, but we'll assume the users are smart enough to avoid the first two and the cryptosystem uses a long enough key to make the last one futile.) The first computer gets the encrypted data and decrypts it with the private key.
A similar process, reversed, is used in certificates. They are encrypted with a private key, and the public key is made available. Assuming sufficient mechanisms are in place to assure that the public key does in fact belong to the original computer, any message decryptable with the public key shows that the message must have originated from the only legitimate computer with the private key.
I think you're blowing up a terminological inexactitude into more than it is. They used "private key" where they meant "shared symmetric secret key".
Also you shouldn't refer to signing and verification as "encryption" and "decryption" because they're semantically very different things. Both RSA encryption and RSA verification use the RSA public-key operation, but to be secure they must also use padding and the padding system for an encryption scheme will be different than that for a signature scheme. It's also bad to use the same key as an encryption and as a signing key.
As a last nitpick, AFAIK there are no PK systems for which brute force is the most effective attack. If such a scheme existed it could use really short keys, like the 128-bit keys used in symmetric cryptosystems. Every PK system I know of uses keys at least twice that length.
Xenu loves you!
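The exchange discussed in the two comments above, as an added example that is not part of the original thread: a toy RSA key pair showing that only the public key travels, that signing is a separate operation from encryption, and why unpadded RSA is unsafe to use directly. The primes, function names and the truncated-hash signing are assumptions of this sketch; hash-then-sign here is a simplified stand-in for a real padding scheme.

```python
# Added illustration with toy parameters; real keys are >= 2048 bits and real
# code uses a vetted library with OAEP (encryption) and PSS (signatures).
import hashlib

P, Q = 2**31 - 1, 2**61 - 1            # two known Mersenne primes (toy size)
N, E = P * Q, 65537                    # public key: may be sent in the clear
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: never leaves the owner

def encrypt(m: int) -> int:
    """Sender side: needs only the public key (N, E)."""
    return pow(m, E, N)

def decrypt(c: int) -> int:
    """Receiver side: needs the private exponent D."""
    return pow(c, D, N)

def sign_raw(m: int) -> int:
    """Unpadded 'textbook' signature: the private operation applied directly."""
    return pow(m, D, N)

def digest(msg: bytes) -> int:
    # Truncated SHA-256 so the value fits the toy modulus (assumption of this demo).
    return int.from_bytes(hashlib.sha256(msg).digest()[:8], "big")

def sign(msg: bytes) -> int:
    """Hash-then-sign, a simplified stand-in for a real scheme such as RSA-PSS."""
    return pow(digest(msg), D, N)

def verify(msg: bytes, sig: int) -> bool:
    """Anyone holding (N, E) can check a signature; making one requires D."""
    return pow(sig, E, N) == digest(msg)

def raw_signatures_multiply(a: int, b: int) -> bool:
    """Without padding, sig(a) * sig(b) is a valid signature on a * b."""
    return (sign_raw(a) * sign_raw(b)) % N == sign_raw((a * b) % N)

if __name__ == "__main__":
    c = encrypt(1234567890)
    print("ciphertext:", c, "-> decrypted:", decrypt(c))
    s = sign(b"constructed message")
    print("valid:", verify(b"constructed message", s),
          "tampered:", verify(b"constructed messagf", s))
    print("raw RSA is multiplicative:", raw_signatures_multiply(6, 7))
```

The multiplicative check is the reason padding matters: with the raw operation, two valid signatures combine into a third that the key owner never produced.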
"Occam's razor."
WTF? What does that have to do with this? Oh, right it doesn't.
"In this particular instance, we don't even need evidence..."
Ok, I get it now, you're an idiot troll. What a stupid thing to post.
No, encrypted communications do *NOT* look like just random bits. There are a few popular forms of encrypted communications on the Internet, such as SSH and HTTPS. Those have very specific formats indeed, and are easily identifiable to even a remotely intelligent traffic monitor. Encrypted email is even more identifiable: it's still email, it's still port 25 from one Mail Transfer Agent to another. Making the encrypted traffic look like something harmless is a whole different layer of complexity, and gets into steganography, which is a whole different art form.
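The point in the comment above, as an added example that is not part of the original thread: SSH, TLS (HTTPS) and SMTP all announce themselves in cleartext framing before any encrypted payload appears, so a monitor can label a flow from its first few bytes. The function name, labels and sample byte strings are constructed for this sketch.

```python
# Added illustration: classify a flow from its first bytes, the way a simple
# traffic monitor would. All sample inputs below are constructed.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2**14 + 2048          # largest record length TLS 1.2 allows

def classify(first_bytes: bytes) -> str:
    """Return a protocol label based only on cleartext framing."""
    # SSH: both sides open with an ASCII identification string "SSH-<ver>-...".
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # SMTP: the server greets with a plain-text 220 reply (FTP uses the same
    # code, so a real monitor would also look at the port).
    if first_bytes[:4] in (b"220 ", b"220-"):
        return "smtp"
    # TLS: 5-byte record header = type(1) | version(2) | length(2).
    if len(first_bytes) >= 5:
        ctype, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
        length = int.from_bytes(first_bytes[3:5], "big")
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and 0 < length <= MAX_TLS_RECORD):
            # Handshake message type 1 is ClientHello, sent before any key exists.
            if ctype == 22 and len(first_bytes) > 5 and first_bytes[5] == 1:
                return "tls-client-hello"
            return "tls-" + TLS_CONTENT_TYPES[ctype]
    return "unknown"

SAMPLES = {
    "ssh banner": b"SSH-2.0-ExampleServer_1.0\r\n",
    "smtp greeting": b"220 mail.example.org ESMTP\r\n",
    "tls hello": bytes.fromhex("1603010200010001fc0303"),
    "tls app data": bytes.fromhex("1703030045") + bytes(8),
    "opaque bytes": bytes.fromhex("9f3ac41e7b05d2688ce1f0a3574bb9d6"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} -> {classify(data)}")
```

Only the last sample, which has no recognizable framing, comes back as `unknown`; even the TLS application-data record, whose payload is ciphertext, is labelled from its five-byte header.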
Occam's Razor is not on your side here. Actively censoring email messages is a fairly blatant step which is easily detected. If it were happening, the word would be out.
Additionally, as someone who from time to time works on projects involving Iraq and Iran ("and a lot of other places") - including firsthand experience connecting to the internet, sending my own email messages, etc - I can assure you that I have never experienced any such thing nor have any of my colleagues. If this were so obvious and widespread as you imply, surely someone would have encountered it at some point.
"Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS