by daten 5448 days ago
My concerns:

* "proxy-less" is a bad term; it sounds like they're still using a proxy, it's just using HTTPS encapsulation along the way to hide this from the first few hops.

* The participating entry-nodes (proxies?) could be systematically determined with a scanner for future blacklisting or investigation by someone trying to stop this circumvention of censorship.

* You have to trust the people running the entry nodes, if they have the key to decrypt your traffic. This sounds like a design that governments can use for monitoring.

2 comments

(I am one of the authors on the Telex paper.)

> * The participating entry-nodes (proxies?) could be systematically determined with a scanner for future blacklisting or investigation by someone trying to stop this circumvention of censorship.

The "entry nodes" are positioned at ISPs outside the censoring country. By assumption, they are on-path from the censor's network to popular Internet destinations that the censor has left untouched.

> * You have to trust the people running the entry nodes, if they have the key to decrypt your traffic. This sounds like a design that governments can use for monitoring.

This came up in our discussions pre-release, and we think it's an interesting feature of Telex. You're effectively able to select which government's Internet policy you'd like to live under.

> The participating entry-nodes (proxies?) could be systematically determined with a scanner

How, exactly? Measuring the run-time of packets and comparing to the expected run-time? I suspect this could be masked by the proxy, but I'm not sure.

> You have to trust the people running the entry nodes

You can encrypt the payload independently and then re-encrypt it for the HTTPS tunnel. But as with any proxy, they know the ultimate destination for your traffic, even if they can't get at the data itself.

If your path requires a participating station for the proxy-connection to succeed, just measure successful and unsuccessful proxy-connections against different network paths and logically determine which paths have participating nodes and which don't. Compare the results and expand your search until you narrow down which hops in your path are required for a success.