Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Haystack Q&A

Behdad Esfahbod behdad at
Thu Sep 2 09:50:35 PDT 2010

And if people haven't seen it yet, here is Evengy Morozov's take on Haystack:


On 08/30/10 18:36, Steve Weis wrote:
> Hello. I have been following Haystack a bit and subscribed to
> liberationtech to see this response. My interest is as a cryptographer
> and security engineer. I requested technical information about
> Haystack and was declined. At this point, I have seen no meaningful
> details nor know of any other researchers or security professionals
> who vouch for it.
> I have read two justifications why the client software is being kept
> secret. The first is that publishing the client would reveal their
> methods of circumventing filters. The second, from this response, is
> that it would cause a surge in traffic and overwhelm their server.
> In the first case, expecting client software to remain secret is
> naive, especially when dealing with persistent and well-funded
> adversaries. If security hinges on there being no leaked copies and no
> compromised users, then the game is over. As is the case in general,
> if Haystack connects to a known set of servers or has a distinct
> traffic pattern, running it could make it easier to identify and
> target users.
> As for the claim that releasing the client would overwhelm their
> network with traffic, certainly you could require authentication and
> distribute anonymous access credentials to the end users. If the
> system is that fragile and centralized, how do you prevent the
> adversary from conducting a denial of service attack? It's a losing
> game if you are relying on the location of that server being kept a
> secret.
> Even if we concede that the clients will not be released publicly and
> the source remains closed, it would be prudent to have independent
> experts audit the system design and implementation. It is easy to
> incorrectly implement cryptography and create vulnerabilities. Any
> remote exploits in the client would also be a significant risk.
> I hope that more details will be forthcoming.
> On Fri, Aug 27, 2010 at 11:57 AM, Leila Zia <leilaz at> wrote:
>>   My first e-mail to Austin went only to him and not the list. as a result,
>> his reply to me came only to me, not the list. I am sending you all the
>> reply since couple of you asked. Sorry about the confusion and the delay. I
>> was away from internet for couple of days.
>> Best,
>> Leial
>> Austin's reply:
>> Haystack is *not* available for wide spread distribution in the slightest.
>> We work with a hand-picked (and friend-of-friend,
>> friend-of-friend-of-friend) network of Iran-focused activist groups --
>> generally people one of the members of our team know or trust in real life.
>> If we were to post Haystack online right now, our network would be crushed
>> with demand.
>> Being an all volunteer organization and still having to pay for our
>> bandwidth, fundraise, etc makes it very difficult to meet the huge demand
>> there is for anti-censorship software in Iran.
>> Additionally, our network is locked down to only accept connections from the
>> IP blocks registered to Iran. That way, if a copy gets out, our resources
>> won't be drained by those in other countries looking to mask their
>> activities online.
> _______________________________________________
> liberationtech mailing list
> liberationtech at
> Should you need to change your subscription options, please go to:

More information about the liberationtech mailing list