This is actually old news; Haystack was shut down permanently about two weeks ago, shortly after I read about it. However, this has been nagging me ever since, so I’ll write it down anyway, just to get it out of my head.
The thing that struck me the most about the articles I read about Haystack is that, although some people have questioned the strength of its crypto, no one pointed out what seems obvious to me:
Haystack cannot possibly work, for reasons which have little to do with cryptography.
I am not an expert, and my knowledge of Haystack is limited to what Jillian York, Evgeny Morozov and a few others have written. I would have been interested to see what Bruce Schneier made of it, but all he’s said is basically “I don’t know enough about it to comment, but go read what Jillian York and Evgeny Morozov have to say about it”. Still, here is a brief summary of my thoughts about Haystack.
[If you’re not already familiar with the basics of cryptography and infosec, I recommend reading Neal Stephenson’s novel Cryptonomicon, which is a highly entertaining way to learn about them. If you have a copy of Dan Brown’s Digital Fortress, or any novels by Tom Clancy, John Grisham etc. that mention the use of cryptography, burn them; they’re not just inaccurate, they’re pure fantasy and describe systems which are either trivially breakable or provably impossible.]
First, my personal opinion of Heap et al. is that they are essentially clueless. Although I can’t find a direct quote, I recall that Bruce Schneier once said that he regretted writing his seminal work, Applied Cryptography, because it gave people who do not understand information security the idea that it was just a small matter of programming. That’s exactly what I think of Heap. Perhaps he’s even read Applied Cryptography.
Haystack is supposedly based on steganography. Steganography works just fine under the right circumstances, but it is a very low-bandwidth communication channel. To successfully hide a message, you need a lot of covertext; or, to put it in other terms, to successfully hide a needle, you need a haystack. That’s fine when the message you’re transmitting is short (e.g. “BEGIN ATTACK ON PEARL HARBOR AT 06:00 TOMORROW” or a tweet), but not when it is, say, a Skype conversation. Let’s use the photo on Jillian York’s blog as a unit of measure; call it a jill. A single second of compressed audio might require two or three jills, at the very least. A copy of this blog post, with all the HTML and CSS frills: around ten or twenty jills. A copy of Haystack: several kilojills (I’m guessing, since I don’t have a copy of Haystack, but my guess is in the low end of the range for a program of that complexity).
Think about it: a typical residential broadband connection in the US or Western Europe can transfer about one jill per second. What kind of bandwidth do these Iranian dissidents have available? I don’t know, but my guess is: a lot less. If Haystack’s steganography is effective, it cannot handle a Skype conversation, even a voice-only one.
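To put numbers on the covertext cost, here is an added example (not Haystack's code, whose actual scheme is unknown to me) of textbook least-significant-bit embedding. The `stride` parameter, the sample cover buffer and the 3000 bytes/s voice rate are assumptions made for illustration.

```python
# Added illustration: LSB steganography over a byte buffer (assumed scheme, not Haystack's).
HEADER_BITS = 32  # 4-byte big-endian length prefix so the receiver knows where to stop

def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def cover_bytes_needed(payload_len: int, stride: int = 1) -> int:
    """Cover bytes consumed when one payload bit is hidden in every stride-th byte."""
    return (HEADER_BITS + 8 * payload_len) * stride

def embed(cover: bytes, payload: bytes, stride: int = 1) -> bytes:
    """Overwrite the low bit of every stride-th cover byte with the framed payload."""
    needed = cover_bytes_needed(len(payload), stride)
    if needed > len(cover):
        raise ValueError(f"cover too small: need {needed} bytes, have {len(cover)}")
    framed = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i * stride] = (stego[i * stride] & 0xFE) | bit
    return bytes(stego)

def extract(stego: bytes, stride: int = 1) -> bytes:
    """Read the length prefix, then that many payload bytes, from the low bits."""
    def read(first_bit: int, nbytes: int) -> bytes:
        bits = [stego[(first_bit + k) * stride] & 1 for k in range(8 * nbytes)]
        return bytes(int("".join(map(str, bits[j:j + 8])), 2)
                     for j in range(0, len(bits), 8))
    length = int.from_bytes(read(0, 4), "big")
    return read(HEADER_BITS, length)

def cover_rate(payload_bytes_per_s: int, stride: int = 1) -> int:
    """Cover bytes per second needed to carry a continuous payload stream."""
    return payload_bytes_per_s * 8 * stride

MESSAGE = b"BEGIN ATTACK ON PEARL HARBOR AT 06:00 TOMORROW"
COVER = bytes(range(256)) * 16  # constructed stand-in for 4096 bytes of image data

if __name__ == "__main__":
    assert extract(embed(COVER, MESSAGE)) == MESSAGE
    print("short message:", len(MESSAGE), "bytes ->",
          cover_bytes_needed(len(MESSAGE)), "cover bytes at stride 1")
    # Assumed 3000 bytes/s compressed voice stream, hidden sparsely to resist detection.
    print("voice stream :", cover_rate(3000, stride=10), "cover bytes/s at stride 10")
```

Even the densest setting costs eight cover bytes per hidden byte, and spreading the bits out to make them harder to spot multiplies that again, which is why a short message fits comfortably and a live voice stream does not.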
Furthermore, a Skype client transmits about as much as it receives, while a typical web session transmits very little data and receives a lot. A typical web browser will transmit about two millijills to request a copy of your photo; that’s a 1:500 ratio. Even if a Haystack user has enough bandwidth to carry on a Skype conversation, it would stick out like a sore thumb.
(How the hell did they expect to generate all that innocuous traffic, by the way? I won’t even speculate.)
This brings me to my next argument. Haystack seems to be based on the assumption that Iranian censors aren’t looking for it, or anything else like it. This is infosec fallacy #1: that security is a product, something you can buy and install and you’re good. It’s not. Security is a process, and a continuous process at that. The opposition will adapt, so you must too.
Heap allegedly had a copy of the operating manual for Iran’s internet filter; if so, Haystack was presumably designed to circumvent what that document described. I wonder if it ever occurred to them to question the document’s authenticity, accuracy and completeness.
Haystack has been so widely publicized that if it had gone into production, so to speak, Iranian authorities would most definitely have started looking for it. Actually, if their techs and spooks are any good, they’re already looking—not for Haystack in particular, not even for that type of tool in general, but for suspicious-looking communication patterns. This is called traffic analysis. It doesn’t matter if they can’t figure out what’s being said; I get the impression that they’re not hampered by western notions of due process of law, so anyone who generates suspicious traffic patterns might just disappear, and reappear a few days later with a lot of bruises and a few teeth missing, or simply never reappear at all.
Finally, and most importantly… For Haystack to work, it needs to talk to a proxy server outside Iran that handles encryption and decryption. If Iranian authorities did decide to go after Haystack users in particular, they could simply obtain a copy of the software, pass bogus traffic through it so as to identify Haystack servers, and look for Iranian IPs talking to the same servers. It doesn’t matter if Haystack keeps jumping from one server to another; they have a copy of the exact same software, so they can collect a complete list.
The authors of Haystack should have realized this within five minutes of dreaming it up.
Haystack never had a snowball’s chance in hell.