Remember Haystack, that software tool developed by the Censorship Research Center for distribution to Iranian dissidents so they could get around the government’s Internet filters during the presidential election uproar last year? Its heart was in the right place, but its technology apparently wasn’t. Third-party security experts testing the tool say that it contains flaws that could actually lead authorities right to the very people its supposed to protect.
Jacob Appelbaum, a Wikileaks volunteer and security expert, sounded the alarm after he and colleagues busted through Haystack’s privacy barriers in just six hours. Haystack is supposed to encrypt a user’s Web traffic and hide it within other state-approved traffic, so that it flows right through stringent Web filters set up by the government along with other innocuous traffic.
According to Appelbaum, the flaws don’t just fail to hide users’ traffic, but could actually alert authorities that you are firing up the software. That, in turn, could lead authorities right to dissidents using the software, which is not permitted by the state. “This is a system that’s so fragile, I can barely tell you how it operates without being extremely worried about the people who may have used it who had no idea that they were being put at risk,” Appelbaum said to Technology Review. “It’s incredible, and incredibly terrible.”
Haystack’s creators have halted distribution of the tool and are trying to warn users not to use the software. But Appelbaum was able to obtain a copy days after the CRC said they’d stopped supporting Haystack, so it’s fairly clear that the program is still circulating. A new version of Haystack is apparently on the way, one that will be mostly open source so third-party testers can give it a rigorous vetting. In the meantime, take it from Appelbaum and the CRC: if you’re using Haystack, stop right now and destroy your copy.