Haystack: a project for iran (haystacknetwork.com)
50 points by chaostheory on Aug 7, 2010 | 12 comments


I gather from the FAQ that this software consists of a client and servers (both closed-source). The servers are operated by the Haystack people in safe countries. The client appears like an HTTP proxy to the user's web browser, but then it encrypts the user's web traffic and hides it among innocuous traffic, some or all of which goes to the Haystack servers.

I still don't get how the client traffic is supposed to look inconspicuous while still most of it goes to Haystack servers. Do they pad their client-server traffic with ten times as many Google searches for cute kitty pictures? If not, what keeps the suppressive government from installing their own Haystack client on a spare computer and blacklisting every server the client connects to as an illegal proxy?


It sounds interesting but I wonder about the focus only on Iran, while other countries notoriously suffer from censorship too. (China, North Korea…)

Also, from the FAQ:

7. Is Haystack Open Source Software?

No. Although we sincerely wish we could release Haystack under a free software license, revealing the source code at this time would only aid the authorities in blocking Haystack. In the future, however, we would like to find a way to reconcile our Free Software ideals with the necessity of frustrating the efforts of those who would block Haystack.

They sound sincere and it seems that they've really thought about that aspect but it seems to me that by being closed-source, users have to trust that their intentions are good (looks like it's the case, but who knows?), but also that they know what they're doing and that connections are indeed undetectable.

I'm not saying that's not the case, but I feel like the target users are exactly the ones who can't be as willy-nilly as many are with Facebook for example.


Probably has to do with the background of the board of the organization making the software: http://www.censorshipresearch.org/board/


Security through obscurity is a falsehood.


No it's not. Security only through obscurity certainly, but obscurity is most definitely one worthwhile tactic in a security strategy.


Haystack hides traffic to and from the internet at large inside traffic that looks like perfectly normal web connections to innocuous sites.

I don't get it. How is "hiding" this traffic amongst other innocuous traffic going to defeat, say, ngrep looking for connection to the haystack servers?

At some point you're going to have a tcp connection from client to haystack server...


A strange project. They are asking for donations, but there is no software to download and no real indication that this actually works.

Also, there's no description of the protocol/algorithm used nor do they plan to be open source. So, we have no way of evaluating its effectiveness or security.

But he did get lots of press for himself. Well done. Now shut up and ship.


Am I alone in thinking Americans might need software like this if ISPs are allowed to throttle certain types of traffic?


Seriously, we should be setting this precedent now, before we "need" it.


I just hope they don't get interpreted as offering "business information services": http://37signals.com/svn/posts/2080-haystack-is-now-sortfoli...


I'm still looking for a technical whitepaper or similar as to how it "hides" traffic in innocuous "good" traffic.

That's the way it has been explained in the mainstream media, which is fine for people who have no idea how any of this really works.

But if I was in Iran, I'd like to know more before I risked my life looking at material that might get me imprisoned, etc.


Relevant: "For Neda" at around the 50-minute mark http://www.youtube.com/watch?v=F48SinuEHIk



