TriangleBoy Whitepaper

TriangleBoy Diagram

Corporations, governments, and other entities can (and frequently do) act as gatekeepers of the Web by blocking access to certain sites that they deem "inappropriate," "offensive," or "objectionable."

In an attempt to prevent their citizens from accessing "forbidden" material, dozens of countries (for the most part authoritarian regimes) prohibit their citizens from viewing or publishing content on the Internet that can be construed as violating social, cultural, political, or religious values. News, human rights, religion, and entertainment are popular categories of sites for governments to ban. In most cases, violation of these highly restrictive decrees constitutes a punishable offense.

Authoritarian governments aren't the only ones that like to keep close tabs on users' online traffic. In the United States, for example, workplace surveillance practices threaten employee privacy. A recent survey conducted by the American Management Association shows that 63 percent of all companies in the United States monitor their employees' Internet use at work, and 47 percent store and review employee e-mail. Oftentimes, their surveillance activity goes beyond legitimate management concerns.

Because SafeWeb provides an effective means with which Internet users can shield themselves and evade invasive practices such as these, an increasing number of entities -- including the governments of China, Saudi Arabia, Bahrain, and the United Arab Emirates, as well as large financial institutions, schools, and libraries -- have blocked access to SafeWeb.

Triangle Boy is our answer to Internet censorship. Triangle Boy defeats all attempts to prevent users from accessing sites on the Internet. It is a peer-to-peer application that allows users to bypass corporate and government firewalls by serving as an entry point into the SafeWeb network (much like a Napster or Gnutella client).

With Triangle Boy, users everywhere can have free, private and secure access to an uncensored Web.


Server: SafeWeb server that provides anonymous and encrypted surfing. Acts as an intermediary between User and Web site. Utilizes 128-bit SSL encryption and possesses digital certificate identifying itself as ""

User: Anyone who wishes to browse and communicate on the Web anonymously, via an encrypted channel, to avoid monitoring and/or filtering efforts of governments, corporations and other entities. (E.g., a user in Beijing who wants to read unbiased news from Western media outlets which have been blocked by the Chinese government; a corporate user who wants to send a personal message over the Internet without having it intercepted and read by the company's IT staff.)

Volunteer: Anyone who downloads and installs Triangle Boy onto an Internet-connected PC. Currently, Triangle Boy can operate on any PC running Linux or Windows 2000. The Internet connection should be a cable, DSL or other broadband connection. Once Triangle Boy is running, the Volunteer PC (referred to here as Triangle Boy machine) acts as a proxy that enables Users to route around firewalls.

Triangle Boy: A free, peer-to-peer client that volunteers download onto their PCs so that users who are blocked from SafeWeb can circumvent firewalls and access the site. It is a lightweight (less than 1MB) application that works with any PC running Linux or Windows operating systems. Triangle Boy acts as a packet reflector. The name follows from the triangular geometry of the packet flow (see Network Diagram).

Triangle Boy Machine: (see also: Volunteer) A Volunteer's PC that is running Triangle Boy. Enables users to bypass firewalls that block access to SafeWeb (or any other site) by acting as a proxy that forwards requests from User to Server. Since Triangle Boy has no crypto capabilities and is essentially a packet reflector, no data exchanged between User and Server is passed through the Triangle Boy machine.

Basic Operation

User who wishes to go to a blocked site connects to Triangle Boy machine. Triangle Boy machine forwards requests (i.e., reflects packets) to Server along with enough TCP/IP information to allow Server to return packets directly to User.

Server delivers requested content, fully encrypted, directly to the user using an IP spoofing technique. Incoming packets from SafeWeb appear to originate from the Triangle Boy machine. (See Network Diagram.) Local monitoring of User only reveals an encrypted conversation between User and Triangle Boy machine. It is very difficult for censors to block the Triangle Boy addresses since they would have to block the IP addresses of all Triangle Boy machines. We expect this task to become more difficult since the number of volunteers who download the application is growing daily. In addition, some Triangle Boy machines have dynamic IP addresses, which makes the censor's task even more daunting and the likelihood of success even slimmer.

Users can locate the addresses of Triangle Boy machines in the following ways:

1. Via search engines: Users can find Triangle Boy addresses by typing in keywords such as "SafeWeb" and "Triangle Boy." We will publish subsets of static IP addresses directly to popular search engines. Since search engines are only partially effective at indexing the Web, it is highly unlikely that a corporate or governmental entity will be able to obtain any universal list of Triangle Boy IP addresses for blocking purposes.

2. Via volunteer Web sites: SafeWeb will maintain an up-to-date internal database of dynamic IP addresses of functioning Triangle Boy machines. We will periodically publish this information to volunteer Web sites through simple CGI scripts that link to Triangle Boy machines with dynamic IP addresses. This system of publishing Triangle Boy addresses is perhaps the most effective, since many more people have Web sites than have control of a server, and we make it easy for them to support Internet freedom.

Security Functions

I. Secure Connection; Public Key Algorithm

Basic Claim: The Triangle Boy machine cannot eavesdrop on the conversation between User and Server.

Explanation: The public key algorithm for secret key exchange used in the SSL protocol establishes a secure, encrypted channel for all data exchanged between the User and Server that prevents any third party from eavesdropping.

During the SSL handshake process, the User and Server exchange information in order to establish a secure channel for data transmission. The exchange can be broken down into the following steps:

A. Server sends public key to User; with this public key in hand, User generates a random number to use as the secret key.

B. User encrypts secret key using Server's public key; User sends the secret key back to Server.

C. Server decrypts the message using its private key in order to obtain the secret key. Only Server can decrypt the message with its private key; the Triangle Boy machine cannot do so since it does not possess the private key.

D. Both User and Server now have the same secret key. The Triangle Boy machine does not possess or have access to the secret key. All ensuing data exchanges between User and Server during this session are encrypted and decrypted using the secret key.
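
Steps A through D can be traced in code. The sketch below is an added example, not SafeWeb's code: it uses textbook RSA over two fixed Mersenne primes in place of a real SSL key, and the `Relay` class, function names and key-derivation step are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumption: two known Mersenne primes stand in for the Server's RSA primes.
# Textbook (unpadded) RSA, far smaller than a real SSL key; illustration only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537


def server_keypair():
    """Return ((n, e), d): the public key and the private exponent."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), d


class Relay:
    """Hypothetical stand-in for the Triangle Boy machine: forwards and records."""

    def __init__(self):
        self.seen = []

    def forward(self, message):
        self.seen.append(message)
        return message


def session_key(secret):
    """Both ends derive the same symmetric key from the shared secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()


def run_handshake():
    relay = Relay()
    public, private_d = server_keypair()
    # The relay is shown every message in both directions, which is more than
    # the reflector sees (Server's packets go straight to User).
    n, e = relay.forward(public)                    # A: public key to User
    secret = secrets.randbelow(n - 2) + 2           # A: User's random secret
    ciphertext = relay.forward(pow(secret, e, n))   # B: encrypted secret to Server
    recovered = pow(ciphertext, private_d, n)       # C: only Server can decrypt
    return {                                        # D: both sides hold the key
        "user_key": session_key(secret),
        "server_key": session_key(recovered),
        "secret": secret,
        "private_d": private_d,
        "relay_saw": relay.seen,
    }
```

The relay's record holds only the public key and the ciphertext. This covers a relay that merely forwards; a relay that substitutes its own public key is the case the certificate check in section II addresses.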

II. Server Authentication; Digital Certificates

As part of the SSL handshake, User's browser will check whether the name specified on Server's digital certificate matches the domain name of the site to which User is connected. This enables User to verify the identity of the server involved in the secure exchange.

In a connection established through Triangle Boy, this check will fail because the IP address is that of the Triangle Boy machine, while the digital certificate received from Server says ""

User will receive a warning ("Security Alert"). In the case of IE 5.0 the warning reads:

"[T]here is a problem with the site's security certificate.... The name on the security certificate does not match the name of the site."

This automatic warning allows User to inspect the digital certificate and ensure that they are actually connected to SafeWeb and not to a fake server or a fake Triangle Boy machine.

It is important for Users to check the digital certificate each time they use a Triangle Boy machine to prevent snooping by impostors.
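
The difference between the browser's automatic name check and the manual inspection asked of User can be written out as follows. This is an added example, not part of the original paper: `server.example` is a placeholder because the page does not give the certificate name, the address and certificate bytes are constructed, and comparing against a fingerprint obtained in advance is an assumption about how User would confirm the certificate is SafeWeb's.

```python
import hashlib
import hmac

EXPECTED_NAME = "server.example"  # placeholder: the page elides the real name
RELAY_ADDRESS = "203.0.113.7"     # constructed Triangle Boy address (TEST-NET-3)

# Constructed stand-ins for DER-encoded certificates; only their hashes matter here.
GENUINE_DER = b"constructed-genuine-certificate"
IMPOSTOR_DER = b"constructed-impostor-certificate"
# Assumption: User obtained this fingerprint from a trusted channel beforehand.
PINNED_SHA256 = hashlib.sha256(GENUINE_DER).hexdigest()


def cert_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject's commonName
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]


def browser_name_check(cert, connected_to):
    """The automatic check: certificate name versus the address in the URL."""
    return connected_to.lower() in cert_names(cert)


def manual_check(cert, der_bytes, expected_name=EXPECTED_NAME, pin=PINNED_SHA256):
    """The manual check: expected Server name and pinned fingerprint must match."""
    name_ok = expected_name.lower() in cert_names(cert)
    fingerprint = hashlib.sha256(der_bytes).hexdigest()
    return name_ok and hmac.compare_digest(fingerprint, pin)


def evaluate():
    genuine = {"subject": ((("commonName", EXPECTED_NAME),),)}
    same_name_fake = {"subject": ((("commonName", EXPECTED_NAME),),)}
    other_name = {"subjectAltName": (("DNS", "relay.invalid"),)}
    return {
        "browser_warns_on_genuine": not browser_name_check(genuine, RELAY_ADDRESS),
        "genuine_accepted": manual_check(genuine, GENUINE_DER),
        "same_name_fake_accepted": manual_check(same_name_fake, IMPOSTOR_DER),
        "other_name_accepted": manual_check(other_name, IMPOSTOR_DER),
    }
```

Because the automatic check fails even for the genuine Server, the warning alone cannot separate a real connection from an impostor; only the manual comparison does, and a certificate that merely carries the expected name is still rejected when its fingerprint differs.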

Technical Summary

Users anywhere can connect to SafeWeb by first accessing a Triangle Boy machine. IP-based blocking is made very difficult, if not impossible.

The connection between User and Server is fully encrypted and secure; the Triangle Boy machine cannot eavesdrop on the conversation.

Users receive an automatic warning that encourages them to inspect the digital certificate of the server to ensure that they are not connected to a fake Triangle Boy machine.


General: Triangle Boy promotes democracy by protecting the right to privacy and free speech of Internet users worldwide. Because every individual with Internet access now has the ability to publish and/or access any content on the Web anonymously and securely through a protected layer of encryption, Triangle Boy has the potential to change the way the Internet is used throughout the world.

1. Government control of individual Internet usage is weakened. This may result in the creation of a free and unregulated virtual press in closed societies throughout the world.

2. Employers' efforts to control Internet usage of their employees through the use of monitoring and filtering technologies may be thwarted. Employees will be able to protect themselves against invasive workplace monitoring.

3. Censorware employed by schools and libraries may become obsolete since it is readily circumvented using Triangle Boy and SafeWeb.