Corporations, governments, and other entities can (and frequently do)
act as gatekeepers of the Web by blocking access to certain sites that
they deem "inappropriate," "offensive," or "objectionable."
In an attempt to prevent their citizens from accessing "forbidden"
material, dozens of countries (for the most part authoritarian regimes)
prohibit their citizens from viewing or publishing content on the
Internet that can be construed as violating social, cultural, political,
or religious values. News, human rights, religion, and entertainment are
popular categories of sites for governments to ban. In most cases,
violation of these highly restrictive decrees constitutes a punishable
Authoritarian governments aren't the only ones that like to keep close
tabs on users' online traffic. In the United States, for example,
workplace surveillance practices threaten employee privacy. A recent
survey conducted by the American Management Association shows that 63
percent of all companies in the United States monitor their employees'
Internet use at work, and 47 percent store and review employee e-mail.
Oftentimes, their surveillance activity goes beyond legitimate
Because SafeWeb provides an effective means with which Internet users
can shield themselves and evade invasive practices such as these, an
increasing number of entities -- including the governments of China,
Saudi Arabia, Bahrain, and the United Arab Emirates, as well as large
financial institutions, schools, and libraries -- have blocked access to
Triangle Boy is our answer to Internet censorship. Triangle Boy defeats
all attempts to prevent users from accessing sites on the Internet. It
is a peer-to-peer application that allows users to bypass corporate and
government firewalls by serving as an entry point into the SafeWeb
network (much like a Napster or Gnutella client).
With Triangle Boy, users everywhere can have free, private and secure
access to an uncensored Web.
Server: SafeWeb server that provides anonymous and encrypted
surfing. Acts as an intermediary between User and Web site. Utilizes
128-bit SSL encryption and possesses digital certificate identifying
itself as "www.safeweb.com."
User: Anyone who wishes to browse and communicate on the Web
anonymously, via an encrypted channel, to avoid monitoring and/or
filtering efforts of governments, corporations and other entities.
(E.g., a user in Beijing who wants to read unbiased news from Western
media outlets which have been blocked by the Chinese government; a
corporate user who wants to send a personal message over the Internet
without having it intercepted and read by the company's IT staff.)
Volunteer: Anyone who downloads and installs Triangle Boy onto an
Internet-connected PC. Currently, Triangle Boy can operate on any PC
running Linux or Windows 2000. The Internet connection should be a
cable, DSL or other broadband connection. Once Triangle Boy is running,
the Volunteer PC (referred to here as Triangle Boy machine) acts
as a proxy that enables Users to route around firewalls.
Triangle Boy: A free, peer-to-peer client that volunteers
onto their PCs so that users who are blocked from SafeWeb can
firewalls and access the site. It is a lightweight (less than
that works with any PC running Linux or Windows operating
Boy acts as a packet reflector. The name follows from the
of the packet flow (see
Triangle Boy Machine: (see also: Volunteer) A Volunteer's
PC that is running Triangle Boy. Enables users to bypass firewalls that
block access to SafeWeb (or any other site) by acting as a proxy that
forwards requests from User to Server. Since Triangle Boy has no crypto
capabilities and is essentially a packet reflector, no data exchanged
between User and Server is passed through the Triangle Boy machine.
User who wishes to go to a blocked site connects to Triangle Boy
Triangle Boy machine forwards requests (i.e., reflects packets) to
Server along with enough TCP/IP information to allow Server to return
packets directly to User.
Server delivers requested content, fully encrypted, directly to
using IP spoofing technique. Incoming packets from SafeWeb
appear to originate
from the Triangle Boy machine. (See
Network Diagram) Local monitoring of User only reveals an
conversation between User and Triangle Boy machine. It is very
for censors to block the Triangle Boy addresses since they would
to block the IP addresses of all Triangle Boy machines. We
task to become more difficult since the number of volunteers who
the application is growing daily. In addition, some Triangle Boy
have dynamic IP addresses, which makes the censor's task even
and the likelihood of success even slimmer.
Users can locate the addresses of Triangle Boy machines in the following
1. Via search engines: Users can find Triangle Boy addresses by
typing in keywords such as "SafeWeb" and "Triangle Boy." We will publish
subsets of static IP addresses directly to popular search engines. Since
search engines are only partially effective at indexing the Web, it is
highly unlikely that a corporate or governmental entity will be able to
obtain any universal list of Triangle Boy IP addresses for blocking
2. Via volunteer Web sites: SafeWeb will maintain an up-to-date
internal database of dynamic IP addresses of functioning Triangle Boy
machines. We will periodically publish this information to volunteer Web
sites through simple CGI scripts that link to Triangle Boy machines with
dynamic IP addresses. This system of publishing Triangle Boy addresses
is perhaps the most effective, since many more people have Web sites
than have control of a server, and we make it easy for them to
support Internet freedom.
I. Secure Connection; Public Key Algorithm
Basic Claim: The Triangle Boy machine cannot eavesdrop on the
conversation between User and Server.
Explanation: The public key algorithm for secret key exchange
used in the SSL protocol establishes a secure, encrypted channel for all
data exchanged between the User and Server that prevents any third party
During the SSL handshake process, the User and Server exchange
information in order to establish a secure channel for data
transmission. The exchange can be broken down into the following steps:
A. Server sends public key to User; with this public key, User
generates a random number to use as the secret key.
B. User encrypts secret key using Server's public key; User sends the
secret key back to Server.
C. Server decrypts the message using its private key in order to obtain
the secret key. Only Server can decrypt the message with its private
key; the Triangle Boy machine cannot do so since it does not possess the
D. Both User and Server now have the same secret key. The Triangle
Boy machine does not possess or have access to the secret key. All
ensuing data exchanges between User and Server during this session are
encrypted and decrypted using the secret key.
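
Steps A-D above, as an added sketch that is not SafeWeb's code: textbook RSA with constructed toy keys stands in for the SSL key exchange, and the function names, the fingerprint check and the key-swapping relay are assumptions made for illustration. It shows that a relay learns nothing when User encrypts to Server's real key, and that a substituted key has to be caught before step B.

```python
import hashlib
import secrets

E = 65537  # public exponent

def toy_keypair(p, q):
    """Textbook RSA from two primes: ((n, e), d). No padding, toy key size."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

# Constructed demo keys built from Mersenne primes; never use such keys for real.
SERVER_PUB, SERVER_PRIV = toy_keypair(2**127 - 1, 2**89 - 1)
RELAY_PUB, RELAY_PRIV = toy_keypair(2**107 - 1, 2**61 - 1)

def fingerprint(pub):
    """Hash of a public key, standing in for the certificate User inspects."""
    return hashlib.sha256(repr(pub).encode()).hexdigest()

KNOWN_SERVER_FP = fingerprint(SERVER_PUB)  # what User expects to see

def handshake(relay_swaps_key, user_checks_key):
    """Steps A-D through a relay. Returns (server_key, user_key, relay_key)."""
    # A. Server's public key reaches User by way of the relay.
    offered = RELAY_PUB if relay_swaps_key else SERVER_PUB
    if user_checks_key and fingerprint(offered) != KNOWN_SERVER_FP:
        return None, None, None  # User refuses: the key is not Server's
    # B. User picks a random 128-bit secret key and encrypts it to that key.
    user_key = secrets.randbits(128)
    ciphertext = pow(user_key, offered[1], offered[0])
    # The relay forwards the ciphertext. It can read it only if User
    # encrypted to the relay's own key instead of Server's.
    relay_key = None
    if relay_swaps_key:
        relay_key = pow(ciphertext, RELAY_PRIV, RELAY_PUB[0])
        ciphertext = pow(relay_key, SERVER_PUB[1], SERVER_PUB[0])
    # C. Server recovers the secret key with its private key.
    server_key = pow(ciphertext, SERVER_PRIV, SERVER_PUB[0])
    # D. User and Server hold the same secret key.
    return server_key, user_key, relay_key

if __name__ == "__main__":
    print("honest relay learns:", handshake(False, True)[2])
    print("key-swapping relay, unchecked:", handshake(True, False)[2] is not None)
    print("key-swapping relay, checked:", handshake(True, True))
```
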
II. Server Authentication; Digital Certificates
As part of the SSL handshake, User's browser will check whether the name
specified on Server's digital certificate matches the domain name of the
site to which User is connected. This enables User to verify the
identity of the server involved in the secure exchange.
In a connection established through Triangle Boy, this check will fail
because the IP address is that of the Triangle Boy machine, while the
digital certificate received from Server says "www.safeweb.com."
User will receive a warning ("Security Alert"). In the case of IE 5.0
the warning reads:
"[T]here is a problem with the site's security certificate.... The name on
the security certificate does not match the name of the site."
This automatic warning allows User to inspect the digital certificate
and ensure that they are actually connected to SafeWeb and not to a fake
server or a fake Triangle Boy machine.
It is important for Users to check the digital certificate each time
they use a Triangle Boy machine to prevent snooping by impostors.
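
The name check described above, as an added example (not SafeWeb's or the browser's code): it takes certificates in the dict shape of Python's ssl.SSLSocket.getpeercert(), with a constructed Triangle Boy address and constructed sample certificates, and reports both the browser's automatic comparison and the User's manual one.

```python
import ipaddress

EXPECTED_NAME = "www.safeweb.com"  # name the page says Server's certificate carries

def cert_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # older certificates carry the name only in the subject CN
        names = [v for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    return [n.lower() for n in names]

def name_matches(pattern, host):
    """Exact match, or one wildcard as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess(connected_to, cert, expected=EXPECTED_NAME):
    """Return (browser_warns, is_expected_server) for one connection.

    Assumes the chain was already validated against trusted CAs; getpeercert()
    returns an empty dict otherwise, which yields (True, False) here.
    """
    names = cert_dns_names(cert)
    # The browser compares the certificate to the address in the URL bar.
    browser_ok = not is_ip(connected_to) and any(
        name_matches(n, connected_to) for n in names)
    # The User's manual inspection compares it to the name they expect.
    return (not browser_ok, any(name_matches(n, expected) for n in names))

# Constructed samples: 192.0.2.10 is a documentation address (RFC 5737).
TRIANGLE_BOY_IP = "192.0.2.10"
GENUINE = {"subject": ((("commonName", "www.safeweb.com"),),)}
IMPOSTOR = {"subject": ((("commonName", "relay.example"),),),
            "subjectAltName": (("DNS", "relay.example"),)}
```

In Python's ssl module the manual comparison can be made automatic by connecting to the Triangle Boy address and passing server_hostname="www.safeweb.com" to SSLContext.wrap_socket(), so the handshake fails unless the certificate carries the expected name.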
Users anywhere can connect to SafeWeb by first accessing a Triangle Boy
machine. IP-based blocking is made very difficult, if not impossible.
The connection between User and Server is fully encrypted and secure;
the Triangle Boy machine cannot eavesdrop on the conversation.
Users receive an automatic warning that encourages them to inspect the
digital certificate of the server to ensure that they are not connected
to a fake Triangle Boy machine.
General: Triangle Boy promotes democracy by protecting the
right to privacy and free speech of Internet users worldwide. Because
every individual with Internet access now has the ability to publish
and/or access any content on the Web anonymously and securely through a
protected layer of encryption, Triangle Boy has the potential to change
the way the Internet is used throughout the world.
1. Government control of individual Internet usage is weakened. This
may result in the creation of a free and unregulated virtual press in
closed societies throughout the world.
2. Employers' efforts to control Internet usage of their employees
through the use of monitoring and filtering technologies may be
thwarted. Employees will be able to protect themselves against invasive
3. Censorware employed by schools and libraries may become obsolete
since it is readily circumvented using Triangle Boy and SafeWeb.