Ask for Alice: Online Covert Distress Signal in the Presence of a Strong Adversary

TL;DR

This paper introduces a covert distress signaling protocol using TLS handshakes that enables users to secretly alert trusted parties while under surveillance, with minimal overhead and high security against strong adversaries.

Contribution

The paper presents a novel protocol leveraging TLS handshakes for covert distress signals, compatible with existing websites and resistant to detection by powerful adversaries.

Findings

Protocol successfully conceals distress signals within normal TLS traffic

Security analysis proves adversary cannot distinguish distress signals from regular communication

Minimal computational overhead for website participation

Abstract

In this paper we propose a protocol that can be used to covertly send a distress signal through a seemingly normal webserver, even if the adversary is monitoring both the network and the user's device. This allows a user to call for help even when they are in the same physical space as their adversaries. We model such a scenario by introducing a strong adversary model that captures a high degree of access to the user's device and full control over the network. Our model fits into scenarios where a user is under surveillance and wishes to inform a trusted party of the situation. To do this, our method uses existing websites to act as intermediaries between the user and a trusted backend; this enables the user to initiate the distress signal without arousing suspicion, even while being actively monitored. We accomplish this by utilising the TLS handshake to convey additional information; this means that any website wishing to participate can do so with minimal effort and anyone monitoring the traffic will just see common TLS connections. In order for websites to be willing to host such a functionality the protocol must coexist gracefully with users who use normal TLS and the computational overhead must be minimal. We provide a full security analysis of the architecture and prove that the adversary cannot distinguish between a set of communications which contains a distress call and a normal communication.