1994-08-07 - Re: Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering))

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: dfed07ddadf190f63a31448929d43040307e4381bb1d4fdecdf3e9638c2d3e9e
Message ID: <199408071733.KAA21999@jobe.shell.portal.com>
Reply To: <4194@aiki.demon.co.uk>
UTC Datetime: 1994-08-07 17:32:32 UTC
Raw Date: Sun, 7 Aug 94 10:32:32 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Sun, 7 Aug 94 10:32:32 PDT
To: cypherpunks@toad.com
Subject: Re: Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering))
In-Reply-To: <4194@aiki.demon.co.uk>
Message-ID: <199408071733.KAA21999@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


jdd@aiki.demon.co.uk (Jim Dixon) writes:
>In message <199408070216.TAA09025@jobe.shell.portal.com> Hal writes:
>> If this idea seems valid, it suggests that the real worth of a network of
>> remailers is to try to assure that there are at least some honest ones
>> in your path.  It's not to add security in terms of message mixing; a
>> single remailer seems to really provide all that you need.
>Yes, in an ideal world.  Each additional remailer introduces another
>chance of being compromised.

Once again I find myself with an understanding that is exactly the opposite
of Jim's.  I must be missing the point of his network design.  In the remailer
networks I am familiar with, each additional remailer introduces another chance
of being uncompromised, rather than being compromised!  Only if all the re-
mailers in the chain are cooperating and logging messages can they recon-
struct the path my message took.  If any one remailer is honest, my message
is successfully mixed with the others.  A design in which any one remailer
in the chain can compromise the privacy of the user seems to have a very
big flaw.

>But in an ideal remailer network operated by real human beings, you cannot
>trust the operator.  You would prefer that at least the points of entry
>and exit from the network be different, because this decreases the
>probability of the message being 'outed' by a very large factor.  If
>you are seriously concerned about legal factors, you would prefer that
>the remailer gateways be in different legal jurisdictions.

Yes, this makes a lot of sense.  Use different jurisdictions to make attacks
by government agencies more difficult, use multiple remailers in a chain,
etc.  I just don't follow the earlier comment which suggests a different
model of information exposure than I use.

Hal





Thread