From: "E. ALLEN SMITH" <EALLENSMITH@ocelot.Rutgers.EDU>
Date: Wed, 29 May 1996 19:54:59 +0800
To: hfinney@shell.portal.com
Subject: Re:  Remailer chain length?
Message-ID: <01I59JCT7T2Q8Y5191@mbcl.rutgers.edu>
MIME-Version: 1.0
Content-Type: text/plain


From:	IN%"hfinney@shell.portal.com"  "Hal" 28-MAY-1996 21:35:03.17

>Or better still, run one remailer on the machine, and use it multiple
>times in the chain.  It seems to me that one remailer on a machine is
>better than several because it will allow more mixing of messages.  If
>two messages enter a machine and later leave, it may be possible to
>distinguish them if they went to different remailers and left with
>different From: addresses (or other header fields) as a result.  If they
>had both gone to the same remailer it would be harder to tell them
>apart.

	But you could get a massive amount of mixing of messages, by this
logic, simply by having 1 gigantic remailer. It'd have a vast traffic flow
and could do a lot of latency, etcetera. But this also means that whoever
runs it can trace everything - and whoever breaks into it can trace everything.
While multiple remailers on the same machine isn't ideal for this purpose (if
root is cracked, they all are cracked), it's better for this aspect than 1
remailer; root can be assumed to be harder to crack than a non-root-account
remailer. Moreover, this is assuming one machine, or an interlinked group of
machines set up such that there is one root account for all of them; separating
the remailers into machines with different roots would help. The rubber-hose
attack on the sysadmin is still a problem, though.
	-Allen