1993-02-23 - Anon address attack…

Header Data

From: Hal <74076.1041@CompuServe.COM>
Message Hash: 29251b917749671ccdfed35c19aba3f5708727e623d9dc9fb69fd13e46efca5c
Message ID: <93022302210774076.1041_DHJ66-1@CompuServe.COM>
Reply To: _N/A

UTC Datetime: 1993-02-23 03:25:06 UTC
Raw Date: Mon, 22 Feb 93 19:25:06 PST

Raw message

From: Hal <74076.1041@CompuServe.COM>
Date: Mon, 22 Feb 93 19:25:06 PST
Subject: Anon address attack...
Message-ID: <930223022107_74076.1041_DHJ66-1@CompuServe.COM>
MIME-Version: 1.0
Content-Type: text/plain


It seems like there are several problems that arise from this "automatic"
anonymization of messages sent through the Penet remailer.

You have these security threats which involve people being tricked into
sending messages through the remailer in such a way that the recipient
knows the true email address from where the messages are coming.

(I think that is what happened here with "deadbeat", because otherwise
why would he have asked people to send their email addresses?  He wouldn't
need email addresses since he could reply to people without knowing them,
by just using a "reply" command in his mailer.)

(It's interesting that he also sent his message via one of the Cypherpunks
remailers.  Maybe he thought they worked like the Penet remailer and
he could break anonymity on those as well.)

Another problem that people have complained about is when they respond
to an anonymous posting, they get a message from Penet saying that they
now have an anonymous ID assigned.  This confuses and bothers some people.

We had some debate about this issue here several months ago (before
Penet was operating, I think).  One question is, if I send mail to
anonymous person A, does that mean or imply that I should be made
anonymous to A?  This is to some extent a matter of expectations.  Some
people argued that should be no expectation of anonymity in this case;
A is the one who wants to be anonymous, not the people who are sending
to him/her.  Others replied that since some anonymous remailers already
worked this way, there would be an expectation of anonymity, and so
the safest assumption was to anonymize all messages since people can
always override the anonymity by revealing their true addresses.

I think these attacks on Penet re-open these questions.  Evidentally
there is positive harm that can occur by automatically anonymizing
all messages which pass through a remailer.

(BTW, I certainly don't mean here to be presuming to tell Julf what
he should or should not do with Penet.  I'm just taking that as an
example.  We have discussed adding similar functionality to our Cypher-
punks remailers.

The main problem occurs when sending a message to an anonymous Penet
address.  For the other uses of the Penet remailer, for anonymous posting
and for mail to a non-anonymous address, it's more reasonable to assume
that anonymization is desired.  (Otherwise, why would they be using
the service?)  But when sending a message to an anonymous address,
it's not known whether the sender wants to be anonymized or not.

One possibility (which might not be that easy technically) would be to
assign a new anonymous ID for each such message through the Penet server.
This means that you would get a _different_ anonymous ID for each
of these messages, preventing an attacker from pairing up your "usual"
posting ID with your email address.  (Perhaps this anonymous ID
creation could be suppressed with another X- command, as proposed
earlier, but this could be the default behavior.)  It might be hard
to keep track of that many anonymous ID's, but perhaps they could be
kept active for only a limited period of time (several weeks or months)
and retired after that.

It might seem that people should just be careful about what they
send through Penet, but there are some problems with this.  What do
you do if you get a message from an5877@anon.penet.fi asking for
advice on cryptography mailing lists?  If you reply, your questioner
can figure out who the reply is coming from, and sees your Penet
alias.  There is no way to prevent this from happening currently.

Also, I have seen proposals that anonymous ID's should be made less
recognizable, so that instead of an5877@anon.penet.fi we would have
joe@serv.uba.edu.  In such a situation it might be tedious to
scrutinize every email address we send to (via replies, for example)
to make sure it isn't a remailer where you have an anonymous ID.

All in all, I think some changes need to be made in how anonymous
addresses are used and implemented in order to provide reasonable
amounts of security.

Hal Finney

Version: 2.1