1995-11-08 - PGP Comment feature weakens remailer security

Header Data

From: anonymous-remailer@shell.portal.com
To: cypherpunks@toad.com
Message Hash: 4d3294a89530018582d94af62b764a0c7a578d9856e02aede5ae71f0a0b1b237
Message ID: <199511080454.UAA05765@jobe.shell.portal.com>
Reply To: N/A
UTC Datetime: 1995-11-08 05:21:55 UTC
Raw Date: Wed, 8 Nov 1995 13:21:55 +0800

Raw message

From: anonymous-remailer@shell.portal.com
Date: Wed, 8 Nov 1995 13:21:55 +0800
To: cypherpunks@toad.com
Subject: PGP Comment feature weakens remailer security
Message-ID: <199511080454.UAA05765@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Suppose you want to mail or post something sensitive enough
to chain through several remailers with PGP encryption at every stage
to protect the privacy of communications.  PGP can bite you.
The PGP comment feature lets you stick one (or more?) lines of comment
into your encrypted messages, after the Version: line but before the
encrypted message body.  If you use the PGP comment feature to say something
more or less unique (mine says that you can get PGP outside the country
from ftp.ox.ac.uk), anybody eavesdropping the last remailer in your chain
can notice this in the remailer's input and recognize that it's from you,
even though you've chained through six different places to get there.
It's still encrypted, and protected to the extent that the remailer protects
you, but if the remailer is corrupt or your message can be identified
by size among the other remailer inputs, you're hosed.

So, for safety, either turn off PGP comments before using it
with remailers, or wipe out the comments by hand before each layer of encryption
(easy to do with GUI-based systems like Private Idaho; I don't know
if premail lets you do this or not.)

                                      Bill Stewart

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1
Comment: PGP available outside U.S.A. at ftp.ox.ac.uk

iQBVAwUBMKAgw/thU5e7emAFAQFStwH/QnIiiaeSmUp1YynDBLVo3HAWsVkS0nx8
Fc95Mr0YJ/YIoRDz+xuNgLHbjJZSTUbhOnigMRb7JLNqhmCGvS5RBQ==
=ZWhB
-----END PGP SIGNATURE-----

#---
#                                       Thanks;  Bill
# Bill Stewart, Freelance Information Architect, stewarts@ix.netcom.com
# Phone +1-510-247-0664 Pager/Voicemail 1-408-787-1281
#---
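One way to apply the mitigation the post recommends (wiping the Comment: line before each layer of encryption), as an added example that is not part of the original message: a small Python filter that keeps only whitelisted armor headers and reports which lines it would drop, so an audit of a remailer's outbound queue can also flag messages that still carry a distinguishing header. The sample armored text is constructed; its body is placeholder radix-64, not real ciphertext.

```python
import re

BEGIN_RE = re.compile(r"^-----BEGIN PGP [A-Z ]+-----$")
END_RE = re.compile(r"^-----END PGP [A-Z ]+-----$")

# Armor headers kept by default. Version: is common enough to be weak as an
# identifier; Hash: is needed to verify clearsigned text. Pass keep=() to drop both.
DEFAULT_KEEP = ("version", "hash")


def _filter(armored, keep):
    """Walk the armor; return (kept_lines, dropped_header_lines).

    Only lines between a BEGIN line and the blank line that ends the header
    section are examined; the radix-64 body and CRC line pass through
    unchanged, so the block still decrypts at the next hop.
    """
    keep = {k.lower() for k in keep}
    kept, dropped, in_headers = [], [], False
    for line in armored.splitlines():
        if BEGIN_RE.match(line):
            in_headers = True
        elif in_headers:
            if line.strip() == "" or END_RE.match(line):
                in_headers = False  # header section over (blank line, or malformed block)
            else:
                key, sep, _ = line.partition(":")
                if sep and key.strip().lower() not in keep:
                    dropped.append(line)  # e.g. Comment: ..., Charset: ...
                    continue
        kept.append(line)
    return kept, dropped


def strip_armor_headers(armored, keep=DEFAULT_KEEP):
    """Return the armor with every non-whitelisted header line removed."""
    kept, _ = _filter(armored, keep)
    return "\n".join(kept) + ("\n" if armored.endswith("\n") else "")


def identifying_headers(armored, keep=DEFAULT_KEEP):
    """Audit check: the header lines that would single this message out."""
    return _filter(armored, keep)[1]


# Constructed sample (hypothetical): body is placeholder radix-64, not real ciphertext.
SAMPLE = (
    "-----BEGIN PGP MESSAGE-----\n"
    "Version: 2.7.1\n"
    "Comment: PGP available outside U.S.A. at ftp.ox.ac.uk\n"
    "\n"
    "hQCMA0NPTlNUUlVDVEVEIFNBTVBMRSBCT0RZICh...\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)

if __name__ == "__main__":
    print(identifying_headers(SAMPLE))  # ['Comment: PGP available outside U.S.A. at ftp.ox.ac.uk']
    print(strip_armor_headers(SAMPLE), end="")
```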
