From: daw@cs.berkeley.edu (David Wagner)
Date: Sat, 27 Apr 1996 15:33:02 +0800
To: cypherpunks@toad.com
Subject: Re: An idea for refining penet-style anonymous servers
In-Reply-To: <Uc5fx8m9LojB085yn@netcom.com>
Message-ID: <4lrtrv$dq@joseph.cs.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


In article <Uc5fx8m9LojB085yn@netcom.com>,
Alan Bostick <abostick@netcom.com> wrote:
>                                          Authorities cannot use a search
> for one identity as an excuse for a fishing expedition in the address
> database.   [...]
> There is a way that attackers who have seized or copied the database can
> search it - by trying it out on anonymous IDs, or user addresses, until
> they hit paydirt.

So maybe this is an incremental improvement over the penet model,
but I'm not yet convinced that it's really a gigantic advance.

The threat model I'm most worried about is this: I post a Co$
document about clams & volcanos, under a nym.  The Co$ has enough
lawyers to subvert any justice system; they might be pissed off
enough to target me.  I don't want them to recover my name.

As you point out, your improvement can't protect against this scenario.

Maybe it can help protect others, so that when the Co$ scum steal
the database, they can't compromise everyone who's ever used penet.
But I'm not convinced-- what if the Co$ do a DejaNews search for
'anon*@penet.fi' and use each hit to query the database?  I think
they'll be able to break the anonymity of nearly everyone in the
database.


So I'll make another proposal, to try to be constructive.

Write a program to translate between penet-style remailers and
mixmaster/alpha style remailers.  Set up a service which automatically
creates a chain of nyms for you, with encryption at all the
mixmaster/alpha - to - mixmaster/alpha links.

People seem to (like / be familiar with / be willing to use) the
penet style interface-- so use the penet syntax as the interface
to the user, so the user doesn't have to know anything about what
the remailers are doing behind his back.  (Or use some *simple*
Java/html-forms/... interface.)

Advantages: to figure out the link between a nym and the real person,
you have to compromise a whole chain of remailers (except for the
following drawback).  the nym<->person database is distributed,
so is less susceptible to attack.

Drawbacks: this doesn't encrypt the link between the user and the
first remailer, so if Co$ can sniff on the link between you and
your first remailer, you're screwed.  This is still an improvement
over vanilla penet.fi-- the Co$ has better lawyers than wiretappers,
I suspect-- and you can also make sure your first link is just a
couple of hops away.  One might also contemplate using Hal's java
applet to automatically pgp encrypt the first link (so you only
have to assume that the web server you got the applet from is
trustworthy, and that the Co$ isn't doing active attacks on you).

This is still a compromise between security & usability, unfortunately.

Comments?