From: Bill Stewart <bill.stewart@pobox.com>
Date: Mon, 8 Jun 1998 03:59:22 +0800
To: Sprokkit Amhal <sprokkit@hotmail.com>
Subject: Re: anonymous mailboxes
In-Reply-To: <19980604193606.27765.qmail@hotmail.com>
Message-ID: <3.0.5.32.19980607021342.008b1370@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



>On Thu, 4 Jun 1998, Sprokkit Amhal wrote:
>> anonymous email boxes, whereby a user can receive email and even a 
>> traffic analysis attacker is unable to glean information about who 
>> received what when.  I forget exactly what ve called vis method...

One way to do pseudonymous email boxes is to use a web-based
mailbox server such as hotmail and pick up the mail through
anonymizers or onion routers.  Obviously you need SSL for the
anonymizer connections, and for the mailbox connection as well,
and the name of the mailbox needs to be in the encrypted portion
of the SSL requests rather than in the sniffable URL parts.
The main threat is eavesdroppers watching the anonymizers
over a period of time, picking up patterns that may not show
during a single mail pickup.  So you need enough anonymizers out there, 
or enough cover traffic on a smaller number of anonymizers, 
but it should basically be doable.

It also helps if you can send mail to the mailer using the web,
with SSL and chains of anonymizers to do it, to protect the sender,
but anonymous remailers can also solve that problem.
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639