-----BEGIN PGP SIGNED MESSAGE----- In <199711251009.KAA01273@server.test.net>, on 11/25/97 at 05:09 AM, Adam Back <aba@dcs.ex.ac.uk> said:
Mikhael Frieden <mikhaelf@mindspring.com>
Anonymity At Any Cost by Declan McCullagh (declan@well.com)
When Lance Cottrell created an easy-to-use anonymous e-mail service back in 1994, he feared that nobody would use it. "I used to be worried that people didn't want anonymity enough to pay for it," he says. Today his company, Infonex, boasts 3,000 customers who pay $60 a year to browse the Web without leaving behind digital footprints.
Making the cookie read only and erasing previous additions does the same thing for free. Cottrell is PT Barnum speaking.
That's no where near what the anonymizer does for you.
Absolutly, I can't beleive that Mikhael is *that* clueless.
For $60 Lance gives a years use of an SSL connection to an anonymizing web proxy. That means as well as stripping out the cookies, browser type, and other identifying info -- it means that your IP# isn't even listed, and what's more passive snoops (eg snoopy Feds) of net traffic into and out of infonex might have a bit of problem figuring out who was accessing what under the cover of SSL.
(Modulo traffic analysis -- web traffic is patchy, pauses in transfer will show through the SSL layer, so you would probably be better off browsing the dodgy stuff at peak web usage times, for the cover traffic.)
I think Lance's success with this is tremendously good for privacy, and it is also a positive to see that some people do care enough about privacy to pay for it.
I had posted awhile back when these HTTP proxies first appeared about some inherent security risks with using them. The biggest problem with any proxy agent is one of trust. When one looks at what a proxy agent does one can see the scary potentials for abuse. Lets take the example of the Evil Proxy agent at www.nsa.gov. Case #1 - -- User connects to Evil Proxy sending a request for it to retreive a web page. -- Evil Proxy Logs who is connecting, time, and what web pages they are requesting. -- Evil then retrieves the web pages and transmits them to the user. -- Evil Proxy processes log data periodically to check for either Bad User or Bad Web Page usage and flags such activity for the Lea's. Case #2 - -- User connects to Evil Proxy sending a request for it to retreive a web page. -- Evil Proxy Logs who is connecting, time, and what web pages they are requesting. -- Evil Proxy finds that web page in Bad Web Page list. - -- Evil Proxy returns a forged web page to the user rather than the page that the user requested. (imagine such a proxy being set-up to flag any pgp.zip file requests and returning pgp_nsa_spoof.zip instead.) -- Evil Proxy processes log data periodically to check for either Bad User or Bad Web Page usage and flags such activity for the Lea's. Case #3 (This is theoretical as I am not sure it is possessable with current browsers) - -- User connects to Evil Proxy sending a request for it to retreive a web page. -- Evil Proxy Logs who is connecting, time, and what web pages they are requesting. -- Evil Proxy finds that User in Bad User list. - -- Evil Proxy returns the requested web page but also returns an extra file which is saved to the Users HD without his knowledge (imagine storing some kiddie porn gif's on a political opponents computer). -- Evil Proxy processes log data periodically to check for either Bad User or Bad Web Page usage and flags such activity for the Lea's. A less damming case but still troublesome would be where Evil Proxy was being run by commercial interest rather than governmental: Case #4 (Not much different than Case #1) - -- User connects to Evil Proxy sending a request for it to retreive a web page. -- Evil Proxy Logs who is connecting, time, and what web pages they are requesting. -- Evil then retrieves the web pages and transmits them to the user. -- Evil Proxy processes log data periodically and sells it to whomever want's it (Lea's, Spamford, GM, Microsoft, ... ect). I think that you can see that the security of HTTP Proxies is the same for a single E-Mail remailer. The natural evolution for these proxies is to use chaining and encryption in the same way e-mail is processed through remailers. - -- Chaining of Proxies - -- Multiple Layers of Encryption with the inner most layer being end-to-end encryption. HTTP proxies are good but still have a long way to go. - -- - --------------------------------------------------------------- William H. Geiger III http://users.invweb.net/~whgiii Geiger Consulting Cooking With Warp 4.0 Author of E-Secure - PGP Front End for MR/2 Ice PGP & MR/2 the only way for secure e-mail. OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html - --------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: cp850 Comment: Registered_User_E-Secure_v1.1b1_ES000000 iQCVAwUBNHrvxo9Co1n+aLhhAQEZ2AP/XToQgVc9bgGZqupPUZUc14cXjiTLTYOn tZFH8qy6fWnOyy6kz+zCZkn6R6rQ9nr7r1VTpVaYpA05hUzocO8YIDUBPlI6ZMBH FJjFE/i3N4NK3IeS4w6nfDh1gV8OmHAB/oX++Fmv0zmLSFAgDDijHEf0LkrNkOTm kwLlF+Pj8OY= =hn/s -----END PGP SIGNATURE-----