At 06:25 AM 12/8/98 +0100, Anonymous wrote:
Of course, any manufacturer of Internet censorship proxy server software could easily add ians.ml.org to their list of blocked sites (as they have all already done with Anonymizer), so the idea would be for people to get their friends to set up port-forwarding programs on computers that were not blocked by the censoring proxy, and those could be set up to relay requests between the IANS server and the computer behind the proxy server.
It may not be so easy to get people to set up port-forwarding programs. These could be a target for hackers seeking to cover their tracks as they try break-ins.
The ports would only forward Web-based traffic, so an attack would have to be carried out over HTTP. The phf exploit is a notorious example; the IANS was modified early to specifically prevent it from being used for phf exploits. But most other attacks cannot be done just with a Web browser as far as I know. One additional option would be to distribute port-forwarding programs that keep logs of traffic. The standard port-forwarding program for Windows which we plan on recommending, Portpipe, does not do this, but we might write our own version that does.
Also, how many people in this day of commercial ISPs are able to set up port-forwarding programs?
Portpipe can be set up in thirty seconds on a Windows machine. What you need though is a machine that is connected more or less permanently to the Internet.
It would seem more promising to make your web page script be simple and portable enough that even users of AOL and free webpage hosts like GeoCities would be able to install it.
The problem with having lots of people run a copy of IANS is not that it couldn't be made easy to install, but in many cases it might not be even possible to install. Low-end Web page accounts do not allow the running of CGI scripts on the Web server.
I am working on a JavaScript form that could be used on the client side to solve this problem. We would like to use DSA to encrypt the requests sent using IANS, since I've heard DSA can be used for encryption without royalties, unlike, for example, RSA. [...] What you want to do is to use the mathematical principle behind DSA, which is the difficulty of solving the discrete log problem, and use an encryption algorithm which relies on that same math problem, namely Diffie-Hellman or ElGamal encryption. [...] If you need more information about what the various values mean, or how to create a DSA and/or ElGamal key, just ask.
Thanks! Some people had already pointed out to me that ElGamal would be an ideal choice, and was probably what I had in mind when I was looking for "a version of DSA that can be used for encryption". I'll follow the outline of the ElGamal algorithm given at http://www1.shore.net/~ws/Extras/Security-Notes/lectures/publickey.html and the outline given in _Applied Cryptography_ unless you have another recommendation.
Really, ElGamal is simple enough that if you have access to a large-number math package, writing your own is probably easier than trying to get DSA to do it. It is unlikely that you will find a DSA implementation which allows you to specify all the needed parameters above, particularly h and k. Usually h is forgotten after key generation and not used during signature, and implementions will probably want to choose k themselves since it is a very sensitive parameter.
I will probably have to write my own large-number package for JavaScript in order to implement ElGamal. You've given me enough to get started though, thanks! (If I have any more questions, I'll have to post them to the list since you're using the re-mailer :-) but maybe the list population will find this interesting anyway.) -Bennett bennett@peacefire.org (615) 421 5432 http://www.peacefire.org