Lance Detweiler writes:
You have these security threats which involve people being tricked into sending messages through the remailer in such a way that the recipient knows the true email address from where the messages are coming.
These are completely analogous to users being tricked into supplying passwords in regular login situations. Not a new problem. And anybody who hasn't figured out that you should *never* put any identifying information in the message itself is probably a little too clueless to be using the service in the first place. However, the idea of giving a warning in the use introduction is ok: ``under NO CIRCUMSTANCES EVER DO THIS'' type thing.
It's not that simple. "Deadbeat" reported that he discovered this problem when he sent mail via Penet to a list member asking a question. When that person replied, it exposed his anonymous ID. There was no need to put identifying information in the message itself. The mere fact that a particular message is being replied to gives away the true email address of the sender (because that is the address to which the question was directed). This means that if you receive mail asking an innocent question, like, "what is the address to subscribe to cypherpunks?", you need to be aware of whether that question came from the Penet remailer or one like it. If so, you need to take extra care when you respond so that your anonymous ID is not revealed.
The problem is that the anonymity is implicitly requested by a message to the server. Hence replies are getting this anonymity. One possibility is an override switch in the header that leaves it entirely intact and the server just acts like another hub forwarder. But what is this `harm'? We have to recognize these complaints as completely frivolous and without merit.
I don't think so. It seems to me that the current system makes it easy to accidentally expose your anonymous ID. If more people start operating pseudonym-based remailers it will be that much more difficult to keep track of whether you want to be anonymized or not. I think technical solutions are needed along the lines suggested by Eric Hughes and Deadbeat. Hal P.S. How about Deadbeat posting a public key? He keeps signing his messages but I can't check them.