NPR is at it again...

Some commie law professor broad :-) is talking about how there oughtta be a law against anonymous remailers, deja news, and various forms of "illegal" email...
The ganglia twitch...
Cheers,
Bob Hettinga
-----------------
Robert A. Hettinga <mailto: rah@philodox.com>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

Some commie law professor broad :-) is talking about how there oughtta be a law against anonymous remailers, deja news, and various forms of "illegal" email... The ganglia twitch...
like hotmail and yahoo mail??? these are *awesome* remailers. I picked up a yahoo mail account recently and am blown away with all the *FEATURES*!! separate folders, filtering, external mailboxes support through POP, binary attachments, my gosh!!!!! my cup runneth over, for free, TOTALLY ANONYMOUS
check it out cpunks, a cpunk wet dream!! trust me on this one, it's not going away. it's a LUCRATIVE business worth millions a year.
there was a recent conference under a year ago (or more, maybe I can't remember) by the AAAS (am. assoc. adv. science) on anonymity with academics/papers/talks and everything. did anyone check that out? do they have a web page???
and stop twitching your ganglia, it's really creepy!!!

Some commie law professor broad :-) is talking about how there oughtta be a law against anonymous remailers, deja news, and various forms of "illegal" email... The ganglia twitch...
like hotmail and yahoo mail??? these are *awesome* remailers. I picked up a yahoo mail account recently and am blown away with all the *FEATURES*!! separate folders, filtering, external mailboxes support through POP, binary attachments, my gosh!!!!! my cup runneth over, for free, TOTALLY ANONYMOUS check it out cpunks, a cpunk wet dream!!
They're NOT SECURE! But Web anonymizers can fix most of the holes. In particular, Hotmail + www.anonymizer.com is a reasonable substitute for the old penet.fi remailer. There are scurrilous rumors that some people actually put bogus information on their free email accounts! (My cat certainly didn't do that :-)
But the portal services can keep records of who's connecting to them, at least by IP address, which can be traced back to ISPs, and from there back to phone lines, etc., depending on the extent of records the various ISPs keep. It's not enough without anonymizers.
I suspect this is what will replace the current remailer system - chaining through some set of Crowds, Onions, and commercial and free anonymizers to reach a free email system to transmit and receive email.
An interesting project would be a free low-volume anonymizer cgi for Apache, given the large number of current users and the much larger number of people who will run web servers once they have cable modems.
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639

On Wed, 11 Nov 1998, Bill Stewart wrote:
I suspect this is what will replace the current remailer system - chaining through some set of Crowds, Onions, and commercial and free anonymizers to reach a free email system to transmit and receive email. An interesting project would be a free low-volume anonymizer cgi for Apache, given the large number of current users and the much larger number of people who will run web servers once they have cable modems.
How do you do chaining with a cgi?
-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred.

At 11:47 PM 11/11/98 +0100, Lucky Green wrote:
On Wed, 11 Nov 1998, Bill Stewart wrote:
An interesting project would be a free low-volume anonymizer cgi for Apache, given the large number of current users and the much larger number of people who will run web servers once they have cable modems.
How do you do chaining with a cgi?
Looks easy enough to do, if a bit ugly, where "ugly" is somewhat equivalent to "build yet another local proxy widget to hide the gory details", though it's not really much uglier than doing a good anonymizer, and getting details like cookies and Java/script right are harder.
Define "encrypted" as "PGP or something like it". It may be possible to gain some efficiencies by using SSL, but not critical.
Take a cgi script and use POST to hand it an encrypted block containing:
    Response-Key:
    HTTP Request, either vanilla URL or cgi URL with GET or POST data.
    Maybe some digicash
    Maybe some additional data
The script fetches the URL, handing along any data, packages the response in HTTP reply format, and encrypts it with the response key for the client proxy to unpack.
To chain these, have the client nest the requests, doing a URL that points to another anonymizer script and POSTs an encrypted block. Eventually you'll get to a non-anonymizing URL; it may be interesting to include any expected cookies in the block, so the client can hand them to the destination web server, or to gain some efficiencies by having the cgi script fetch any IMG requests, and sending a bundle of HTTP reply packets instead of just a single one.
The problems -
- How easily can you break the system?
--- Does it leave too many open connections that can be followed?
--- Does the decreasing size of the requests and increasing size of responses make it too easy to trace?
--- What other obvious security holes are there?
- Timeouts or other problems?
- Denial of service attacks?
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639

Sorry for the slow reply. Any http anonymizer not using link padding is subject to trivial traffic analysis. See the "Pipe-net" thread in the archive. Also see the graphs at http://www.onion-router.net/Vis.html
What makes the graphs all the more impressive is that the OR people used to argue against my claim that you need link padding. They don't argue any more. ;-)
--Lucky
On Sat, 14 Nov 1998, Bill Stewart wrote:
At 11:47 PM 11/11/98 +0100, Lucky Green wrote:
On Wed, 11 Nov 1998, Bill Stewart wrote:
An interesting project would be a free low-volume anonymizer cgi for Apache, given the large number of current users and the much larger number of people who will run web servers once they have cable modems.
How do you do chaining with a cgi?
Looks easy enough to do, if a bit ugly, where "ugly" is somewhat equivalent to "build yet another local proxy widget to hide the gory details", though it's not really much uglier than doing a good anonymizer, and getting details like cookies and Java/script right are harder.
Define "encrypted" as "PGP or something like it". It may be possible to gain some efficiencies by using SSL, but not critical.
Take a cgi script and use POST to hand it an encrypted block containing:
    Response-Key:
    HTTP Request, either vanilla URL or cgi URL with GET or POST data.
    Maybe some digicash
    Maybe some additional data
The script fetches the URL, handing along any data, packages the response in HTTP reply format, and encrypts it with the response key for the client proxy to unpack.
To chain these, have the client nest the requests, doing a URL that points to another anonymizer script and POSTs an encrypted block. Eventually you'll get to a non-anonymizing URL; it may be interesting to include any expected cookies in the block, so the client can hand them to the destination web server, or to gain some efficiencies by having the cgi script fetch any IMG requests, and sending a bundle of HTTP reply packets instead of just a single one.
The problems -
- How easily can you break the system?
--- Does it leave too many open connections that can be followed?
--- Does the decreasing size of the requests and increasing size of responses make it too easy to trace?
--- What other obvious security holes are there?
- Timeouts or other problems?
- Denial of service attacks?
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
-- Lucky Green <shamrock@cypherpunks.to> PGP v5 encrypted email preferred.
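
The nested-request chaining Bill Stewart describes, and the request-size question that he and Lucky Green raise about it, as an added example that is not code from anyone in this thread. The block layout, the `seal`/`unseal` stand-in for "PGP or something like it", the hop URLs and the 2048-byte cell size are all assumptions made for illustration; only the request direction is modelled, so the response key is carried but unused.

```python
import hashlib, hmac, os

CELL = 2048  # constructed fixed link size used by the padded variant

def _ks(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, payload):
    """Stand-in for "PGP or something like it"; illustration only, not a vetted cipher."""
    nonce = os.urandom(16)
    plain = len(payload).to_bytes(4, "big") + payload
    body = _xor(plain, _ks(key, nonce, len(plain)))
    return nonce + hmac.new(key, nonce + body, hashlib.sha256).digest() + body

def unseal(key, blob):
    """Open one layer, ignoring any link padding that follows the sealed body."""
    nonce, tag, rest = blob[:16], blob[16:48], blob[48:]
    n = int.from_bytes(_xor(rest[:4], _ks(key, nonce, 4)), "big")
    body = rest[:4 + n]
    good = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if len(body) != 4 + n or not hmac.compare_digest(tag, good):
        raise ValueError("bad layer")
    return _xor(body, _ks(key, nonce, len(body)))[4:]

def build_chain(hops, target_url):
    """hops: [(script_url, key), ...] in path order; returns the POST body for hops[0]."""
    url, post = target_url, b""
    for script_url, key in reversed(hops):
        # Block layout (assumed): response key | URL length | URL | POST data
        block = os.urandom(16) + len(url).to_bytes(2, "big") + url.encode() + post
        url, post = script_url, seal(key, block)
    return post

def walk(hops, target_url, pad=False):
    """Simulate every script peeling its layer; return (bytes seen per link, final URL)."""
    keys = dict(hops)
    url, post, sizes = hops[0][0], build_chain(hops, target_url), []
    while url in keys:
        wire = post + os.urandom(max(0, CELL - len(post))) if pad else post
        sizes.append(len(wire))
        block = unseal(keys[url], wire)
        n = int.from_bytes(block[16:18], "big")
        url, post = block[18:18 + n].decode(), block[18 + n:]
    return sizes, url

# Constructed sample path: three hypothetical anonymizer scripts, one key each.
HOPS = [(f"http://hop{i}.example/cgi-bin/anon", os.urandom(32)) for i in (1, 2, 3)]
```

Without padding, `walk` reports a request that shrinks by the same fixed amount at every hop, which lets an observer of several links line them up; with `pad=True` every link carries `CELL` bytes. Padding sizes alone does not address the timing and open-connection questions raised in the thread.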

On Sat, 14 Nov 1998, Bill Stewart wrote:
At 11:47 PM 11/11/98 +0100, Lucky Green wrote:
On Wed, 11 Nov 1998, Bill Stewart wrote:
An interesting project would be a free low-volume anonymizer cgi for Apache, given the large number of current users and the much larger number of people who will run web servers once they have cable modems.
How do you do chaining with a cgi?
Looks easy enough to do, if a bit ugly, where "ugly" is somewhat equivalent to "build yet another local proxy widget to hide the gory details", though it's not really much uglier than doing a good anonymizer, and getting details like cookies and Java/script right are harder.
Could something like Hot Lava's proxy http://www.hotlava.com/software/ be a good starting point?
--Steve
participants (5)
- Bill Stewart
- Lucky Green
- Robert Hettinga
- Steve Schear
- Vladimir Z. Nuri