Who subscribes to the list?
If you're worried that someone might find out who is subscribed to the list by querying some of the majordomos, don't bother. I already have a list of all your IP addresses.

Sendmail has a nice feature which checks all the sender or recipient addresses by doing DNS lookups on them. My nameserver is watching you. :)

P.S. I'm sure none of you would be foolish enough to use penet-style remailers which do not encrypt the message headers.
In <199706070022.RAA04412@myriad.alias.net>, on 06/06/97 at 05:22 PM, ghio@temp0093.myriad.ml.org (Matthew Ghio) said:

> If you're worried that someone might find out who is subscribed to the list by querying some of the majordomos, don't bother. I already have a list of all your IP addresses.
>
> Sendmail has a nice feature which checks all the sender or recipient addresses by doing DNS lookups on them. My nameserver is watching you. :)
>
> P.S. I'm sure none of you would be foolish enough to use penet-style remailers which do not encrypt the message headers.

Your point being??

--
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
William H. Geiger III wrote:
> > P.S. I'm sure none of you would be foolish enough to use penet-style remailers which do not encrypt the message headers.
>
> Your point being??

While I am sure most readers of this list are well aware that remailed messages which are not encrypted and chained are not secure, there is a class of users who are not yet aware of this fact. I was pointing out the relative ease with which their identities could be compromised by someone simply logging DNS traffic. In addition, there was some recent discussion over whether or not it was possible to obtain the subscriber list from cyberpass.net and algebra.com. Even if the subscriber list is not published, there is an alternative method to determine who subscribes to the list.

There are, of course, other methods, such as Return-Receipt headers and embedded html tags, but tracking DNS traffic tends to be easy to do on a wide scale without alerting the subjects that you are investigating.
Matthew Ghio wrote:
> William H. Geiger III wrote:
> > > P.S. I'm sure none of you would be foolish enough to use penet-style remailers which do not encrypt the message headers.
> >
> > Your point being??
>
> While I am sure most readers of this list are well aware that remailed messages which are not encrypted and chained are not secure, there is a class of users who are not yet aware of this fact. I was pointing out the relative ease with which their identities could be compromised by someone simply logging DNS traffic. In addition, there was some recent discussion over whether or not it was possible to obtain the subscriber list from cyberpass.net and algebra.com. Even if the subscriber list is not published, there is an alternative method to determine who subscribes to the list.
>
> There are, of course, other methods, such as Return-Receipt headers and embedded html tags, but tracking DNS traffic tends to be easy to do on a wide scale without alerting the subjects that you are investigating.

Another danger of using remailers without encryption is that it is very easy to compromise one's identity due to little mistakes and malformed messages.

- Igor.
Igor Chudov @ home wrote:
> Another danger of using remailers without encryption is that it is very easy to compromise one's identity due to little mistakes and malformed messages.

Yup, apparently relay.com and reply.com have gotten quite a bit of remailer@replay.com's mail. In fact, relay.com has complained about this several times. (Obviously they were reading the misdirected mail.)
Anonymous wrote:
> Igor Chudov @ home wrote:
> > Another danger of using remailers without encryption is that it is very easy to compromise one's identity due to little mistakes and malformed messages.
>
> Yup, apparently relay.com and reply.com have gotten quite a bit of remailer@replay.com's mail. In fact, relay.com has complained about this several times. (Obviously they were reading the misdirected mail.)

What do remailer operators think about requiring all incoming messages to be encrypted? Would that bring more good than harm?

- Igor.
At 08:49 PM 6/6/97 -0500, Igor Chudov @ home wrote:
> What do remailer operators think about requiring all incoming messages to be encrypted? Would that bring more good than harm?

For security, you need encryption. There's really no question about it, and a non-encrypted remailer chain is a joke. For convenience, you'd rather not need user-visible encryption, but SSL lets you do an encrypted web interface without the user needing to do any work. The catch is that it becomes much harder to do chained encryption - if the cgi remailer program does it, the connections from the web remailer through the chain are secure, but the user still needs to trust the web-remailer.

You may not _want_ too much convenience, to discourage spammers, but you may be willing to tolerate a joke level of security as long as the joke is good enough and enjoyed by enough people....

On the balance, I'd say encrypt.

# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)
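The policy discussed in the last two messages, requiring every incoming remailer message to be encrypted, sketched as an intake check. This is an added example, not part of the thread and not any remailer's actual code; the `check_incoming` function, the accepted `::` / `Encrypted: PGP` pseudo-header lines and all sample messages are assumptions constructed for illustration.

```python
import email
import re

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"
# One radix-64 data line, or the "=XXXX" checksum line that ends the armor.
RADIX64 = re.compile(r"^(?:[A-Za-z0-9+/]+={0,2}|=[A-Za-z0-9+/]{4})$")
# Assumption: these pseudo-header lines may precede the armor block.
PSEUDO_HEADER = {"::", "Encrypted: PGP"}

def check_incoming(raw):
    """Return (accepted, reason) for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    if msg.is_multipart():
        return False, "multipart body"
    state = "before"
    for line in (l.strip() for l in msg.get_payload().splitlines()):
        if state == "before":
            if line == BEGIN:
                state = "armor-headers"
            elif line and line not in PSEUDO_HEADER:
                # Covers plain requests and clearsigned (signed, not encrypted) mail.
                return False, "cleartext before armor"
        elif state == "armor-headers":
            if not line:
                state = "armor-body"
            elif ": " not in line:
                return False, "malformed armor header"
        elif state == "armor-body":
            if line == END:
                state = "after"
            elif not RADIX64.match(line):
                return False, "non-armor data inside block"
        elif line:  # state == "after": anything trailing leaks in the clear
            return False, "cleartext after armor"
    if state != "after":
        return False, "no complete PGP message block"
    return True, "encrypted"

# Constructed samples; the armor payload is filler, not real ciphertext.
HDR = "From: user@example.org\nTo: remailer@example.net\nSubject: x\n\n"
ARMOR = BEGIN + "\nVersion: 2.6.3a\n\nQUJDREVGR0hJSktMTU5PUA==\n=AbCd\n" + END + "\n"
ENCRYPTED = HDR + "::\nEncrypted: PGP\n\n" + ARMOR
PLAINTEXT = HDR + "::\nAnon-To: someone@example.com\n\nhello\n"
SIGNED_ONLY = HDR + "-----BEGIN PGP SIGNED MESSAGE-----\n\nhello\n"
TRAILING = ENCRYPTED + "\nP.S. reply to me at home\n"

if __name__ == "__main__":
    for name in ("ENCRYPTED", "PLAINTEXT", "SIGNED_ONLY", "TRAILING"):
        print(name, check_incoming(globals()[name]))
```

The check covers framing only: it does not prove the block decrypts under the remailer's key, so the decryption step still has to fail closed.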
participants (6)
- Bill Stewart
- ghio@temp0093.myriad.ml.org
- ghio@temp0094.myriad.ml.org
- ichudov@Algebra.COM
- nobody@REPLAY.COM
- William H. Geiger III