semi-anon test from a throwaway account part deux

Trei, Peter ptrei at rsasecurity.com
Wed Mar 28 15:53:03 PST 2001


> Jim Choate[SMTP:ravage at einstein.ssz.com] wrote: 
> On Wed, 28 Mar 2001, Anonymous Coredump wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > 
> > On Wed, 28 Mar 2001, Morlock Elloi wrote:
> > 
> > > There is no anonymizer/webmail combination that works, AFAIK. The barrier
> > > are the cookies. They're not stoopid.
> > 
> > Anonymizer.com does cookie blocking with the premium accounts, I believe.
> 
> And now they have your credit card #...
> 
Jim: You really don't like to let facts get in the way of your 
brilliance, do you?

Check: https://www.anonymizer.com/signup/sign_up.shtml. To quote:

----------------------------
Step 2: Please select a method of payment
Method of payment:

[ ]  Visa or Mastercard 
[ ]  PayPal, Cash, Check, or Money Order 

Should you wish to pay for Anonymizer Window Washer by Cash/Check/
Money Order, you will only be admitted to the download site following our
receipt of your payment.

Applicant assumes responsibility for lost cash payments sent via postal
mail.
----------------------------

(The context makes it clear that straight anonymized web 
access can be obtained via cash/money order as well.)

There are a number of other anonymizing services out there, 
all of which seem to have slightly different threat models, and 
none of which are 100% satisfactory.

The parties involved are

Bob, the user who wants to surf.
Fred, who runs the firewall Bob has to go through. Fred is also
         any observer undesired by Bob.
Webster, who runs the site Bob wants to see anonymously.
Alice, who runs the anonymizer.

Alice worries about:

1. Can Webster track a request back to Bob?
2. Can Fred see what URLs Bob is visiting?
3. Can Fred see what content those URLs send back?
4. Can Alice see what URLs Bob is visiting?
5. Can Alice see what content those URLs send back?
6. Can Fred tell that Bob is using Alice?

(I'm not going to get into cookies. Most anonymizers try to
do something semi-intelligent with them.)

Here are three: 

They all protect against Worry 1.

None protect against Worries 4 & 5, though if you could chain anonymizers,
you'd be partway there.

Some protect against Worries 2 and/or 3.

Only one partially protects against Worry 6.

-----
www.anonymizer.com

Free version anonymizes user to web site. 

Pay version claims to encrypt URLs so firewalls
can't log where you're visiting. Does not encrypt content,
but premium service allows surfing through an SSH 
connection to protect content from snooping on its way 
to and from www.anonymizer.com, so a firewall can't 
log you. This does require SSH ports to be usable.

Free version is slow.
-------

www.cotse.com
Free

Anonymizes user to website.
Does not encrypt data, but does encrypt URLs. Most
firewalls won't know what you're doing, unless they're
scanning content.

Slow.
---------

www.safeweb.com
Free.
Encrypts all data coming from website, but does not 
obscure URLs in requests.
Pretty fast. Lots of configurable
options for cookies, etc.

'Triangle Boy' option obscures to firewall that you are going
thru an anonymizer, but places your requests in the hands
of a P2P service running on unknown host(s) of undetermined
trustworthiness.

Safeweb apparently has the CIA as one of its clients, which
gives some people pause.

--------------------

If Safeweb obscured URLs in a similar manner to COTSE, I'd
be pretty happy.

Peter Trei




