Major German Anonymity Service compromised

Thu Aug 21 14:05:07 PDT 2003

A number of cypherpunks have asked me about the current JAP situation.
Here's the scoop, as I know it. (I've sent mail to some of the Dresden
folks, but haven't heard back yet.)

This thread on Usenet contains the pertinent information:

http://groups.google.com/groups?selm=f938f87a44e64d6776c635b979aa1c48%40remailer.frell.eu.org&oe=UTF-8&output=gplain

The Java Anonymous Proxy is a real-time web mix system, (originally)
designed to provide web browsing anonymity that couldn't be undermined by
any one proxy operator. Well, no more. The JAP authors silently introduced
a back-channel intended to compromise anonymity of users accessing certain
sites, under the guise of an "obligatory update".

They claim 30,000 total users. That's a large amount of people who are
being lied to about their anonymity. (The JAP website, as of this morning,
was still stating:

"Since many users use these intermediaries at the same time, the internet
connection of any one single user is hidden among the connections of all
the other users.  No one, not anyone from outside, not any of the other
users, not even the provider of the intermediary service can determine
which connection belongs to which user."

Which would be true if not for the backchannel.)

JAP's webpage: http://anon.inf.tu-dresden.de/index_en.html

The JAP operators justify their actions (which were taken to comply with
German law) by stating that their alternative was to shut the system down.
There are a number of problems with this, the first being that anonymity
systems which are contingent upon selective government approval for
anonymity are ill-suited to a global Internet environment: What makes a
court order from Germany, or England, or the US any more valid than a
court order from another net-connected UN member, like China, or France?
If we believe privacy and anonymity to be human rights, then we cannot
build these sort of backdoors into the system and expect them not to be
abused.

Compare the JAP operator's actions with those of Julf Helsingius, operator
of anon.penet.fi (the famous anonymous remailer/pseudonym server):

http://www.penet.fi/press-english.html

Julf closed down his system, which was inherently vulnerable to subpoena
attacks since it stored nym to user mapping information, when he realized
he could be forced to reveal any user's identity by almost any entity
willing to abuse the global legal systems.

Time has shown that was the right choice. Cypherpunk and Mixmaster
remailers, already developed and deployed by this time, rose up in penet's
place, and at this point it would be impossible for anyone to effectively
compromise a user's identity via court order. (There are Mixmaster nodes
operating in almost a dozen countries, and the system is truly designed to
defeat rogue operators.) With the next-generation of remailers on the
horizon (Mixminion and Mixmaster 4.0), ease of use should near that of
Penet. Unfortunately, these are email solutions, and don't address the web
browsing issue that JAP attempted to solve.

Bad anonymity systems are worse than no anonymity systems. JAP has become
a bad anonymity system -- mainly because it represents itself as being far
stronger and more secure than it is.

I am unclear on the JAP source code license. Perhaps it is possible to
restore the code to the uncompromised version, and erect a parallel,
trusted JAP network -- though the damage to its reputation is certainly
severe. This goes to demonstrate again that crypto isn't the only
consideration in an anonymity system: Anonymizer, for instance, is still a
better choice for web anonymity than JAP, even though JAP offered mixing
and independent operators. An anonymity provider should never represent
itself as offering a greater level of protection than is actually offered
-- which is the worst thing that the JAP team did (and is still doing.)

--Len.