[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Beware of anon.penet.fi message!



-----BEGIN PGP SIGNED MESSAGE-----

David,

> As was said, the doubleblind system is a great idea, but incomplete
> if you want to correspond to someone without revealing your anon id.

Well, I don't agree that doubleblind is a great idea.

For example, if at any time, Alice sends pseudonymously to Bob, Bob can
not reply directly: this would expose his identity at anon.penet.fi.
Bob must reply through a remailer.

Note the irony -- Bob must take special steps to protect his pseudonym
because anon.penet.fi is acting affirmatively to conceal his actual
identity.  If Bob slips up and simply replies, he is exposed.

Hal,

> (It's interesting that he also sent his message via one of the Cypherpunks
> remailers.  Maybe he thought they worked like the Penet remailer and
> he could break anonymity on those as well.)

Actually, I don't know why my message went through a Cypherpunks
remailer -- I didn't ask it to.  I don't know of any weaknesses in
the Cypherpunks remailers (other than extreme vulnerability to social
engineering).

> Evidentally there is positive harm that can occur by automatically
> anonymizing all messages which pass through a remailer.  ... For
> anonymous posting and for mail to a non-anonymous address, it's more
> reasonable to assume that anonymization is desired.  ... But when
> sending a message to an anonymous address, it's not known whether the
> sender wants to be anonymized or not.

I think it's imperative that the sender use X-Anon-To to be
pseudonymous.  This is consistent with the principle of least
astonishment.

> It might seem that people should just be careful about what they
> send through Penet, but there are some problems with this.  What do
> you do if you get a message from [email protected] asking for
> advice on cryptography mailing lists?  If you reply, your questioner
> can figure out who the reply is coming from, and sees your Penet
> alias.  There is no way to prevent this from happening currently.

A Cypherpunks remailer can be used to conceal the correspondent's
pseudonymous identity.

> Also, I have seen proposals that anonymous ID's should be made less
> recognizable, so that instead of [email protected] we would have
> [email protected].  In such a situation it might be tedious to
> scrutinize every email address we send to (via replies, for example)
> to make sure it isn't a remailer where you have an anonymous ID.

It would be a real boon to make pseudonyms less prominent -- this
seems to have kicked over a hornet's nest on USENET (even though
pseudonyms have been quietly in use for years).  But were this the
case, scrutiny would be an understatement.

> All in all, I think some changes need to be made in how anonymous
> addresses are used and implemented in order to provide reasonable
> amounts of security.

I agree that more discussion is in order.  I'm especially concerned 
about the broader issues regarding anonymity through remailers.

DEADBEAT

-----BEGIN PGP SIGNATURE-----
Version: 2.1

iQBFAgUBK4mrrvFZTpBW/B35AQE+PQGAh69FcaATFD05lIuhqqK8ZMmV+8xNi/LN
7kxDSgFgB9J/A9rRgAL6S1Ux2ojU4opP
=RGlc
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
To find out more about the anon service, send mail to [email protected].
Due to the double-blind system, any replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to [email protected].
*IMPORTANT server security update*, mail to [email protected] for details.