[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: remailers, mail technology
>>>Why would anyone set up a remailer at Lance's (or Sameer's) machine?
>>>They have remailers running already. If the thugs break root and obtain
>>>one remailer key from a machine, they probably get all the keys on that
>>>machine, compromising all the remailers in one single attack. Or am I
>>>missing something? Is there any benefit of multiple remailers on a machine
>>>where root is running his own remailer?
There are multiple threats that remailers have to face; multiple remailers
on one machine are jointly vulnerable to some of them, but separately
vulnerable to others. If there are keys stored in plaintext on a machine,
then root-breakers can steal them (unless it's running a multi-level secure
operating system that can prevent that, if physical security is maintained.)
Thugs confiscating the hardware or trashing the OS obviously break all the
remailers at once, though that's only denial of service and not compromise.
Offline remailers using POP, UUCP, or other mail forwarding also don't risk
compromise (if they only accept encrypted messages), because they don't
keep keys or perform encryption on the ISP's server. For all of these cases,
the remailer-positive ISP provides a certain amount of flak catching,
but can also avoid much of it because _he_ isn't running the remailer -
his customers are, and if the remailer gets abused, maybe they'll have
to become ex-customers. That's especially effective for ISPs that support
customers with their own DNS names - foobar.com is owned by someone other than
Sameer, and if Sameer has to squash them, maybe they start getting hosted
by Lance instead, or by AOL, or by YAISP.SF.CA.US.
Telnet-only shell account providers probably get a little less deniability than
dial-only IP+POP providers or especially dial-only IP-only providers.
(On the other hand, the fact that Sameer's systems are telnet-only means
that users can be spread around to other dial-IP providers, including
all those 10-hour AOLers he just has to keep squashing :-), while if he
had dial-up users the thugs might go for telephone records.
====
What kind of technical infrastructure would help run remailers in environments
like this? I can think of three things
- Encrypted IP sessions (either IPv6, if it ever gets deployed, or swIPe)
- Encrypted POP and SMTP client/server interactions.
- User-based encrypted communications (SSH? SSL?) relaying POP/SMTP.
If we're going to get convenient wide deployment before the millenium brings
IPv6,
the approach will either need to run on shell(-like) accounts only,
or else will need to piggyback on SSL. Either way, rather than get everyone
to replace POP3 with CryptoPOP (they haven't even done IMAP), it'll probably
take some kind of relay that sits on your desktop machine, speaking
POP3-server on one side and CryptoPOP on the other. And you'd have to
handle firewalls.
Is there any way to get Netscape to implement something like pop3: and smtp:
services for the client software (or do them as plug-ins)? Adding them to
a server (i.e.. Apache-SSL) would allow SSL to do the crypto, and would
mean you could use https: proxies to handle firewalls, since everybody's
got to deal with them anyway.
# Thanks; Bill
# Bill Stewart, [email protected], +1-415-442-2215
# goodtimes signature virus innoculation