Re: Making Remailers Widespread

["Mark M." <markm@voicenet.com>]

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 27 Sep 1996, Bill Stewart wrote:

> I've been thinking about how to make one-way remailers a 
> widespread commodity, rather than the novelty item they are today.
> Doing two-way remailers would be better, but that's still a hard problem,
> and I don't want to widely deploy shoddy two-way-remailers.
> 
> Suppose we add form-based remailer support to a popular SSL-equipped
> HTTP server, such as Apache-SSL, by putting remailer.pl and a 
> remailer form in the default setup, which would deploy hundreds of remailers
> with minimal effort.  What would we have to do to make it work well,
> rather than turn into a public relations disaster and spam explosion?

In addition to all the points made below, security would be extremely important
for a remailer cgi script.  If security holes were found in the source code,
it might discourage many web admins from running the script even after the hole
is patched.

> 
> - The remailer script would have to add disclaimers at the beginning
> and/or end of the message reminding readers that the message is
> anonymous, and to contact the remailer cabal rather than the postmaster.
> 
> - Blocking becomes a big problem - it's annoying enough now,
> when there are a small number of remailers with hard-working operators;
> we'd need some sort of automated blocking support to make it
> usable by relatively non-involved operators
> 
> - A centralized block list (e.g. http://www.remailer.net/block.txt)
> which all of the form-based remailers could load and reference would
> allow non-picky operators not to have to handle it themselves
> 
> - Implementing the blocking list as a web form for people who
> want to be blocked would make it relatively painless to use;
> remailer-operators wouldn't have to transcribe email from the
> remailer-operators list to use it, which helps with other problems.

Since maintaining a block list is probably one of the most time-consuming tasks
involved with operating a remailer, it would be a Good Thing to add an option
to the remailer cgi program to operate as a "middleman" remailer.  This would
only require the remailer operator to add or remove entries from a list of
allowed destinations.  The operator wouldn't have to deal with disclaimers and
would only receive complaints from other operators if the remailer is
malfunctioning in some way.

[...]
> Technical question:
> - How do we initiate an http or https PUT from a script?
>         I assume there's probably some perl add-in for posting http/https?
>         Is there a command-line-shell interface that can fetch URLs?

I don't know if any perl modules or *.ph files exist that implement http/https.
Http should be pretty easy, but https would require SSL code.  I think there
are perl modules that contain crypto functions, so https could use the
functions provided in the module.  Netcat can be used pretty easily to fetch
URLs (e.g. echo "GET /foobar.html HTTP/1.0" | nc www.webserver.com 80).  This
will print out the HTML files and cooresponding MIME headers on stdout.

Mark
- -- 
PGP encrypted mail prefered.
Key fingerprint = d61734f2800486ae6f79bfeb70f95348
http://www.voicenet.com/~markm/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv

iQEVAwUBMk1apCzIPc7jvyFpAQGHbwgAvWQgQnZXov/u6ts2eVjbOfG0ogNpkhZa
GuZrX+hNoIJNTO+2aqeKIolnz+5rSz+80FH6iOhr96OftilFr4o7Qug2cS4zHijQ
9JBtvbZ6TljDRnogsc6LInbVz/doHr7vbQmCyFslAdo7uAd/cTK1C9X0cHKewepc
eLa1dv7qJWupcIIYy+KvhDAfGPjuhf7Q5fNYlfQlfKzdNk38ZkPEUyqLCypgQ8Hk
CH+wm5ne5EGvztnR7qgyt6XZk6CU3UQBQCfbLICIQMYdUzy/f7hCBmDjVxXXMNc7
iIAQyLG0c0BJNs4wNmFyREmnL7vbmMqwLAKvP9jk0XgRpXzY9K0cUA==
=uLlT
-----END PGP SIGNATURE-----