[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering))



In message <[email protected]> "Timothy C. May" writes:
> Jim Dixon writes:
> (quoting Hal Finney)
> > > If this idea seems valid, it suggests that the real worth of a network of
> > > remailers is to try to assure that there are at least some honest ones
> > > in your path.  It's not to add security in terms of message mixing; a
> > > single remailer seems to really provide all that you need.
> > 
> > Yes, in an ideal world.  Each additional remailer introduces another
> > chance of being compromised.
> 
> No, I'm afraid you have this backwards. A remailer cannot introduce
> a chance of increase the chance of being compromised.

There are at least two models of remailer networks being kicked around.
In what I have called RemailerNet, if a gateway is compromised, then
some degree of traffic analysis is possible, and other parts of the
system become less secure.

Security increases when there are two remailers handling your traffic,
because then neither should know the identity of both sender and receiver.
Whether the addition of more intervening remailers increases the security
of the system in RemailerNet is a complex question.

In the second model of remailer networks, I also believe that using
more than two remailers and the random selection of remailers decreases
the security of the system if there is regular traffic between
correspondents.  To argue this at all, one would need a much clearer
model with all of the assumptions spelled out in detail.  For the
argument to be interesting, the model would have to be realistic.
My personal impression is that the second model is highly insecure
in cases where there is regular traffic between two parties and some
third party has significant resources.
--
Jim Dixon