
Re: cfs & remailers



On Wed, 17 Aug 1994 16:42:33 -0500 (EST)  Jim Hart wrote:
--------
> 
> > The people whose security would be helped are those who do a single hop or 
> > send unencrypted mail through the remailer.  People who use the remailer
> > properly already have encrypted their mail.
> 
> But they'd still be in your logs, unless you immediately delete
> or encrypt your logs.  If you keep logs to help debug your
> system, snoop-proofing those logs is a good idea.

I skipped a step in giving my assumptions.  By "people who use the remailer
properly" I mean people who encrypt AND chain through multiple remailers.

In that case, even if I were to keep logs, all that anyone would know from
a message is that a particular user used a remailer, or that a particular
cleartext message had a certain remailer as its jumpoff point.  Not both.
(Unless, of course, I'm in collusion with other remailer operators.  But that's
also a non-code issue.)

I'm not interested/concerned with preserving the security of the people who
don't chain and encrypt.

> 
> Also CFSing mail spools just for regular e-mail is a good idea,
> to help enforce the ECPA.   I hope this becomes standard policy
> on the Internet.

That's an interesting and valid point.  I can see some sense in an
encrypted file system for mail spools, just to highlight a philosophical
point or to help create a new net-wide philosophy for the handling of email.
I'm not sure that security is improved, however.

I half-expect Eric or Tim to jump in here to point out that this is one
of those situations where you have to define who your enemy is, and to make
sure that your efforts apply to the situation.

My personal situation is, I run a remailer on a home Unix machine via a 
phone line UUCP feed.  I am the only user of this machine, so I do not
have to defend against users with local access.  My efforts are intended to
block the following foes: my service provider and any node upstream of it,
thieves/misguided law enforcement types, and phone taps.  Encrypting something
that I receive in the clear over an insecure line isn't useful.

Of course, this is very specific to my situation.  I expect that there exist
sites where running CFS for the spools makes sense.  The fact that Matt Blaze
has said he has put some effort into making that possible just reinforces that.

This conversation is making me think that I should follow some other remailers
and make the remailer at rebma only allow encrypted traffic, since I have such
a low opinion of unencrypted traffic.

Now, when we're all running our mail traffic over something like swIPe, such
that all connections are encrypted...  And if I got an encrypted UUCP
connection...  That might change things.

Then again, if you want security, encrypt it and chain remailers, regardless.

Sorry.  I'm rambling.  I won't dignify it by calling it "brainstorming."....

-Bill
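
The point above about chaining and logs, as an added example that is not part of the original message: a toy model in which each remailer logs who handed it a message, where it forwarded it, and what it sent on. The hop names, addresses, keys and the `toy_cipher` stand-in for PGP are all assumptions made for illustration, and collusion is modelled simply as operators pooling their logs.

```python
import hashlib, json

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Stand-in for PGP; not secure."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(chain, keys, recipient, body: bytes):
    """Nest one encrypted layer per remailer, innermost for the last hop."""
    next_hop, payload = recipient, body
    for name in reversed(chain):
        layer = json.dumps({"to": next_hop, "data": payload.hex()}).encode()
        next_hop, payload = name, toy_cipher(keys[name], layer)
    return next_hop, payload

def run_chain(sender, chain, keys, recipient, body: bytes):
    """Relay the message; return each operator's log entry and what is delivered."""
    logs, prev = {}, sender
    hop, payload = wrap(chain, keys, recipient, body)
    while hop in keys:
        layer = json.loads(toy_cipher(keys[hop], payload))
        payload = bytes.fromhex(layer["data"])
        logs[hop] = {"from": prev, "to": layer["to"], "out": payload}
        prev, hop = hop, layer["to"]
    return logs, payload

def can_link(logs, pooled, sender, body: bytes) -> bool:
    """Can the operators in `pooled`, sharing logs, tie sender to cleartext?"""
    hop = next((h for h in pooled if logs[h]["from"] == sender), None)
    while hop in pooled:
        if logs[hop]["out"] == body:
            return True
        hop = logs[hop]["to"]
    return False

if __name__ == "__main__":
    keys = {"hop1": b"k1", "hop2": b"k2", "hop3": b"k3"}  # constructed values
    sender, rcpt, body = "alice@example.org", "list@example.net", b"hello"
    logs, _ = run_chain(sender, list(keys), keys, rcpt, body)
    for who in ({"hop1"}, {"hop3"}, {"hop1", "hop3"}, set(keys)):
        print(sorted(who), can_link(logs, who, sender, body))
```

A single-hop chain makes `can_link` true for that one operator alone, which is the case the message sets aside as improper use.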