
Making SURBs usable without mixminion



Dear friends,

One of the stated aims of Mixminion is to allow people that do not benefit 
from it, not to have to install it to communicate with those who do. This is 
the case today for forward anonymous messages, but is still not the case for 
replies. We have relied on a nym server infrastructure to appear, that has 
unfortunately not materialized yet (my fault partly).

Therefore here is a simple proposal for a mechanism that would allow SURBs to 
be used, even without the need to have a nym infrastructure, but just 
modifying current mixminion servers a bit. Like all problems in computer 
science this one can be solved using one level of indirection:

Anonymous Alice sends a message to Bob, that contains a set of SURBs, clearly 
marked as intended for replying to Alice (this will have to be machine 
parseable). A simple mixminion switch can let you specify how many of these 
are to be included (with default zero nothing changes).

When the last mixminion server in the path of the above message receives the 
message, and is about to send it out in the wild wild net as SMTP, it first 
parses the message and extracts all SURBs meant for replying, and sends them 
to the 'Entry server', under a specific index. It then substitutes the 
reply-to address to be the index@xxxxxxxxxxxxxxxxxxxxx Note that the SURBs can 
also be passed on, just in case a Mixminion-enabled client is at the other end.

This way when Bob clicks on reply he sends email to the 'Entry server', that 
uses the SURBs to anonymously route the message. This Entry server can also do 
its housekeeping since each SURB has an expiry date etc, so it should not run 
out of space! There is also no need whatsoever to have a single Entry 
server, and a subset of mixminion servers can take on this role (or even all 
of them if they can have port 25 open -- harsh).

As mentioned before the main issue is that 'Entry servers' will have to be 
listening to port 25 for incoming mail, but also mixminion will have to 
transmit the id and SURBs to them in some way.

From a security point of view I do not think this makes mixminion much more 
vulnerable than it is now (I actually think it is exactly the same -- but feel 
free to prove me wrong). Since SURBs from across messages are not linked 
together in any way, intersection or tracing attacks are not made easier than 
in the current scheme. Integrity can suffer, but we already do not guarantee 
it ... Entry servers do not send any emails out on the Internet so little 
abuse complaining can be expected for the operators.

Have I missed something?

George
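
A sketch of the Entry server bookkeeping described in the message above, added here as an illustration; it is not part of the original post and not Mixminion code. The class and method names, the random per-message index, and the entry.example domain are all assumptions, and the SURB itself is treated as an opaque blob with an expiry time.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Surb:
    blob: bytes        # opaque reply block; the Entry server never decodes it
    expires_at: float  # expiry time (Unix seconds) carried by each SURB


@dataclass
class EntryServerStore:
    """Hypothetical index -> SURB store for the proposed 'Entry server'."""
    domain: str = "entry.example"  # placeholder domain (assumption)
    _by_index: dict = field(default_factory=dict)

    def register(self, surbs):
        """Exit mix hands over the SURBs; returns the Reply-To address."""
        # Assumption: a fresh random index per message, so indexes from
        # different messages cannot be linked to each other.
        index = secrets.token_hex(16)
        self._by_index[index] = list(surbs)
        return f"{index}@{self.domain}"

    def take_surb(self, rcpt_to, now=None):
        """Bob's reply arrived over SMTP: pop one unexpired SURB, or None."""
        now = time.time() if now is None else now
        index, _, domain = rcpt_to.partition("@")
        if domain != self.domain:
            return None
        queue = self._by_index.get(index, [])
        while queue:
            surb = queue.pop(0)  # single use: a SURB is never handed out twice
            if surb.expires_at > now:
                return surb
        self._by_index.pop(index, None)  # nothing usable left: forget the index
        return None

    def housekeeping(self, now=None):
        """Drop expired SURBs and empty indexes; returns indexes still held."""
        now = time.time() if now is None else now
        for index in list(self._by_index):
            live = [s for s in self._by_index[index] if s.expires_at > now]
            if live:
                self._by_index[index] = live
            else:
                del self._by_index[index]
        return len(self._by_index)
```

Because each stored SURB is consumed on use, the number of SURBs Alice includes bounds how many replies Bob can send to one index before it stops working.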