[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
reader anonymity (Re: [freehaven-dev] eternity USENET comparison)
> > > - Eternity USENET actually provides pretty aggressive
> > > Reader Anonymity: consider how hard it would be to track
> > > down which internet users read a given alt newsgroup post.
> > I don't need to be able to tell who's reading it to violate reader
> > anonymity; I just need to be able to, given two people one of whom is
> > a reader, pick the reader substantially more than half the time. That
> > is, I just need to be able to tell if Bob is a reader, given some Bob.
> The moral of the story seems to be that we need to break down "reader
> anonymity" and "reader" some more. There seem to be several different
> notions lurking here.
Yup. I was about to reply that it depends what type of reader
anonymity one is considering.
For reader anonymity there are a whole bunch of attacks which an
attacker might want to execute:
(1) document readership - determine readers of given document
(2) confirm reader suspicion - confirm suspicions about whether a
given internet user read a given document
(3) user base - get a list of users of the service
(4) confirm use - confirm suspicions about whether a given internet
user uses the service
Brian seemed to focus on confirming readers of the document.
Depending on the software configuration, and how powerful the
attacker is, eternity USENET can defend against all of those
There are a number of different configurations of the eternity USENET
(a) users of public proxies (proxy running SSL, local newspool)
(b) users of public proxies (proxy not running SSL, remote newserver)
(c) users of local proxy client (local newspool, or local newsserver)
(d) users of local proxy client (remote newsserver)
Attack (1) finding document readership requires host compromise
for config (c), and is expensive for (d), but relatively cheap for (b),
and not that hard for (a), as SSL doesn't hide response size.
Attack (2) confirm reader suspicion means first doing attack (4),
which itself may require host compromise in config (c), but otherwise
is relatively easy to achieve by monitoring the targetted users
Defending against (3) finding user base is pretty hard to protect
against without a prexisting massively distributed anonymous
broadcast channel, and I don't think any other currently fielded
or proposed systems other than Eternity USENET stand a chance of
doing this. This is why I say Eternity USENET provides strong
Eternity USENET achieves this for the proportion of users using
configuration (c). There are probably 100s of thousands to
millions of users with the existing network infrastructure to be
config (c) users. The resources required to obtain an exhaustive
list of users (3) for users using configuration (c) are massive
compared to other systems with fielded nodes in the low tens or
The success of attack (4) against config (c) depends on whether
the attacker can compromise host security. For other configs
is relatively easy.