reader anonymity (Re: [freehaven-dev] eternity USENET comparison)
dmolnar wrote:
> > > - Eternity USENET actually provides pretty aggressive
> > > Reader Anonymity: consider how hard it would be to track
> > > down which internet users read a given alt newsgroup post.
> >
> > I don't need to be able to tell who's reading it to violate reader
> > anonymity; I just need to be able to, given two people one of whom is
> > a reader, pick the reader substantially more than half the time. That
> > is, I just need to be able to tell if Bob is a reader, given some Bob.
>
> The moral of the story seems to be that we need to break down "reader
> anonymity" and "reader" some more. There seem to be several different
> notions lurking here.

Yup. I was about to reply that it depends what type of reader
anonymity one is considering.

For reader anonymity there are a whole bunch of attacks which an
attacker might want to execute:

(1) document readership - determine readers of given document
(2) confirm reader suspicion - confirm suspicions about whether a
given internet user read a given document
(3) user base - get a list of users of the service
(4) confirm use - confirm suspicions about whether a given internet
user uses the service

Brian seemed to focus on confirming readers of the document.
Depending on the software configuration, and how powerful the
attacker is, eternity USENET can defend against all of those
criteria.

There are a number of different configurations of the eternity USENET
software:

(a) users of public proxies (proxy running SSL, local newspool)
(b) users of public proxies (proxy not running SSL, remote newsserver)
(c) users of local proxy client (local newspool, or local newsserver)
(d) users of local proxy client (remote newsserver)

Attack (1) finding document readership requires host compromise
for config (c), and is expensive for (d), but relatively cheap for (b),
and not that hard for (a), as SSL doesn't hide response size.

Attack (2) confirm reader suspicion means first doing attack (4),
which itself may require host compromise in config (c), but otherwise
is relatively easy to achieve by monitoring the targeted user's
connections.

Defending against (3) finding user base is pretty hard to protect
against without a preexisting massively distributed anonymous
broadcast channel, and I don't think any other currently fielded
or proposed systems other than Eternity USENET stand a chance of
doing this. This is why I say Eternity USENET provides strong
reader anonymity.

Eternity USENET achieves this for the proportion of users using
configuration (c). There are probably 100s of thousands to
millions of users with the existing network infrastructure to be
config (c) users. The resources required to obtain an exhaustive
list of users (3) for users using configuration (c) are massive
compared to other systems with fielded nodes in the low tens or
hundreds.

The success of attack (4) against config (c) depends on whether
the attacker can compromise host security. For other configs
it is relatively easy.

Adam