So I was sitting in the bath this-morning and I think I may have the
beginnings of an idea about how to address this issue which borrows
slightly from Brandon's proposal, but shouldn't break network topology -
it isn't perfect, but it may be enough.
Let's say, on the introduction of public/private key inter-node comms, a
node address looks like ptcp/x.x.x.x:yy/PUBKEYPUBKEY
What if we define a new address type, called a "Shadow Address", which
looks like this:
stcp/x.x.x.x:yy/PUBKEYPUBKEY/CYPHERTEXTCYPHERTEXT
Where the cypertext is a node address (with some added random salt to
thwart traffic analysis) encrypted using the public key. When a node
wishes to send a message to a ShadowAddress they must forward it to the
node at x.x.x.x:yy which will decrypt it and forward it to the decrypted
address.
This means that if you fear for your anonymity, you can choose one or more
"shield nodes" which you can hide behind in this manner, and use that
address whenever you set the DataSource field in a message. The more
shield nodes the better, but you are fucked as soon as you choose a
compromised shield node, or one of your shield nodes is compromised and
you keep using it. You may also want to reject incoming connections from
non-shield nodes. You may also want to avoid sending messages to
non-shield nodes if you wish to be ultra paranoid (although not doing this
will increase the performance of your node).
Of course, if everybody ran a shadow node, it wouldn't work too well,
however the idea is that only people who really need to (such as those who
have been warned by their ISP, or who are in a totalitarian state) would
actually take this precaution.
Like I said, not perfect, but perhaps a start.
Ian.
PGP signature
