Re: [Cryptography] prism proof email, namespaces, and anonymity
John Kelsey writes:
> In the overwhelming majority of cases, I know and want to know the
> people I'm talking with. I just don't want to contents of those
> conversations or the names of people I'm talking with to be revealed
> to eavesdroppers. And if I get an email from one of my regular
> correspondents, I'd like to know it came from him, rather than being
> spoofed from someone else.
That's a good description of stealthmail [1]. My only regret is that it
badly needs an update and I don't have time these days to work on it.
But it still works out of the box. Here's the Debian description:
Package: stealthmail
Architecture: all
Pre-Depends: gnupg
Depends: procmail, esubbf, openssl, dc, libssl0.9.6 | libssl0.9.7,
fetchmail | kmail, suck, ppp, solid-pop3d, exim | exim4, dpkg (>= 1.10.21),
grep (>= 2.5), bash (>= 2.05b), ${shlibs:Depends}, ${misc:Depends}
Description: scripts to hide whether you're doing email, or when, or with whom
Maintain on-going random cover traffic via usenet newsgroup
alt.anonymous.messages, substituting encrypted live traffic when
available. A live message is indistinguishable from a random cover
message except with the decryption keys. All potential participants
send messages to alt.anonymous.messages with rigid periodicity
uncorrelated with any live traffic, and maintain an uninterrupted
full feed from alt.anonymous.messages, so that an observer cannot
determine whether, when, or among whom live communication is
happening.
.
Members of a "stealthmail group" -- call it "OurGroup" for purposes
of this discussion -- are defined by their knowledge of the
encryption keys created for the group. With this package installed,
mail addressed to OurGroup@stealthmail does not go directly to the
Internet like ordinary mail, but gets encrypted by the OurGroup key,
given an encrypted subject intelligible only with OurGroup keys, and
queued to go to alt.anonymous.messages in place of a piece of cover
traffic at the next scheduled sending time. Meanwhile, all messages
appearing on alt.anonymous.messages are downloaded into an incoming
queue. A POP3 server runs on the local host. The mail reader is
provided with filters so that when it fetches mail from this local
server, messages having subject lines encrypted for OurGroup (or any
other stealthmail group of which this host is a member) are decrypted
by the appropriate key and presented. Other messages are discarded.
[1] See mailto URL below.
--
-- StealthMonger
Long, random latency is part of the price of Internet anonymity.
anonget: Is this anonymous browsing, or what?
http://groups.google.ws/group/alt.privacy.anon-server/msg/073f34abb668df33?dmode=source&output=gplain
stealthmail: Hide whether you're doing email, or when, or with whom.
mailto:stealthsu...@nym.mixmin.net?subject=send%20index.html
Key: mailto:stealthsu...@nym.mixmin.net?subject=send%20stealthmonger-key
pgpqkHhnE3m__.pgp
Description: PGP signature
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] prism proof email, namespaces, and anonymity
On Sep 15, 2013, at 7:47 AM, Adam Back wrote: > Another design permutation I was thinking could be rather interesting is > unobservable mail. That is to say the participants know who they are > talking to (signed, non-pseudonymous) but passive observers do not. It > seems to me that in that circumstance you have more design leverage to > increase the security margin using PIR like tricks than you can with > pseudonymous/anonymous - if the "contract" is that the system remains very > secure so long as both parties to a communication channel want it to remain > that way. This seems like the main way most people would want PPE to work--like email they have now, but much more secure and resistant to abuse. In the overwhelming majority of cases, I know and want to know the people I'm talking with. I just don't want to contents of those conversations or the names of people I'm talking with to be revealed to eavesdroppers. And if I get an email from one of my regular correspondents, I'd like to know it came from him, rather than being spoofed from someone else. For most people, I'm pretty sure the security problems with email are centered around the problem of getting unwanted communication from people you don't want to hear from, some of which may manage install malware on your computer, others of which want to waste your time with scam ads, etc. A PPE scheme that solves that problem can get a lot more users than one that doesn't, and may even eventually take over from the current kind of email. > Adam --John ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] prism proof email, namespaces, and anonymity
On Fri, Sep 13, 2013 at 04:55:05PM -0400, John Kelsey wrote: The more I think about it, the more important it seems that any anonymous email like communications system *not* include people who don't want to be part of it, and have lots of defenses to prevent its anonymous communications from becoming a nightmare for its participants. Well you could certainly allow people to opt-in to receiving anonymous email, send them a notification mail saying an anonymous email is waiting for them (and whatever warning that it could be a nastygram, as easily as the next thing). People have to bear in mind that email itself is not authenticated - SMTP forgeries still work - but there are still a large number of newbies some of whom have sufficiently thin skin to go ballistic when they realize they received something anonymous and not internalized the implication of digital free-speech. At ZKS we had a pseudonymous email system. Users had to pay for nyms (a pack of 5 paid per year) so they wouldnt throw them away on nuisance pranks too lightly. They could be blocked if credible abuse complaint were received. Another design permutation I was thinking could be rather interesting is unobservable mail. That is to say the participants know who they are talking to (signed, non-pseudonymous) but passive observers do not. It seems to me that in that circumstance you have more design leverage to increase the security margin using PIR like tricks than you can with pseudonymous/anonymous - if the "contract" is that the system remains very secure so long as both parties to a communication channel want it to remain that way. There were also a few protocols for to facilitate anonymous abuse resistant emails - user gets some kind of anonymously refreshable egress capability token. If they abuse they are not identified but lose the capability. eg http://www-users.cs.umn.edu/~hopper/faust-wpes.pdf Finally there can be different types of costs for nyms and posts - creating nyms or individual posts can cost real money (hard to retain pseudonymity), bitcoin, or hashcash, as well lost reputation if a used nym is canceled. Adam ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] prism proof email, namespaces, and anonymity
On Fri, Sep 13, 2013 at 10:12 PM, Perry E. Metzger wrote: > On Fri, 13 Sep 2013 16:55:05 -0400 John Kelsey > wrote: > > Everyone, > > > > The more I think about it, the more important it seems that any > > anonymous email like communications system *not* include people who > > don't want to be part of it, and have lots of defenses to prevent > > its anonymous communications from becoming a nightmare for its > > participants. If the goal is to make PRISM stop working and make > > the email part of the internet go dark for spies (which definitely > > includes a lot more than just US spies!), then this system has to > > be something that lots of people will want to use. > > > > There should be multiple defenses against spam and phishing and > > other nasty things being sent in this system, with enough > > designed-in flexibility to deal with changes in attacker behavior > > over tome. > > Indeed. As I said in the message I just pointed Nico at: > http://www.metzdowd.com/pipermail/cryptography/2013-August/016874.html > > Quoting myself: > >Spam might be a terrible, terrible problem in such a network since >it could not easily be traced to a sender and thus not easily >blocked, but there's an obvious solution to that. I've been using >Jabber, Facebook and other services where all or essentially all >communications require a bi-directional decision to enable messages >for years now, and there is virtually no spam in such systems >because of it. So, require such bi-directional "friending" within >our postulated new messaging network -- authentication is handled >by the public keys of course. > The keys. This to me is the critical point for widespread adoption, key management. How do you do this in a way that doesn't put people off immediately. There are two new efforts I'm aware if trying to solve this in a user friendly way are https://parley.co/#how-it-works and http://mailpile.is. Parley's approach does at least deal with the longevity of the private key although it does boil security down to a password, if I can obtain their packet and the salt I can probably brute force the password. I've exchanged mails with the mailpile.is guys and I think they're still looking at the options. Max ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] prism proof email, namespaces, and anonymity
On Fri, 13 Sep 2013 16:55:05 -0400 John Kelsey wrote: > Everyone, > > The more I think about it, the more important it seems that any > anonymous email like communications system *not* include people who > don't want to be part of it, and have lots of defenses to prevent > its anonymous communications from becoming a nightmare for its > participants. If the goal is to make PRISM stop working and make > the email part of the internet go dark for spies (which definitely > includes a lot more than just US spies!), then this system has to > be something that lots of people will want to use. > > There should be multiple defenses against spam and phishing and > other nasty things being sent in this system, with enough > designed-in flexibility to deal with changes in attacker behavior > over tome. Indeed. As I said in the message I just pointed Nico at: http://www.metzdowd.com/pipermail/cryptography/2013-August/016874.html Quoting myself: Spam might be a terrible, terrible problem in such a network since it could not easily be traced to a sender and thus not easily blocked, but there's an obvious solution to that. I've been using Jabber, Facebook and other services where all or essentially all communications require a bi-directional decision to enable messages for years now, and there is virtually no spam in such systems because of it. So, require such bi-directional "friending" within our postulated new messaging network -- authentication is handled by the public keys of course. > Some thoughts off the top of my head. Note that while I think all > these can be done with crypto somehow, I am not thinking of how to > do them yet, except in very general terms. > > a. You can't freely send messages to me unless you're on my > whitelist. That's my solution. As I note, it seems to work for Jabber, Facebook and other such systems, so it may be sufficient. > b. This means an additional step of sending me a request to be > added to your whitelist. This needs to be costly in something the > sender cares about--money, processing power, reputation, solving a > captcha, rate-limits to these requests, whatever. I'm not sure about that. Jabber doesn't really rate limit the number of friend requests I get per second but I don't seem to get terribly many, perhaps because fakes at most could hide some attempted phish in a user@domain name, which isn't very useful to scammers. > g. The format of messages needs to be restricted to block malware, > both the kind that wants to take over your machine and the kind > that wants to help the attacker track you down. Plain text email > only? Some richer format to allow foreign language support? My claim that I make in my three messages from August 25 is that it is probably best if we stick to existing formats so that we can re-use existing clients. My idea was that you still talk IMAP and SMTP and Jabber to a server you control (a $40 box you get at Best Buy or the like) using existing mail and chat clients, but that past your server everything runs the new protocols. In addition to the message I linked to above, see also: http://www.metzdowd.com/pipermail/cryptography/2013-August/016870.html http://www.metzdowd.com/pipermail/cryptography/2013-August/016872.html for my wider proposals. I agree this makes email delivered malware continue to be a bit of a problem, though you could only get it from your friends. Perry -- Perry E. Metzgerpe...@piermont.com ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] prism proof email, namespaces, and anonymity
Everyone, The more I think about it, the more important it seems that any anonymous email like communications system *not* include people who don't want to be part of it, and have lots of defenses to prevent its anonymous communications from becoming a nightmare for its participants. If the goal is to make PRISM stop working and make the email part of the internet go dark for spies (which definitely includes a lot more than just US spies!), then this system has to be something that lots of people will want to use. There should be multiple defenses against spam and phishing and other nasty things being sent in this system, with enough designed-in flexibility to deal with changes in attacker behavior over tome. If someone can send participants in the system endless spam or credible death threats, then few people are going to want to participate, and that diminishes the privacy of everyone remaining in the system, along with just making the system a blight in general. If nonparticipants start getting spam from the system, it will either be shunned or shut down, and at any rate won't have the kind of reputation that will move a lot of people onto the system. An ironclad anonymous email system with 10,000 users is a whole lot less privacy-preserving than one with 10,000,000 users. As revelations of more and more eavesdropping come out, we might actually see millions of users want to have something really secure and anonymous, but not if it's widely seen as a firehose o' spam. A lot of the tools we use on the net everyday suffer from having been designed without thinking very far ahead into how they might be exploited or misused--hence spam, malware in PDF files, browser hijacking sorts of attacks, etc. My thought is that we should be thinking of multiple independent defenses against spamming and malware and all the rest, because parasites adapt to their environment. We can't count on "and then you go to jail" as a final step in any protocol, and we can't count on having some friendly utility read millions of peoples' mail to filter the spam if we want this to be secure. So what can we count on to stop spam and malware and other nastiness? Some thoughts off the top of my head. Note that while I think all these can be done with crypto somehow, I am not thinking of how to do them yet, except in very general terms. a. You can't freely send messages to me unless you're on my whitelist. b. This means an additional step of sending me a request to be added to your whitelist. This needs to be costly in something the sender cares about--money, processing power, reputation, solving a captcha, rate-limits to these requests, whatever. (What if the system somehow limited you to only, say, five outstanding requests at a time?). c. Make account creation costly somehow (processing, money, solving a captcha, whatever). Or maybe make creating a receive-only account cheap but make it costly to have an account that can request to communicate with strangers. d. Make sending a message in general cost something. Let receiver addresses indicate what proof of payment of the desired cost they require to accept emails. e. Enable some kind of reputation tracking for senders? I'm not sure if this would work or be a good idea, but it's worth thinking about. f. All this needs to be made flexible, so that as attackers evolve, so can defenses. Ideally, my ppe (prism proof email) address would carry an indication of what proofs your request to communicate needed to carry in order for me to consider it. g. The format of messages needs to be restricted to block malware, both the kind that wants to take over your machine and the kind that wants to help the attacker track you down. Plain text email only? Some richer format to allow foreign language support? h. Attachments should become links to files in an anonymizing cloud storage system. Among other things, this will make it easier to limit the size of the emails in the system, which is important for ensuring anonymity without breaking stuff. What else? I see this as the defining thing that can kill an anonymous encrypted communications system--it can become a swamp of spam and malware and nutcases stalking people, and then nobody sensible will want to come within a hundred meters of it. Alternatively, if users are *more* in control of who contacts them in the prism-proof scheme than with the current kind of email, we can get a lot more people joining. Comments? --John ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
