does it make any difference
07-29-07 06:13 PM
if you use the same final remailer for every post?
since the remailer cannot determine the true identity
of the poster what difference would it make, apart
from the remop assuming that it's the same person.
Re: does it make any difference
07-29-07 06:13 PM
On Sun, 29 Jul 2007 17:38:24 +0100 (BST), nobody@mixmin.net wrote:
> if you use the same final remailer for every post?
> since the remailer cannot determine the true identity
> of the poster what difference would it make, apart
> from the remop assuming that it's the same person.
No difference at all. I use banana as the last remailer for NG posting with
Omnimix and QS all the time.
Just as an aside, how would the remop assume it's the same person? If they
did it would not be truly anonymous, would it?
Re: does it make any difference
07-30-07 06:13 AM
Father Mike wrote:
> On Sun, 29 Jul 2007 17:38:24 +0100 (BST), nobody@mixmin.net wrote:
>
>
> No difference at all. I use banana as the last remailer for NG
> posting with Omnimix and QS all the time.
"I haven't noticed any compromise, so it must be safe".
Idiot.
>
> Just as an aside, how would the remop assume it's the same person? If
> they did it would not be truly anonymous, would it?
If you're using the same exit node for every message an attacker
already has half of their problem solved for them. They have a common
denominator for all your anonymous messages. At that point figuring out
your true identity becomes a simple matter of replaying a volume of
messages and watching to see when those particular messages appear at
the other end. When that correlation is made, you are owned. And this
is something that can be easily accomplished by an evil entry node, or
any observer between you and *any* entry node.
Re: does it make any difference
07-30-07 12:13 PM
On Mon, 30 Jul 2007 02:55:25 +0200 (CEST), Anonymous wrote in
Message-Id: <794984c078bdf08c46d00d8119be7d55@ecn.org>:
> If you're using the same exit node for every message an attacker
> already has half of their problem solved for them. They have a common
> denominator for all your anonymous messages. At that point figuring out
> your true identity becomes a simple matter of replaying a volume of
> messages and watching to see when those particular messages appear at
> the other end. When that correlation is made, you are owned. And this
> is something that can be easily accomplished by an evil entry node, or
> any observer between you and *any* entry node.
I don't entirely agree with this. Mixmaster messages cannot be replayed
due to protection within the protocol. If the originator posted lots of
messages then I suppose he is slightly partitioned as each post results
in something coming out of Banana. Then again if he always posted to
the same newsgroup, this would be true regardless of which exit was
used.
Maybe I'm missing something. Wouldn't be the first time.
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
Re: does it make any difference
07-30-07 12:13 PM
Anonymous <cripto@ecn.org> wrote:
>Father Mike wrote:
>
>
>"I haven't noticed any compromise, so it must be safe".
>
>Idiot.
Pompous XXX.
>
>If you're using the same exit node for every message an attacker
>already has half of their problem solved for them. They have a common
>denominator for all your anonymous messages. At that point figuring out
>your true identity becomes a simple matter of replaying a volume of
>messages and watching to see when those particular messages appear at
>the other end. When that correlation is made, you are owned. And this
>is something that can be easily accomplished by an evil entry node, or
>any observer between you and *any* entry node.
That's unproven phantasy of an uninformed nitwit.
Type II remailers aren't susceptible to replay attacks. And if you
make a habit of producing dummy traffic, select chains of variable
length or vary overall latency otherwise even the correlation of real
messages to some remailer output doesn't offer relevant data.
Re: does it make any difference
Cyberiade.it Anonymous Remailer
07-30-07 12:13 PM
Anonymous wrote:
>
> That's unproven phantasy of an uninformed nitwit.
>
> Type II remailers aren't susceptible to replay attacks.
Yeahright! That's why Mixminion implemented rotating keys, message
expiration, and message hashing rather than unique "dog tags". Because
Mixmaster is so impervious to replay attacks.
<laughing>
Ironically, part of Mixmaster's resistance to replay attacks IS that
rotating exit node policy. The measures you're referring to expire
after a time and messages can, and ARE replayed through the network.
The fact that these messages decrypt precisely the same as the
original aside, if you're building chains with consistent exit nodes
your messages stand out with statistical significance to anyone
replaying messages in bulk. Mixminion addresses this known weakness by
keeping a hash of every processed message _until keys are rotated_ at
which time it becomes a moot issue because replayed messages can't be
processed anyway.
Here's what Roger Dingledine himself has to say about it in case you're
still confused.
"We can't afford to let even a single message be replayed. It isn't
just that an adversary can flood a mix with the same message and watch
where the flood goes. The problem is that if the adversary watches the
input and output batches of a mix, and then comes back a month later
(after the replay cache has expired) and replays a message, then *the
message's decryption will be exactly the same*.
Bye-bye forward anonymity."
Oh, and by the way, even Mixminion isn't impervious to replay attacks
because there's a "window of opportunity" around key rotation time
where some messages are encrypted with old keys and some with new keys.
It's made more difficult for an attacker, but it's still an imperfect
compromise between security and losing mail due to latency in key
propagation.
I take it you were completely oblivious to these facts until now, so in
anticipation of the humble thanks you'll undoubtedly be replying to this
enlightening message with, I'll take this opportunity to say "you're
welcome".
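A model of the two replay defences contrasted in the post above, as an added example that is not part of the original thread and is not Mixmaster or Mixminion code: a cache that forgets packet digests after a fixed window, beside one that keeps them until the node key rotates. The class names, the 30-day window and the key identifiers are assumptions, and the model leaves out the overlap period around key rotation that the post mentions.

```python
import hashlib


def digest(packet: bytes) -> bytes:
    return hashlib.sha256(packet).digest()


class TimedReplayCache:
    """Remembers packet digests for a fixed window (assumed 30 days), then forgets them."""

    def __init__(self, ttl_days: int = 30):
        self.ttl_days = ttl_days
        self.seen = {}  # digest -> day first accepted

    def accept(self, packet: bytes, today: int) -> bool:
        # Expire entries older than the retention window.
        self.seen = {d: t for d, t in self.seen.items() if today - t < self.ttl_days}
        if digest(packet) in self.seen:
            return False  # replay detected
        self.seen[digest(packet)] = today
        return True


class KeyBoundReplayCache:
    """Keeps every digest until the node key rotates; old-key packets are then refused."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.seen = set()

    def rotate(self, new_key_id: str) -> None:
        self.key_id = new_key_id
        self.seen.clear()  # safe to forget: nothing for the old key is processed again

    def accept(self, packet_key_id: str, packet: bytes) -> bool:
        if packet_key_id != self.key_id:
            return False  # addressed to a retired key
        if digest(packet) in self.seen:
            return False  # replay detected
        self.seen.add(digest(packet))
        return True


def demo():
    packet = b"constructed sample packet"  # constructed input, not a real mix packet
    timed = TimedReplayCache()
    timed_results = [timed.accept(packet, day) for day in (0, 10, 45)]
    bound = KeyBoundReplayCache("key-1")
    bound_results = [bound.accept("key-1", packet), bound.accept("key-1", packet)]
    bound.rotate("key-2")
    bound_results.append(bound.accept("key-1", packet))
    return timed_results, bound_results
```

In `demo()`, the timed cache accepts the same packet again on day 45 because its entry has expired, while the key-bound cache refuses it both before and after rotation.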
Re: does it make any difference
07-30-07 12:13 PM
Zax wrote:
> On Mon, 30 Jul 2007 02:55:25 +0200 (CEST), Anonymous wrote in
> Message-Id: <794984c078bdf08c46d00d8119be7d55@ecn.org>:
>
>
> I don't entirely agree with this. Mixmaster messages cannot be
> replayed due to protection within the protocol. If the originator
Sure they can be replayed Zax. Type II is an improvement over Type I,
where there was virtually no protection at all, but in essence Type II
replay attack countermeasures evaporate in a month. And yes, I'm aware
that can be extended in a number of ways.
> posted lots of messages then I suppose he is slightly partitioned as
> each post results in something coming out of Banana. Then again if
> he always posted to the same newsgroup, this would be true regardless
> of which exit was used.
Can't dispute that fact. Indeed, it supports the "consistent exit nodes
are a BadThing(tm)" assertion. In effect, you're making that exit node
a permanent destination for your messages even if you don't always send
them on to the same newsgroup/email/whatever. There's issues of some
significance brought up by doing it that way, even if replay attacks
weren't a consideration at all.
> Maybe I'm missing something. Wouldn't be the first time.
>
Only the fact that Type II replay attack countermeasures are anything
but perfect. Type III is another improvement over Type I/II, but
it's not perfect either. In my humble opinion it starts to cross the
line into impractical to replay attack Type III messages, where Type II
just requires determination and dedication, but there's still some
necessary weakness there which a knowledgeable attacker could exploit
without having to perform any real magic.
Re: does it make any difference
07-30-07 06:13 PM
On Mon, 30 Jul 2007 05:30:21 -0600 (MDT), Borked Pseudo Mailed wrote in
Message-Id: <ac5b3cc321f2d5604b3f026669411658@pseudo.borked.net>:
>
> Sure they can be replayed Zax. Type II is an improvement over Type I,
> where there was virtually no protection at all, but in essence Type II
> replay attack countermeasures evaporate in a month. And yes, I'm aware
> that can be extended in a number of ways.
Point taken. Thanks for the clarification.
>
> Can't dispute that fact. Indeed, it supports the "consistent exit nodes
> are a BadThing(tm)" assertion. In effect, you're making that exit node
> a permanent destination for your messages even if you don't always send
> them on to the same newsgroup/email/whatever. There's issues of some
> significance brought up by doing it that way, even if replay attacks
> weren't a consideration at all.
True. This is also a good argument for users not manually selecting
mail2news gateways, but rather to use a Post directive and let the exit
remailer take care of it. Less human choice is good for anonymity.
> Only the fact that Type II replay attack countermeasures are anything
> but perfect. Type III is another improvement over Type I/II, but
> it's not perfect either. In my humble opinion it starts to cross the
> line into impractical to replay attack Type III messages, where Type II
> just requires determination and dedication, but there's still some
> necessary weakness there which a knowledgeable attacker could exploit
> without having to perform any real magic.
I assume ephemeral session keys must help in these circumstances but
that still leaves vulnerabilities if there's a bad remailer operator in
the chain.
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
All times are GMT.