[cryptography] Potential funding for crypto-related projects

Tom Ritter tom at ritter.vg
Mon Jul 1 07:32:26 EDT 2013


On 1 July 2013 05:04, Ben Laurie <ben at links.org> wrote:
> On 1 July 2013 01:55, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>> So then - what do you suggest to someone who wants to leak a document to
>> a press agency that has a GlobaLeaks interface?
>
> I would suggest: don't use GlobalLeaks, use anonymous remailers.
> Bottom line: Tor is weak against powerful adversaries because it is
> low latency. High latency mixes are a lot safer.
>
> GlobalLeaks should have an email API, IMO.

Having looked a lot at the current remailer network, and a bit at
GlobaLeaks - I'm going to wade in and disagree here. (Although this
thread has gotten woefully off topic after I've bumped it. =/)  Ben: I
love mix networks. I've been learning everything I can about them, and
have been researching them voraciously for a couple years.[0]  But IMO
the theoretical gains of high latency *today* are weaker than the
actual gains of low latency *today*.

Virtually all remailer use is Mixmaster, not Mixminion.  If you want
to use anything but a CLI on Linux - you're talking Mixmaster.  So I'm
assuming you mean that.  Mixmaster uses a very, very recognizable SMTP
envelope, that often goes out with no TLS, let alone no PFS.  There's
also precious few people actually using it.  And finally, if you look
at the public attacks on remailers (the unfortunate bombing threats of
last summer) and Tor (the Jeremy Hammond case) - you see that Feds are
willing to go on fishing expeditions for remailers, but less so Tor.
Tor was traffic confirmation, Remailers was fishing.[1]

Compare to GlobaLeaks.  Tor Hidden Service, Tor network.  The two
biggest threats are Traffic Correlation and the recent attacks on
Hidden Services.

Assume a Globally Passive Adversary logging all SMTP envelopes
(because... they are. So don't assume, know.).  Now assume a leak
arrives over email.  Light up all the nodes who sent a message via
Mixmaster within a couple days, and you'll get at most, a couple
hundred.  Now dim all the lights who've never sent a mixmaster message
before.  You'll get a couple.  That's enough to investigate them all
using traditional methods.

Now you *do* have to assume a GPA who's logging all Tor traffic.  It's
possible.  Some would even say it's probable.  But we've seen no
evidence. Do the same light-up.  You get a hundreds if not thousands
of nodes.  Too many to investigate traditionally.  And to do Traffic
Confirmation, you need to identify the Hidden Service.  And there's
the issue that it's not trivial to do traffic confirmation.

Oh and there's also the little problem of sending anything over 10,236
bytes via Mixmaster splits the message into multiple messages that all
emanate from your machine which makes it wildly probable some won't
arrive, and also drastically makes you stand out the crazy person
who's trying to send anything other than text through Mixmaster.

I'm not saying GlobaLeaks+Tor is safe.  I'm saying I think our current
remailer network is wildly unsafe.  (Now what I think about fixing
it... that's a whole other story, for a whole other time.)

-tom

[1] https://crypto.is/blog
http://defcon.org/html/defcon-21/dc-21-speakers.html#Ritter
[1] If you don't like my last argument, fine, ignore it, and work with
the others.


More information about the cryptography mailing list