[cryptography] Potential funding for crypto-related projects

Ben Laurie ben at links.org
Mon Jul 1 07:50:03 EDT 2013

On 1 July 2013 12:32, Tom Ritter <tom at ritter.vg> wrote:
> On 1 July 2013 05:04, Ben Laurie <ben at links.org> wrote:
>> On 1 July 2013 01:55, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>>> So then - what do you suggest to someone who wants to leak a document to
>>> a press agency that has a GlobaLeaks interface?
>> I would suggest: don't use GlobalLeaks, use anonymous remailers.
>> Bottom line: Tor is weak against powerful adversaries because it is
>> low latency. High latency mixes are a lot safer.
>> GlobalLeaks should have an email API, IMO.
> Having looked a lot at the current remailer network, and a bit at
> GlobaLeaks - I'm going to wade in and disagree here. (Although this
> thread has gotten woefully off topic after I've bumped it. =/)  Ben: I
> love mix networks. I've been learning everything I can about them, and
> have been researching them voraciously for a couple years.[0]  But IMO
> the theoretical gains of high latency *today* are weaker than the
> actual gains of low latency *today*.
> Virtually all remailer use is Mixmaster, not Mixminion.  If you want
> to use anything but a CLI on Linux - you're talking Mixmaster.  So I'm
> assuming you mean that.  Mixmaster uses a very, very recognizable SMTP
> envelope, that often goes out with no TLS, let alone no PFS.  There's
> also precious few people actually using it.  And finally, if you look
> at the public attacks on remailers (the unfortunate bombing threats of
> last summer) and Tor (the Jeremy Hammond case) - you see that Feds are
> willing to go on fishing expeditions for remailers, but less so Tor.
> Tor was traffic confirmation, Remailers was fishing.[1]
> Compare to GlobaLeaks.  Tor Hidden Service, Tor network.  The two
> biggest threats are Traffic Correlation and the recent attacks on
> Hidden Services.
> Assume a Globally Passive Adversary logging all SMTP envelopes
> (because... they are. So don't assume, know.).  Now assume a leak
> arrives over email.  Light up all the nodes who sent a message via
> Mixmaster within a couple days, and you'll get at most, a couple
> hundred.  Now dim all the lights who've never sent a mixmaster message
> before.  You'll get a couple.  That's enough to investigate them all
> using traditional methods.
> Now you *do* have to assume a GPA who's logging all Tor traffic.  It's
> possible.  Some would even say it's probable.  But we've seen no
> evidence. Do the same light-up.  You get a hundreds if not thousands
> of nodes.  Too many to investigate traditionally.  And to do Traffic
> Confirmation, you need to identify the Hidden Service.  And there's
> the issue that it's not trivial to do traffic confirmation.
> Oh and there's also the little problem of sending anything over 10,236
> bytes via Mixmaster splits the message into multiple messages that all
> emanate from your machine which makes it wildly probable some won't
> arrive, and also drastically makes you stand out the crazy person
> who's trying to send anything other than text through Mixmaster.
> I'm not saying GlobaLeaks+Tor is safe.  I'm saying I think our current
> remailer network is wildly unsafe.  (Now what I think about fixing
> it... that's a whole other story, for a whole other time.)

You are probably right - remailers are not what they used to be.

The more interesting point is high vs low latency. I really like the
idea of having a high-latency option in Tor. It would still need to
have a lot of users to actually be useful, though. But it seems there
are various protocols that would be ore high-latency-friendly than
HTTP - SMTP, of course, and XMPP spring to mind.

> -tom
> [1] https://crypto.is/blog
> http://defcon.org/html/defcon-21/dc-21-speakers.html#Ritter
> [1] If you don't like my last argument, fine, ignore it, and work with
> the others.

More information about the cryptography mailing list