[cryptography] Potential funding for crypto-related projects

Jacob Appelbaum jacob at appelbaum.net
Mon Jul 1 09:33:24 EDT 2013

Ben Laurie:
> On 1 July 2013 12:32, Tom Ritter <tom at ritter.vg> wrote:
>> On 1 July 2013 05:04, Ben Laurie <ben at links.org> wrote:
>>> On 1 July 2013 01:55, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>>>> So then - what do you suggest to someone who wants to leak a document to
>>>> a press agency that has a GlobaLeaks interface?
>>> I would suggest: don't use GlobalLeaks, use anonymous remailers.
>>> Bottom line: Tor is weak against powerful adversaries because it is
>>> low latency. High latency mixes are a lot safer.
>>> GlobalLeaks should have an email API, IMO.
>> Having looked a lot at the current remailer network, and a bit at
>> GlobaLeaks - I'm going to wade in and disagree here. (Although this
>> thread has gotten woefully off topic after I've bumped it. =/)  Ben: I
>> love mix networks. I've been learning everything I can about them, and
>> have been researching them voraciously for a couple years.[0]  But IMO
>> the theoretical gains of high latency *today* are weaker than the
>> actual gains of low latency *today*.
>> Virtually all remailer use is Mixmaster, not Mixminion.  If you want
>> to use anything but a CLI on Linux - you're talking Mixmaster.  So I'm
>> assuming you mean that.  Mixmaster uses a very, very recognizable SMTP
>> envelope, that often goes out with no TLS, let alone no PFS.  There's
>> also precious few people actually using it.  And finally, if you look
>> at the public attacks on remailers (the unfortunate bombing threats of
>> last summer) and Tor (the Jeremy Hammond case) - you see that Feds are
>> willing to go on fishing expeditions for remailers, but less so Tor.
>> Tor was traffic confirmation, Remailers was fishing.[1]
>> Compare to GlobaLeaks.  Tor Hidden Service, Tor network.  The two
>> biggest threats are Traffic Correlation and the recent attacks on
>> Hidden Services.
>> Assume a Globally Passive Adversary logging all SMTP envelopes
>> (because... they are. So don't assume, know.).  Now assume a leak
>> arrives over email.  Light up all the nodes who sent a message via
>> Mixmaster within a couple days, and you'll get at most, a couple
>> hundred.  Now dim all the lights who've never sent a mixmaster message
>> before.  You'll get a couple.  That's enough to investigate them all
>> using traditional methods.
>> Now you *do* have to assume a GPA who's logging all Tor traffic.  It's
>> possible.  Some would even say it's probable.  But we've seen no
>> evidence. Do the same light-up.  You get a hundreds if not thousands
>> of nodes.  Too many to investigate traditionally.  And to do Traffic
>> Confirmation, you need to identify the Hidden Service.  And there's
>> the issue that it's not trivial to do traffic confirmation.
>> Oh and there's also the little problem of sending anything over 10,236
>> bytes via Mixmaster splits the message into multiple messages that all
>> emanate from your machine which makes it wildly probable some won't
>> arrive, and also drastically makes you stand out the crazy person
>> who's trying to send anything other than text through Mixmaster.
>> I'm not saying GlobaLeaks+Tor is safe.  I'm saying I think our current
>> remailer network is wildly unsafe.  (Now what I think about fixing
>> it... that's a whole other story, for a whole other time.)

The above argument is one I have had more than a few times - I think Tom
really did a fantastic job.

> You are probably right - remailers are not what they used to be.

The thing is - I'm not sure they were ever what they used to be - if we
look at the disclosures from Snowden, we should assume a kind of GPA -
the level of traffic from remailers is just too small. There isn't
enough traffic because the desire for one very specific application
(email) is extremely small.

> The more interesting point is high vs low latency. I really like the
> idea of having a high-latency option in Tor. It would still need to
> have a lot of users to actually be useful, though. But it seems there
> are various protocols that would be ore high-latency-friendly than
> HTTP - SMTP, of course, and XMPP spring to mind.
I think if Tor had an arbitrary queue with store and forward as a high
latency module of sorts, we'd really be onto something. Then there would
be tons of traffic on the Tor relays for all kinds of reasons - high and
low latency - only to all be wrapped in TLS and then in the Tor protocol.

It would actually be rather straight forward to add a new cell type that
did something interesting like the above. It would also be dead simple
to use torsocks to torify MixMinion or mixmaster. I've done it and the
main problem was that none of the remailer networks really work very
well for other properties - other than anonymity, I mean. Using Tor with
mixmaster at least augments the forward secrecy problem a bit - that is
Tor adds what mixmaster is missing.

I think having Mixmaster and MixMinion support in Tails and run over Tor
would be a good way to start. I also agree that GlobaLeaks should have
an interface for receiving leaks via either of those networks - though I
sometimes wonder if GL wouldn't be better off with only type-III
remailer support? Forward secrecy seems absolutely critical.

All the best,

More information about the cryptography mailing list