[liberationtech] Jacob Appelbaum's Ultrasurf Report
Jacob Appelbaum
jacob at appelbaum.net
Tue Apr 24 08:29:18 PDT 2012
On 04/22/2012 11:02 PM, StealthMonger wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
>
>> There is no competitor to the Tor Project in the field of online
>> anonymity.
>
> On the contrary:
>
> Tor has a serious weakness in that it uses a low-latency connection
> between user and server, allowing anonymity to be broken with simple
> packet timing correlation. Even the Tor documentation states
>
> ... for low-latency systems like Tor, end-to-end traffic
> correlation attacks [8, 21, 31] allow an attacker who can observe
> both ends of a communication to correlate packet timing and volume,
> quickly linking the initiator to her destination.
>
> --- http://tor.eff.org/cvs/tor/doc/design-paper/challenges.pdf
>
> Long, random latency is part of the price of Internet anonymity. And
> there are competitors to Tor (open source), which use long, random
> latency. The basic idea is to use store-and-forward communication
> such as email and Usenet to allow the long random latency on which
> anonymity depends. This can be done by mailing an access request
> through a chain of anonymizing remailers to a web-to-mail gateway,
> with a return address contrived to cause the fetched information to be
> broadcast world-wide on Usenet. The requester watches for it there
> and plucks it when it arrives.
>
> Usenet and the remailer network are well-known. There are several
> web-to-mail gateways. The easiest these days is url at mixnym.net, and
> an easy way to use it is with (open source) anonget, see below.
>
Oh - sure - if you want to rope in mixmaster/mixminion networks, I
believe that those are also suitable for certain activities. I do not
however view those are competitors, one of the creators of Tor is the
main mixminion person and I think he basically hacked a ton on mixmaster.
In the case of remailers, I view those as a different class of anonymity
- namely, I have long viewed that if you use such a system, you should
probably compose it with Tor - so few people use them that I'd want to
disguise that I was using them. Also, you cannot use those systems for a
lot of TCP communications that people regularly need to protect - has
anyone written an XMPP or AIM client that uses mixmaster? I suspect not...
In any case, is it possible to use anonget with a lot of modern websites
in any practical manner where users won't just walk away? It's hard
enough to do that with Tor Browser or even a single hop proxy and a
normal browser.
I like the idea to be certain but only for a limited set of tasks.
All the best,
Jake
More information about the liberationtech
mailing list