Re: Server redirection software

[lcs Mixmaster Remailer]

Amanda writes:

 Just pick up a copy of Freedom www.freedom.net. It works. It is
 available now. It protects more than just your surfing.

Freedom is good (although not free).  But it only protects clients, it
can't protect servers.  Right?  You can't operate a web server, or IRC
server, from behind a Freedom nym.  There is no way to publish a URL or IP
address which can let people find you but allow you to remain anonymous.
(Although you can create an anonymous email address.)

The proposed server redirection software is intended to be complemtary
to Freedom.  Where Freedom allows clients to be anonymous, this software
allows servers to be anonymous.  Together they can provide for fully
anonymous communications where the privacy of both sides is protected.

Re: Server redirection software

[lcs Mixmaster Remailer]

The server-based redirector proposed earlier could have other uses than
for just web servers.  Other servers, including telnet and email servers
could also be hidden behind a redirection chain.  Those services use
reserved port numbers so it would be necessary that the last computer
in the chain (the one whose address is published) not be running the
service in question.

This would offer another approach for anonymous return addresses.  Someone
running a SMTP server on port 25 could set up a redirection chain so a
remote machine would forward connections to that host.  If Alice's email
is [EMAIL PROTECTED] she can set up a chain through bob.com and carol.com
and publish her email as [EMAIL PROTECTED]  Connections to Carol's machine
on port 25 would then be transparently forwarded to port 25 on alice.com,
and the email would be delivered.

Other protocols might benefit from this remote forwarding capability
as well.

Can anyone volunteer web space to make the software available?

 Have you looked at the TAZ work that Ian Goldberg and David Wagner did a
 few years back?  You can find their report at:

 http://www.firstmonday.dk/issues/issue3_4/goldberg/index.html

 They discuss "rewebbers" and some of the issues involved in designing
 them.  If you want to make an analogy to remailers, then your design is
 analogous to pseudonym chaining, while theirs is more similar to
 cypherpunks-style remailers.  In particular, they avoid the problem of
 Bob knowing the entire redirection chain.

Yes, that's an interesting approach, which has some pros and cons
vs the redirector concept.  The connection based redirector might
be more appropriate for relatively transient connections.  Once a
connection is taken down, the information needed to retrace it is lost.
Connection chains can also be broken if one of the servers on the chain
gets rebooted.

The rewebber approach could be more vulnerable to step by step tracking.
Until the nodes destroy their public keys, a rewebber based URL
potentially exposes the final destination.  On the other hand the
URLs could be much more stable and long lasting.

I wonder if the rewebber code might be published now that the crypto
export restrictions have been relaxed.

 Traffic analysis from upstream sniffers trivially breaks this system.  TLAs
 have been known to place boxes upstream of 'interesting' sites for years.
 End to end crypto is needed, as is real security (i.e. physical) of the
 nodes, else you get an "really enhanced" NIC card added some dark night.
 I'd say it depends on your thread level.

Yes, but almost any system for anonymizing real-time connections will
be vulnerable to this level of traffic analysis.  Even the commercial
Freedom system has this weakness, although there is apparently a plan
to put in some traffic-smoothing features.  These could be used as well
with the server based redirection proposals.

Re: Server redirection software

[Kerry L. Bonin]

Traffic analysis from upstream sniffers trivially breaks this system.  TLAs
have been known to place boxes upstream of 'interesting' sites for years.
End to end crypto is needed, as is real security (i.e. physical) of the
nodes, else you get an "really enhanced" NIC card added some dark night.
I'd say it depends on your thread level.

At 04:40 PM 4/24/00 -, lcs Mixmaster Remailer wrote:
What do you think of a program which works as follows.

It is a TCP/IP redirector, but it is designed to protect the anonymity
of web servers.  People voluntarily run this program on their systems.
A server which wants to be anonymous connects to one of these redirectors,
and gives it a command telling it to listen on port X, and any incoming
connections on that port should be forwarded to port Y on the requesting
host.

For example: Alice wants to run a server anonymously, so she connects to
Bob's computer and gives his redirection program the command to listen
on port 12345 (say) and when connections occur there, to forward them
to port 80 on Alice's machine.

Then she can publish her server URL as http://www.bob.com:12345.
When Bob's server receives a connection on that port, he initiates an
outgoing connection to port 80 on Alice's machine.  He then goes into
bidirectional mode and sends data back and forth.

As far as the client is concerned, he is connection to port 12345 on
Bob's machine.  But as far as Alice's machine is concerned, she gets
connections on port 80.  Neither the user's browser nor Alice's web
server have to be changed; the additional connection step is transparent
to them.

In addition, chained connections can be created.  Bob's redirector maps
incoming port 12345 to port 80 on Alice's host.  Alice can then ask
Carol's redirector to map incoming port 54321 to port 12345 on Bob's
computer.  Then the URL http://www.carol.com:54321 will still get to
Alice's host, via two hops.  In this way Carol does not know the actual
location of the server.

If Alice had to connect directly to Carol to set this up, it would reveal
her host's identity to Carol.  So the redirector also has a "transparent"
mode for setting up chained connections.  Alice connects to Bob's machine
and tells him to listen on port 12345.  She then asks Bob's redirector
to connect her to Carol's redirector and go into transparent mode.
Now she can communicate with Carol's redirector via Bob.  She can give
it commands without Carol seeing Alice's address.

Abuse of redirectors is always a concern.  Hackers might use redirectors
to conceal their locations when attempting to break into systems.

This is avoided in two ways.  First, redirection requests can only be set
up for a target IP equal to the requesting machine's IP.  Alice can ask
Bob to forward data to her machine, but not to anyone else's.  When she
connects to Carol via Bob's transparent connection, she can ask Carol
to forward to Bob, but not to anyone else.  Hence it is not possible to
get the redirector to connect to arbitrary addresses.

Second, the transparent-connection feature (used for setting up chains)
is also limited so that it can't be used to facilitate anonymous hacking
into systems.  The redirectors give a one-line identification when they
are connected to.  When one redirector is asked to forward a connection to
another in transparent mode, it looks for that one-line response.  If it
is not present, the redirector won't send any data along that connection.
Therefore redirectors in transparent-connection mode will only connect
to other redirectors.

The current system does rely on the integrity of the first redirector
in the chain (Bob's, in the example above).  Bob sees the entire chain
that Alice sets up.  In the other direction (towards Alice, rather
than away from her), there is anonymity; each redirector knows only the
address of the next redirector in the chain.  But outgoing from Alice,
each redirector knows the whole remainder of the chain.

Since attackers would typically be starting from the far end of the chain
(the client end), this is the direction in which we most need protection.
Only if we got to the point where people were running rogue redirectors
would the information leakage in the other direction be a concern.

Ideally crypto could be used to hide this information.  Alice could
set up an encrypted connection to each redirector in the chain as she
sets it up.  She would connect to Bob and tell him to listen on a port.
Then she would connect to Carol via Bob, but negotiate an encrypted
connection with Carol before giving commands to her.  Bob would not know
which port Carol was told to listen on, nor what other redirectors Alice
communicated with beyond Carol.  In this way each redirector would know
only its neighbors in the chain.

Is there an appropriate role for crypto in the incoming connections from
clients?  It would seem not, if each redirector only knows its neighbors
as described above.  Sending the data through the pipeline unchanged 

Re: Server redirection software

[Patrick Henry]

For example: Alice wants to run a server anonymously, so she connects
to
Bob's computer and gives his redirection program the command to listen
on port 12345 (say) and when connections occur there, to forward them
to port 80 on Alice's machine.

How do you prevent two people from requesting the same port number?

Bottom line: if you had a server with controversial information, would
you feel that presenting it from behind a chain of this type would
add safety for you?  And, secondly, would you be willing to run such a
redirector as a service to people who want to protect their anonymity?

Why not just put a web server on some island like Antigua and rent out
space using an anonymous payment method?  You could use email to upload
material.  Your method, while good, seems like it leaves the anonymous
party open to snooping by traffic analysis, since the packets invariably
end up on Alice's machine.

--PH
__
Get Your Free Email from http://www.hotml.com