[tor-talk] Secure email with limited usable metadata
everyone is tooting about pgp these. pgp encryption doesnt solve the problem of tla surveillance. pgp encryption does not touch metadata (recipent, sender). how to secure mail communication? i was thinking about pointing the mx record of the tld to a mail server that is shared with other individuals. the server is configured to drop incoming non-tls smtp connection from other mail server. On a per account basis, every message that is not encrypted to the public pgp key of the address is dropped, too. users use pop3/smtp over a hidden server to download/send messages. what do you think? the setup is easy to maintain. if inbox size is limited to a few mbs any cheap vps thats like 20$ a year can be used to service hundreds of thousands of accounts. a trusted umbrella organization is needed to maintain the server as anonymity is increased by increasing users count. is the tor project or torservers.net interested in running such a service? i would literally pay money for that, so would others. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
I would think that simply finding a mail server that doesn't log ANYTHING (like what StartMail is about to offer) and encrypting everything should be enough. Of course, you'd need to trust that the service really isn't logging anything but that could be solved by accessing it via Tor. So StartMail (when it opens) via Tor should do the trick. Just a thought, Anthony On 06/30/2013 10:52 AM, alice-...@safe-mail.net wrote: > everyone is tooting about pgp these. pgp encryption doesnt solve the problem > of tla surveillance. pgp encryption does not touch metadata (recipent, > sender). > > how to secure mail communication? > > i was thinking about pointing the mx record of the tld to a mail server that > is shared with other individuals. the server is configured to drop incoming > non-tls smtp connection from other mail server. On a per account basis, every > message that is not encrypted to the public pgp key of the address is > dropped, too. users use pop3/smtp over a hidden server to download/send > messages. > > what do you think? the setup is easy to maintain. if inbox size is limited to > a few mbs any cheap vps thats like 20$ a year can be used to service hundreds > of thousands of accounts. a trusted umbrella organization is needed to > maintain the server as anonymity is increased by increasing users count. is > the tor project or torservers.net interested in running such a service? i > would literally pay money for that, so would others. > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > > -- Anthony Papillion Phone: 1.918.533.9699 SIP: sip:cajuntec...@iptel.org iNum:+883510008360912 IM: cypherpun...@jit.si www.papillion.me ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
This poses a really interesting question. Another solution would be to use already existing remailers, and doubling the encryption together with the TO: email in the inline plaintext. The question is how to properly do a dual encryption. My proposed solution is the following: Plaintext message (encrypted for recipient, with unencrypted portion dictating the recipient through inline text) -> Encrypted Message (encrypted again to remailer's PGP, including inline portion) -> Remailer (decrypted intended layer. Message is sent to recipient dictated in the inline text) -> Recipient's Email Server / Provider (cannot be read by provider) -> Recipient Mailbox On Sun, Jun 30, 2013 at 8:52 AM, wrote: > everyone is tooting about pgp these. pgp encryption doesnt solve the > problem of tla surveillance. pgp encryption does not touch metadata > (recipent, sender). > > how to secure mail communication? > > i was thinking about pointing the mx record of the tld to a mail server > that is shared with other individuals. the server is configured to drop > incoming non-tls smtp connection from other mail server. On a per account > basis, every message that is not encrypted to the public pgp key of the > address is dropped, too. users use pop3/smtp over a hidden server to > download/send messages. > > what do you think? the setup is easy to maintain. if inbox size is limited > to a few mbs any cheap vps thats like 20$ a year can be used to service > hundreds of thousands of accounts. a trusted umbrella organization is > needed to maintain the server as anonymity is increased by increasing users > count. is the tor project or torservers.net interested in running such a > service? i would literally pay money for that, so would others. > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On 06/30/2013 03:52 PM, alice-...@safe-mail.net wrote: > everyone is tooting about pgp these. pgp encryption doesnt solve the problem > of tla surveillance. pgp encryption does not touch metadata (recipent, > sender). > > how to secure mail communication? There's an easy solution. Only communicate among arbitrarily anonymous accounts, and always use arbitrary subjects. > i was thinking about pointing the mx record of the tld to a mail server that > is shared with other individuals. the server is configured to drop incoming > non-tls smtp connection from other mail server. On a per account basis, every > message that is not encrypted to the public pgp key of the address is > dropped, too. users use pop3/smtp over a hidden server to download/send > messages. > > what do you think? the setup is easy to maintain. if inbox size is limited to > a few mbs any cheap vps thats like 20$ a year can be used to service hundreds > of thousands of accounts. a trusted umbrella organization is needed to > maintain the server as anonymity is increased by increasing users count. is > the tor project or torservers.net interested in running such a service? i > would literally pay money for that, so would others. If you want total overkill, you can use Mixmaster nyms with alt.privacy.anon-server as inbox. Quicksilver is easy to use, and runs on Linux in Wine. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
> I would think that simply finding a mail server that doesn't log > ANYTHING (like what StartMail is about to offer) and encrypting > everything should be enough. Of course, you'd need to trust that the > service really isn't logging anything but that could be solved by > accessing it via Tor. > > So StartMail (when it opens) via Tor should do the trick. StartMail/tormail does not solve the problem of metadata either. i do not want to hide my identity. i want to use my real name and communicate with people i know in real life. its about *enforcing* content encryption and secure communication so an outside observer cannot easily correlate my social network by snooping on mail traffic at net gateways. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
That's why I'm setting up my own mail server at home. And also plan to access it via web interface if using someone else's machine (like at home). I would only allow web access via SSL and password, and only show the emails of the last week (not more). Trying postfix, dovecot, and SquirrelMail. Still in progress :) On Sun, Jun 30, 2013 at 5:48 PM, wrote: >> I would think that simply finding a mail server that doesn't log >> ANYTHING (like what StartMail is about to offer) and encrypting >> everything should be enough. Of course, you'd need to trust that the >> service really isn't logging anything but that could be solved by >> accessing it via Tor. >> >> So StartMail (when it opens) via Tor should do the trick. > StartMail/tormail does not solve the problem of metadata either. i do not > want to hide my identity. i want to use my real name and communicate with > people i know in real life. its about *enforcing* content encryption and > secure communication so an outside observer cannot easily correlate my social > network by snooping on mail traffic at net gateways. > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
edit: someone one's else machine *like at work On Sun, Jun 30, 2013 at 6:18 PM, AK wrote: > That's why I'm setting up my own mail server at home. And also plan to > access it via web interface if using someone else's machine (like at > home). I would only allow web access via SSL and password, and only > show the emails of the last week (not more). Trying postfix, dovecot, > and SquirrelMail. Still in progress :) > > On Sun, Jun 30, 2013 at 5:48 PM, wrote: >>> I would think that simply finding a mail server that doesn't log >>> ANYTHING (like what StartMail is about to offer) and encrypting >>> everything should be enough. Of course, you'd need to trust that the >>> service really isn't logging anything but that could be solved by >>> accessing it via Tor. >>> >>> So StartMail (when it opens) via Tor should do the trick. >> StartMail/tormail does not solve the problem of metadata either. i do not >> want to hide my identity. i want to use my real name and communicate with >> people i know in real life. its about *enforcing* content encryption and >> secure communication so an outside observer cannot easily correlate my >> social network by snooping on mail traffic at net gateways. >> ___ >> tor-talk mailing list >> tor-talk@lists.torproject.org >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
* on the Sun, Jun 30, 2013 at 06:18:01PM -0600, AK wrote: > That's why I'm setting up my own mail server at home. And also plan to > access it via web interface if using someone else's machine (like at > home). I would only allow web access via SSL and password, and only > show the emails of the last week (not more). Trying postfix, dovecot, > and SquirrelMail. Still in progress :) If you're going to use somebody elses machine to access your webmail, you probably want to make sure it has a unique password. Even to the extent that your IMAP password for the same account is different. This is because you should also be using two factor authentication for webmail in case the untrusted machine is trojanned/keylogged. Then even if it is keylogged they wont be able to do anything with the password they gained. The open source webmail application Roundcube http://roundcube.net/ has several plugins to handle two factor authentication using different types of hardware tokens and protocols: http://trac.roundcube.net/wiki/Plugin_Repository#Authentication It's worth noting also that Roundcube has a PGP plugin now too based on openpgp.js: https://github.com/qnrq/rc_openpgpjs Your PGP key is never uploaded to the server. You paste it into a textarea after logging in, and then it is stored in your browsers "localStorage" (http://diveintohtml5.info/storage.html) Ordinarily I still wouldn't trust in-browser PGP, as every time you log in, you have to hope that the server didn't send you some new backdoored JS. However, if it's your own webmail installation on your own server, you're using your own browser and all traffic goes over https, you might feel that you can trust it. Personally, I avoid using untrusted machines to access my email. -- Mike Cardwell https://grepular.com/ http://cardwellit.com/ OpenPGP Key35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4 signature.asc Description: Digital signature ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
In the case of access to e-mail from untrusted computer is convenient and reliable to use one-time password authentication using e-codebook - mobile Java applet for your phone. A one-time password is generated in response to RAND, generated by the mail server. QR-code can be used. For example see WebMoney enum authorization. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
Hi, Thank you for raising this topic once again. Toying with the idea of "better" email for quite some time, I think there's direct and practical things you can offer, > i was thinking about pointing the mx record of the tld to a mail > server that is shared with other individuals. the server > is configured to drop incoming non-tls smtp connection from other > mail server. On a per account basis, every message that is not > encrypted to the public pgp key of the address is dropped, too. > users use pop3/smtp over a hidden server to download/send messages. See https://github.com/moba/pgpmilter for a small prototype script that rejects non-PGP mail. Exim seems to have the configuration option for that somewhat built-in. I'd go further and forward mail from the mx to hidden services configurable by the user. > if inbox size is limited to a few mbs I'd maybe want to limit the amount of email a user can *send* in a given time span. > any cheap vps I would not want to use VPS for a service like this. > a trusted umbrella organization is needed Working on something like it. > is the tor project or torservers.net interested in running > such a service? Torservers.net is currently a project under a German non-profit. In Germany, ever email provider with more than 10k users has to provide lawful interception. See https://www.bundesnetzagentur.de/SharedDocs/Downloads/EN/BNetzA/Areas/Telecommunications/TechTelecomsRegulation/TechImplementIntercepts/02EUenTRTKUEV62August2012pdf.pdf I'd like to see a full design for it first, and then the components, and the configuration for each component, so this is easy to set up and replicate by anyone. For example, how do I configure Postfix to relay certain incoming mail to a configured hidden service, how do I make it so it only rejects non-PGP mail for some accounts, etc. -- Moritz Bartl https://www.torservers.net/ ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
> Thank you for raising this topic once again. Toying with the idea of > "better" email for quite some time, I think there's direct and practical > things you can offer, > > > i was thinking about pointing the mx record of the tld to a mail > > server that is shared with other individuals. the server > > is configured to drop incoming non-tls smtp connection from other > > mail server. On a per account basis, every message that is not > > encrypted to the public pgp key of the address is dropped, too. > > users use pop3/smtp over a hidden server to download/send messages. > > See https://github.com/moba/pgpmilter for a small prototype script that > rejects non-PGP mail. Exim seems to have the configuration option for > that somewhat built-in. > > I'd go further and forward mail from the mx to hidden services > configurable by the user. is torservers.net able and allowed to run this hidden service? a trusted organization is needed to run web-tor relay and hidden service. > > if inbox size is limited to a few mbs > > I'd maybe want to limit the amount of email a user can *send* in a given > time span. right, 20 mails a day will do. the service does not need to be free. > > any cheap vps > > I would not want to use VPS for a service like this. why? > > a trusted umbrella organization is needed > > Working on something like it. your effort is very much appreciated. > > is the tor project or torservers.net interested in running > > such a service? > > Torservers.net is currently a project under a German non-profit. In > Germany, ever email provider with more than 10k users has to provide > lawful interception. > > See > https://www.bundesnetzagentur.de/SharedDocs/Downloads/EN/BNetzA/Areas/Telecommunications/TechTelecomsRegulation/TechImplementIntercepts/02EUenTRTKUEV62August2012pdf.pdf how did privacybox.de get around that? > I'd like to see a full design for it first, and then the components, and > the configuration for each component, so this is easy to set up and > replicate by anyone. For example, how do I configure Postfix to relay > certain incoming mail to a configured hidden service, how do I make it > so it only rejects non-PGP mail for some accounts, etc. i am not capable of coming up with this system on my own. anyone else in on this? Jake? codeman? what about enforcing tls so metadata is reduced? this violated RFC 2487. we are living in dark and dangerous times. maybe two relays could be used, one requiring tls one does not. ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
Sounds like for Germany and like countries/laws such servers should be limited to no more than 10k users each to prevent that invasion. From: Moritz Bartl To: tor-talk@lists.torproject.org Sent: Monday, July 1, 2013 10:41 AM Subject: Re: [tor-talk] Secure email with limited usable metadata Hi, Thank you for raising this topic once again. Toying with the idea of "better" email for quite some time, I think there's direct and practical things you can offer, > i was thinking about pointing the mx record of the tld to a mail > server that is shared with other individuals. the server > is configured to drop incoming non-tls smtp connection from other > mail server. On a per account basis, every message that is not > encrypted to the public pgp key of the address is dropped, too. > users use pop3/smtp over a hidden server to download/send messages. See https://github.com/moba/pgpmilter for a small prototype script that rejects non-PGP mail. Exim seems to have the configuration option for that somewhat built-in. I'd go further and forward mail from the mx to hidden services configurable by the user. > if inbox size is limited to a few mbs I'd maybe want to limit the amount of email a user can *send* in a given time span. > any cheap vps I would not want to use VPS for a service like this. > a trusted umbrella organization is needed Working on something like it. > is the tor project or torservers.net interested in running > such a service? Torservers.net is currently a project under a German non-profit. In Germany, ever email provider with more than 10k users has to provide lawful interception. See https://www.bundesnetzagentur.de/SharedDocs/Downloads/EN/BNetzA/Areas/Telecommunications/TechTelecomsRegulation/TechImplementIntercepts/02EUenTRTKUEV62August2012pdf.pdf I'd like to see a full design for it first, and then the components, and the configuration for each component, so this is easy to set up and replicate by anyone. For example, how do I configure Postfix to relay certain incoming mail to a configured hidden service, how do I make it so it only rejects non-PGP mail for some accounts, etc. -- Moritz Bartl https://www.torservers.net/ ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Mon, Jul 1, 2013 at 1:04 PM, wrote: >> Thank you for raising this topic once again. Toying with the idea of >> "better" email for quite some time,... >> ... >> I'd like to see a full design for it first, and then the components, and >> the configuration for each component, so this is easy to set up and >> replicate by anyone. For example, how do I configure Postfix to relay >> certain incoming mail to a configured hidden service, how do I make it >> so it only rejects non-PGP mail for some accounts, etc. > > i am not capable of coming up with this system on my own. anyone else in on > this? Jake? codeman? my contempt for email should be evident by provider; ... ;) [OTR, ZRTP, others preferable many years now] yet in all seriousness the complexities are many and some difficult problems (hidden svc to public network delivery with any confidence, end-user key management that is usable _and_ secure by default, sufficiently inter-operable without undue vulnerability or exposure, protocol aware mail message identifying information scrubbing modes, proper SSL/TLS cipher suites with PFS and wide client side support, ssl/tls session expiry and zeroisation, many others) have frustrating trade offs for all parties. regarding a well thought out specification: something written in chef[0] or saltstack[1] which i could launch and test myself would be excellent. suggestions accepted in form of git diffs and pull requests... alas, my order of copious free time is in the mail and it may be difficult to find someone excited to tackle this; i wager Jake would prefer numerous other agonies instead! 0. http://docs.opscode.com/ 1. https://saltstack.com/community.html ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Mon, Jul 1, 2013 at 4:12 PM, Praedor Tempus wrote: > Sounds like for Germany and like countries/laws such servers should be > limited to no more than 10k users each to prevent that invasion. you should assume this number will always approach anything greater than zero; and how do you handle a reduction? axe clients without prejudice? better option: end-to-end only, usable privacy that is secure by default - the only mode is secure. then you can publish "lawful intercepts" of ciphertext without risk to any users.** if you're forced to cooperate with active malware explotation of customers through assisted MitM via your services it is time to pull the plug and announce while you find a sane jurisdiction. the active exploitation and run time key recovery route is plan B for some entities which have lawful intercept charters... ** this is a "Hard Problem" (TM). *grin* ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Mon, 01 Jul 2013 22:18:06 +, coderman wrote: ... > you should assume this number will always approach anything greater > than zero; and how do you handle a reduction? axe clients without > prejudice? Put new clients into the next instance of this service, formally operated by someone else? > better option: end-to-end only, usable privacy that is secure by > default - the only mode is secure. then you can publish "lawful > intercepts" of ciphertext without risk to any users.** Lawful intercepts also include the access metadata (which I assume to be equally secure here), and access to the emails themselves. While encrypted the service still has to know source and destination to some extent. Also, LI interception is a cost factor. > if you're forced to cooperate with active malware explotation of > customers through assisted MitM via your services it is time to pull > the plug and announce while you find a sane jurisdiction. I guess under NSLs this could be construed as publishing same, so the NSL effectively forces you to stay in business. Andreas -- "Totally trivial. Famous last words." From: Linus Torvalds Date: Fri, 22 Jan 2010 07:29:21 -0800 ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Mon, Jul 1, 2013 at 11:15 PM, Andreas Krey wrote: > ... > Put new clients into the next instance of this service, formally > operated by someone else? you say this like there's an inexhaustible supply of dedicated individuals / volunteers able to administer a business entity / incorporation each with enough autonomy and self sufficiency to avoid conspiracy charges ... ;) i am skeptical this can scale in any meaningful sense; still better than nothing? > ... > Lawful intercepts also include the access metadata (which I assume to > be equally secure here), and access to the emails themselves. While > encrypted the service still has to know source and destination to > some extent. the joy of email is that you defer hard problems like unlinkability, psuedonymity, anonymity to lower layers where possible. i agree that "pen register" and other metadata is just as critical to privacy as content - perhaps more so given the lack of constraints around access to "pen register" metadata. did i mention this is a hard problem? > I guess under NSLs this could be construed as publishing same, > so the NSL effectively forces you to stay in business. "Due to circumstances outside our control we are no longer able to provide customers with quality service. Effective immediately. [datetimestamp]" ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
Would there be a way to "Freenet" the service? Distribute it over many servers...no one actually knowing what clients they have, perhaps not even how many but operated over the tor network? From: coderman To: tor-talk@lists.torproject.org Sent: Tuesday, July 2, 2013 9:26 AM Subject: Re: [tor-talk] Secure email with limited usable metadata On Mon, Jul 1, 2013 at 11:15 PM, Andreas Krey wrote: > ... > Put new clients into the next instance of this service, formally > operated by someone else? you say this like there's an inexhaustible supply of dedicated individuals / volunteers able to administer a business entity / incorporation each with enough autonomy and self sufficiency to avoid conspiracy charges ... ;) i am skeptical this can scale in any meaningful sense; still better than nothing? > ... > Lawful intercepts also include the access metadata (which I assume to > be equally secure here), and access to the emails themselves. While > encrypted the service still has to know source and destination to > some extent. the joy of email is that you defer hard problems like unlinkability, psuedonymity, anonymity to lower layers where possible. i agree that "pen register" and other metadata is just as critical to privacy as content - perhaps more so given the lack of constraints around access to "pen register" metadata. did i mention this is a hard problem? > I guess under NSLs this could be construed as publishing same, > so the NSL effectively forces you to stay in business. "Due to circumstances outside our control we are no longer able to provide customers with quality service. Effective immediately. [datetimestamp]" ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ___ tor-talk mailing list tor-talk@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Mon, Jul 1, 2013 at 10:10 PM, coderman wrote: > ... > my contempt for email should be evident by provider; ... ;) > [OTR, ZRTP, others preferable many years now] another one decides email is inherently insecure: https://silentcircle.wordpress.com/2013/08/09/to-our-customers/ """ Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure. """ use other tools and protocols for private communication! here's to hoping TorMail stays dormant... -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
Use p2p email http://bitmail.sf.net Am 30.06.2013 19:55 schrieb : > everyone is tooting about pgp these. pgp encryption doesnt solve the > problem of tla surveillance. pgp encryption does not touch metadata > (recipent, sender). > > how to secure mail communication? > > i was thinking about pointing the mx record of the tld to a mail server > that is shared with other individuals. the server is configured to drop > incoming non-tls smtp connection from other mail server. On a per account > basis, every message that is not encrypted to the public pgp key of the > address is dropped, too. users use pop3/smtp over a hidden server to > download/send messages. > > what do you think? the setup is easy to maintain. if inbox size is limited > to a few mbs any cheap vps thats like 20$ a year can be used to service > hundreds of thousands of accounts. a trusted umbrella organization is > needed to maintain the server as anonymity is increased by increasing users > count. is the tor project or torservers.net interested in running such a > service? i would literally pay money for that, so would others. > ___ > tor-talk mailing list > tor-talk@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
> On Mon, Jul 1, 2013 at 10:10 PM, coderman wrote: >> my contempt for email should be evident by provider; ... ;) Gmail seems intent on refusing signups via Tor without supplying other linkable and not rationally expendable data such as phone. I expect they'll bleed off users who need this to other providers through attrition, and incur negative publicity from prospective new users for failing to support it in these days. There were a few threads over on tor-talk in which a gmail staff participated. Some community suggestion was made for refundable bitcoin deposit to appease the google claims, not sure where that went. > use other tools and protocols for private communication! Amongst your convinceable and tutorable peers, yes of course. Amongst the rest of the world.. > here's to hoping TorMail stays dormant... ..I don't agree. It will be a long time before anything replaces traditional email worldwide. Until then traditional email services do need to be out there... accessible via Tor and free / donation based for basic messaging use. Independant mail nodes can work if done well, that's essentially what TorMail, Lavabit, SC, Hush, etc are. And though you may encrypt the body, there are uses for which you don't want to (non crypto peers). Know the weaknesses, your tools, and pick the right one for the right use. TorMail was in some sense the most interesting thing since the mail mixes. And other services that try to do crypto for you, can't, it's impossible hype. Better to continue building OpenPGP etc into traditional mail clients smoother. note: Last I saw TorMail up was Aug 5 early UTC. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Fri, Aug 9, 2013 at 6:20 AM, Randolph D. wrote: > Use p2p email http://bitmail.sf.net How about you and your friends publish some whitepapers and give some presentations first for peer review instead of spamming people with false endorsements to try out your warez. Until those bars are passed, and explained... people are unlikely to do anything but continue to give warnings to stay away from anything related below. http://mikeweber.users.sourceforge.net/ http://sourceforge.net/projects/netsplit http://netsplit.sourceforge.net/ http://sourceforge.net/projects/bitmail http://bitmail.sourceforge.net/ http://sourceforge.net/projects/spot-on http://spot-on.sourceforge.net/ http://textfield.users.sourceforge.net/ http://sourceforge.net/projects/goldbug http://goldbug.sourceforge.net/ http://sourceforge.net/projects/skyfall http://skyfall.sourceforge.net/ Thomas Asta Randolph D https://twitter.com/GoldBugIM -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
grarpamp: > Independant mail nodes can work if done well, that's > essentially what TorMail, Lavabit, SC, Hush, etc are. No. “TorMail” is different as it contains “Tor” in the name, misleading users to believe that it is run by the Tor project and that the trust they put in Tor can be applied to a service provided by unknown operators. This is straight for the help desk: every time that thing called “TorMail” went down, we had at least 10 people asking for help. I sincerily hope it will stay down. (And sorry about anyone who is having communication problems currently due to its sudden shutdown.) -- Lunar signature.asc Description: Digital signature -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Fri, Aug 09, 2013 at 06:50:08AM -0400, grarpamp wrote: > > here's to hoping TorMail stays dormant... > > ..I don't agree. It will be a long time before anything > replaces traditional email worldwide. While I don't really have an opinion on whether this service should stay dormant, I do hope they leave the TorMail name behind. Too many users got confused about whether it was an official Tor service (it wasn't). And I can't help but conclude that this confusion was intentional and welcome on the part of the service operators -- which I confess makes me have little sympathy for them disappearing. --Roger -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 8/9/2013 10:46 AM, Lunar wrote: > (And sorry about anyone who is having communication problems > currently due to its sudden shutdown.) It they are having communication problems because Tormail is down then they probably can't read this anyway :) - -- Crypto Keywords: terrorism, bombs, jogging, suntan lotion, nails, pellets, knives, shoes, underwear, milk, socks, hair, toenails, masturbation, gasoline, cooking oil, mayonnaise, bananas, Obama, Clinton, EFF, NSA, FBI, PGP, USA, pressure cooker, marathon, fertilizer Keywords are not necessarily in order of importance -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.21-beta20 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJSBRUvAAoJENm5+F4XN2I52zoP/3h2WMdIw5OhSiBic9ycvRjI PKE97MmdA6VnmMnk4PHo7oXyngsCIEpcyC51ki810EuXLL8w0u7RXWuAyb3OlZJq E0WGh1ZY0zkRSQ16rpxAgGe66QU9cDCUI8rmr5tD07q70ukq12lyG3Yd0qrlfwCf 4001iFLcOqR/MCLhjYLDo4eFqoTLeEFz0p9V2J9QPYQIVePw18T3HJqswJ2z0yws HbuPLFwwsemo5d/cRWeiZiNnR5oEipbXCjn5DP0zsdRVMvb5P2pgAmRjytzrfuPj cJcjA1243t+fHqRUiA3yuGFdS84pvbLicXnzqYmCB91ohCSgRhNxV+rBqAQ27/5O IdDwi00qzuh/kCoZQZO1zkCoApZVJUp3b9Ct9cmRZqf0mSg1nh4a6eJWQAD8YUlF O9aju6ew8zjQXjuNoawY5aeNZiX7vY8EUYRGCl2tg50uv6OXFT37Qwo2cOJ170ve FPussfR5ViYlwNA4uBVFdJEBsWni8WO4pttpNrNu3IJIw6I7THUlv2HZMbLmUJQ8 UGtjPszDPIYpzS9qCS3ulYzDXxBJ9sVfB1CWUxoUYDDsSF6detbWyjU3RVoz26xb DbLshz4eCx4IS89CdN7gVAJ1ZYNi1S1RnPy3jrvgCwnWc6swhzwiVi2DtgxWmflV 33vR8kn2rER24CtbuFHU =kN7u -END PGP SIGNATURE- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
>> No. “TorMail” is different as it contains “Tor” in the name, misleading > I do hope they leave the TorMail name behind. I was referring solely to the properties of the service, not the naming scheme. I believe that debate belongs elsewhere. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Fri, Aug 9, 2013 at 12:50 PM, grarpamp wrote: > There were a few threads over on tor-talk in which a > gmail staff participated. Some community suggestion > was made for refundable bitcoin deposit to appease > the google claims, not sure where that went. > We're still paying attention. Actually I don't work on Google anti-abuse anymore (different project these days) but am still happy to provide our perspective and contacts. Google is not an enemy of the Tor project, we just struggle with the same issues all other providers do. The "community suggestion" to use Bitcoin was actually my suggestion. It didn't go anywhere partly because it's fairly complicated and partly because Mike Perry and others from Tor felt Bitcoin wasn't anonymous enough, and desired a different system. So it's not really clear what the right approach is, technically. You may be interested in checking out Pond, the work of another crypto/Tor-friendly Googler: https://pond.imperialviolet.org/ It is an email-like messaging system that runs over Tor, has forward security, tries to beat traffic analysis, TPM integration to beat log structured filesystems that can't erase data and also has a variety of other interesting features. It's not a drop in replacement for email by any means, but with some more work it might be a reasonable alternative for specialised use case. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On 08/10/2013 05:34 AM, Mike Hearn wrote: > On Fri, Aug 9, 2013 at 12:50 PM, grarpamp > wrote: > >> There were a few threads over on tor-talk in which a gmail staff >> participated. Some community suggestion was made for refundable >> bitcoin deposit to appease the google claims, not sure where that >> went. >> > > We're still paying attention. Actually I don't work on Google > anti-abuse anymore (different project these days) but am still > happy to provide our perspective and contacts. Google is not an > enemy of the Tor project, we just struggle with the same issues all > other providers do. > > The "community suggestion" to use Bitcoin was actually my > suggestion. It didn't go anywhere partly because it's fairly > complicated and partly because Mike Perry and others from Tor felt > Bitcoin wasn't anonymous enough, and desired a different system. So > it's not really clear what the right approach is, technically. > > You may be interested in checking out Pond, the work of another > crypto/Tor-friendly Googler: > > https://pond.imperialviolet.org/ > > It is an email-like messaging system that runs over Tor, has > forward security, tries to beat traffic analysis, TPM integration > to beat log structured filesystems that can't erase data and also > has a variety of other interesting features. It's not a drop in > replacement for email by any means, but with some more work it > might be a reasonable alternative for specialised use case. > This project is pretty much what I have been looking for. Seems like a good chance (excuse) for me to learn Go as well. But there seems to be a lack of clues on how to get involved. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On Sat, Aug 10, 2013 at 4:34 AM, Mike Hearn wrote: >... > You may be interested in checking out Pond... > https://pond.imperialviolet.org/ > > It is an email-like messaging system that runs over Tor, has forward > security, tries to beat traffic analysis, ... this is the kind of messaging i would use - leaving all the complexities and drawbacks of traditional email behind. and StealthMonger: while the theory and design of latest generation anonymous remailers are suitable for secure mail, the practical realities render them unusable. effort on real-time protocols that can defend against traffic analysis, or other non-email systems like pond would be better spent. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On 08/10/2013 11:34 AM, Mike Hearn wrote: > On Fri, Aug 9, 2013 at 12:50 PM, grarpamp wrote: > >> There were a few threads over on tor-talk in which a >> gmail staff participated. Some community suggestion >> was made for refundable bitcoin deposit to appease >> the google claims, not sure where that went. >> > > We're still paying attention. Actually I don't work on Google anti-abuse > anymore (different project these days) but am still happy to provide our > perspective and contacts. Google is not an enemy of the Tor project, we > just struggle with the same issues all other providers do. > > The "community suggestion" to use Bitcoin was actually my suggestion. It > didn't go anywhere partly because it's fairly complicated and partly > because Mike Perry and others from Tor felt Bitcoin wasn't anonymous > enough, and desired a different system. So it's not really clear what the > right approach is, technically. That was a good suggestion, and it's great that you're still listening. It's true that Bitcoin is not, by default, at all anonymous. And it's become much harder, over the past year or so, to buy anonymously. However, it is possible to "anonymize" Bitcoins using multiple wallets with mixing services via Tor. After a few transfers, one is left with a random mixture, which includes none of one's initial Bitcoins. Although adversaries can determine the history of every Bitcoin fragment using the blockchain, none of those histories includes the spender's initial non-anonymous purchase. Even so, there are associations with the mixing services. In particular, the spender's initial non-anonymous purchase is associated with the first mixing service. But after the third mix, that association is arguably too diffused to be useful. What's the defect with that approach? It's actually quite easy using Multibit clients (which are local but don't download the blockchain) in Tails, Whonix, Incognito, etc. > You may be interested in checking out Pond, the work of another > crypto/Tor-friendly Googler: > > https://pond.imperialviolet.org/ > > It is an email-like messaging system that runs over Tor, has forward > security, tries to beat traffic analysis, TPM integration to beat log > structured filesystems that can't erase data and also has a variety of > other interesting features. It's not a drop in replacement for email by any > means, but with some more work it might be a reasonable alternative for > specialised use case. > -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
> What's the defect with that approach? > > It's actually quite easy using Multibit clients (which are local but > don't download the blockchain) in Tails, Whonix, Incognito, etc. Yes, you can effectively swap coins with people, that's one way to go. The issue of it being difficult to obtain coins anonymously is a maturity issue. The economy is small, thus, coins go in and out of the economy via exchanges very regularly. They don't circulate far before being converted back into local currencies. Because exchanges are financial institutions by law privacy is not allowed and state monitoring takes place. The reason I suggested a Bitcoin based solution is that: 1. The core principle of Tor has always been "anonymity loves company". If you aim for a 100% perfect solution and end up with nothing, you are worse off than having something that's mostly good enough. 2. Over time the privacy properties of Bitcoin will get better as wallet software improves, the economy grows, etc. So you get all those improvements "for free". 3. It requires no new third parties to be set up, as other schemes do. You could, theoretically, just download an app, give it some bitcoins you bought from a street vendor, and then manufacture yourself a proof-of-sacrifice that could be used to sign up for accounts/do any other abusable action. All you need is software. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
Re: [tor-talk] Secure email with limited usable metadata
On 08/11/2013 01:21 PM, Mike Hearn wrote: >> What's the defect with that approach? >> >> It's actually quite easy using Multibit clients (which are local >> but don't download the blockchain) in Tails, Whonix, Incognito, >> etc. > > > Yes, you can effectively swap coins with people, that's one way to > go. But you're still buying them non-anonymously. Even buying with cash on the street isn't very anonymous. And using a Bitcoin mixing service is rather a red flag, no? > The issue of it being difficult to obtain coins anonymously is a > maturity issue. The economy is small, thus, coins go in and out of > the economy via exchanges very regularly. They don't circulate far > before being converted back into local currencies. Because exchanges > are financial institutions by law privacy is not allowed and state > monitoring takes place. Right. With more Bitcoin users and longer circulation, stronger anonymity through mixing will become possible. On the other hand, as the Bitcoin economy has become larger, state monitoring has increased, and even semi-anonymous purchasing has become harder. For example, BitInstant imposed identity verification, and then shut down. There's a potentially very large market niche for selling Bitcoins anonymously, but the logistical challenges are immense. > The reason I suggested a Bitcoin based solution is that: > > 1. The core principle of Tor has always been "anonymity loves > company". If you aim for a 100% perfect solution and end up with > nothing, you are worse off than having something that's mostly good > enough. Indeed. > 2. Over time the privacy properties of Bitcoin will get better as > wallet software improves, the economy grows, etc. So you get all > those improvements "for free". An app with multiple wallets that automatically anonymized via Tor would be very cool! > 3. It requires no new third parties to be set up, as other schemes > do. You could, theoretically, just download an app, give it some > bitcoins you bought from a street vendor, and then manufacture > yourself a proof-of-sacrifice that could be used to sign up for > accounts/do any other abusable action. All you need is software. Do you think that Google might be an early adopter? If not, I wonder who would. -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
