dhanlin: > Mix+TB Test: >> dhanlin: >>> The adversary I had in mind was a malicious exit node administrator. >> >> The exit node admin should only be able to see which email services you >> are talking to, not the address you are using (assuming end-to-end >> encryption). An even then they are only going to see it when you exit >> through that node, which should not be all the time. >> >> So worst case is that they can see three simultaneous connections to >> different providers, not which addresses are in use. > > Yes, but with cooperation between the e-mail provider(s) and the > malicious exit node, pseudonymous accounts can be connected to accounts > using a real identity. For example, if the NSA runs a malicious exit > node and wants to know the identity of [email protected], they can take > from Google all the access times for that account. Then they can look > at the logs of their exit node, and find possible accesses to that > account, and link them to other e-mail provider accesses. If one of > these providers is say a personal e-mail server at a domain with valid > WHOIS, [email protected] is deanonymized. > > I see your point that an malicious exit node cannot itself deanonymize > by connecting accounts (unless the e-mail providers themselves would > deanonymize the user, which is possible). So the attack is a little > harder than I initially thought. There seems to be no technological > impediment to an e-mail provider and a malicious exit node cooperating, > though.
Yes, I was considering your threat model of a malicious exit node administrator. Collusion or a global passive adversary is far more difficult. You could try separate Thunderbird profiles with only one account per profile, or you could turn off checking at startup and checking every x minutes and then just check manually. You could also use 'fetchmail' and a small script with 'cron' or 'at' to randomise which accounts are checked and how long the break is in between. Using separate profiles would mean that an adversary may be able to see patterns of when you are actively checking email, while a fetchmail setup running on an always on machine would make this far more difficult. -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
