Anonymous remailers can be used to hide information about the sender of email by re-sending the email through a series of nodes that are connected in a chain thus hiding the originating location. The aim of remailers is to protect the anonymity of people who may find themselves in a variety of situations such as [CRP01]:
There are four types of remailers [VAN01].
The first anonymous remailer appeared in the early 1990s as the Penet remailer, at anon.penet.fi [LEN01]. It was widely used however the service had a number of vulnerabilities including storing real email address that were mapped to anonymous ones. Also, the remailer had been compromised through multiple technical attacks. Additionally, it was required to reveal information about a user who posted copyrighted documents from the Church of Scientology to a newsgroup in 1995. The operator eventually shut down the service due to legal concerns and privacy issues [IAC01].
Since the Snowden revelations and the emergence of the ‘real-name paradigm’ where online identity mirrors the real world as in Facebook, Twitter and other social media have [INF01] people have become increasingly interested in technical resources that provide anonymity and the remailer provides this capability.
Crypto.is (CRP)
1) https://crypto.is/blog/what_is_a_remailer
Danezis, G., Dingledine, R., Mathewson, N. (2003) Mixminion: Design of a Type III Anonymous Remailer Protocol. In IEEE Symposium on Security and Privacy, Berkeley, CA, 11-14 May 2003.
http://www.mixminion.net/minion-design.pdf
Gumtree
1) http://gumtree.force.com/Help/articles/General_Information/Anonymised-emails
The Information (INF)
1) https://www.theinformation.com/History-Holds-Tough-Lessons-for-Anonymous-Services
InfoAnarchy (IAC)
1) http://www.infoanarchy.org/en/Anonymous_remailer
Leavitt, N. (LEN)
Anonymization Technology Takes a High Profile. 2009. IEEE Computer.
1) http://leavcom.com/articles/ieee_nov09.php
Light Blue Touchpaper (LBT)
1) https://www.lightbluetouchpaper.org/2014/04/03/current-state-of-anonymous-email-usability/
Mixmaster (MIX)
1) http://mixmaster.sourceforge.net/faq.shtml
Mixminion (MIM)
Paranoia remailer web interface (PRW)
1) https://webmixmaster.paranoici.org/mixemail-user.cgi
2) https://webmixmaster.paranoici.org/webinfo.txt
QuickSliver Lite (QSL)
1) https://www.quicksilvermail.net
Vanish (VAN)
1) http://www.vanish.org/anonymity/remailers.htm
Glossary (GLO)
1) http://whatismyipaddress.com/email-header
2) http://techterms.com/definition/command_line_interface
]]>
Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) are both public key encryption cryptographic software used to authenticate the identity of people sending messages and to encrypt and decrypt email messages and documents. The key difference between the two is that PGP is paid-license software owned by Symantec. Whereas GPG uses a GNU General Public License, meaning that the code can be modified, used and distributed free of charge. PGP and GPG are both OpenPGP compliant [OPP01] implementing the Internet Engineering Task Force (IETF) approved standard for encryption technologies [IET01] thus ensuring that they are interoperable with each other so that a message sent by one can be read by the other.
Another implementation for email encryption includes S/MIME (Secure/Multipurpose Internet Mail Extensions). It is an alternative to PGP/GPG used mostly by businesses that use large corporate computing infrastructures such as IBM, Microsoft and other vendors that offer commercial email packages and web browser software. It differs from PGP/GPG in that it does not exchange personal keys but relies upon the use of a common certifier that they both use [DFB01].
The aim of all of these is to enhance privacy by enabling people to sign, encrypt and decrypt electronic data, protecting the content of emails to ensure that third parties cannot read email communications.
Software that utilise public key encryption include:
Cryptography in its early days were managed and researched within government’s departments of defence in order to protect state secrets and to ensure secure communication across international borders. A non-secret technology known as public key encryption appeared in the 1970s using RSA [CAC01] and resulted in the emergence of the CryptoWars, an attempt by the U.S. government to limit the public and foreign countries from accessing cryptography strong enough to resist decryption by U.S. national intelligence agencies [OPN01].
The Snowden revelations have shown that the CryptoWars are not over [OPN01] in particular with the BULLRUN programme, which seeks to break encryption tools [EFF01].
Codes and Ciphers (CAC)
1) http://www.codesandciphers.org.uk/heritage/ModSec.htm
Cryptographic Engineering blog (CEB)
1) http://blog.cryptographyengineering.com/2014/08/whats-matter-with-pgp.html
Differencebetween (DFB)
1) http://www.differencebetween.net/technology/software-technology/difference-between-pgp-and-smime
Electronic Frontier Foundation (EFF)
1) https://www.eff.org/document/crypto-wars-governments-working-undermine-encryption
Freedom of the Press Foundation (FPF)
1) https://freedom.press/organization/leap-encryption-access-project
The Internet Engineering Task Force (IET)
1) http://www.ietf.org/rfc/rfc4880.txt
GPG Tools
1) https://gpgtools.org
LEAP (LAP)
1) https://leap.se/en/services/email
2) https://leap.se/en/docs/design
3) https://leap.se/slides/#/
Mailpile (MPE)
1) https://www.mailpile.is/faq/
2) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security
OpenPGP (OPP)
1) http://www.openpgp.org/about_openpgp/
Open Rights Group (OPN)
1) https://wiki.openrightsgroup.org/wiki/Crypto_Wars
Tech Republic (TRP)
1) http://www.techrepublic.com/blog/it-security/email-encryption-using-pgp-and-s-mime
TrueCrypt
1) http://truecrypt.sourceforge.net/
Off-the-Record Messaging (OTR) is an encryption protocol making it possible to engage in private conversations using specific instant messaging software. Its aim is to provide a platform that enables both encrypted and ‘deniable’ instant messaging conversations [CPU02]. ‘Deniable authentication’ allows participants in an instant messaging conversation to verify each other without the need for digital signatures which are attributed to a specific person and that can potentially be seen by a third party [CPU01].
OTR is an alternative to PGP and S/MIME public key encryption addressing some their vulnerabilities. These include [Borisov et al., 2004]:
Specifically, OTR ensures that [Borisov et al., 2004]:
Two of the main established software applications using OTR include:
Off-the-Record Messaging was developed in 2004 [CPU03] and was developed to enable encrypted real-time chat while also addressing some of the vulnerabilities of public key encryption. OTR chat software Pidgin and Adium use the LibPurple protocol [ADI02, PID03], which enables network connectivity that allows access to a variety of instant messaging applications. This allows users to login to multiple IM accounts, although it does not support group chat. The Electronic Frontier Foundation provides a helpful messaging scorecard [EFF01] that assesses the level of security provided a variety of communication tools including instant messaging.
Adium (ADI)
2) https://trac.adium.im/wiki/LibPurple
Bitcoin Not Bombs (BNB)
1) http://www.bitcoinnotbombs.com/beginners-guide-to-off-the-record-messaging
Borisov, N., Goldberg, I., Brewer, E. (2004) Off-the-Record Communication, or, Why Not To Use PGP. In WPES, 2004.
https://otr.cypherpunks.ca/otr-wpes.pdf
Cypherpunks (CPU)
1) https://otr.cypherpunks.ca/index.php
3) https://otr.cypherpunks.ca/news.php
Electronic Frontier Foundation (EFF)
1) https://www.eff.org/secure-messaging-scorecard
Huffington Post (HUFF)
1) http://www.huffingtonpost.com/2014/10/10/google-off-the-record_n_5959188.html
Mailpile (MPE)
1) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security
Pidgin (PID)
]]>New types of encryption software are being developed that aim to address the vulnerabilities associated with traditional forms of encryption such as Public Key Encryption. At issue with traditional methods are traceability of authorship through the use of digital signatures (no true anonymity) and the decryption of messages and files that may be stored by third parties by either breaking the encryption or by legal means requiring the handing over of encryption keys (no true privacy).
The most recent cryptographic software includes:
– TextSecure – an encrypted mobile instant messaging app for Android phones that provides ‘forward secrecy’ of communications with others using the same app. It can send and receive both encrypted and unencrypted text (SMS) and media (MMS) messages, and attachments files. Messaging is compatible with Signal, the IOS version of TextSecure [TSR01].
– Signal – an encrypted mobile instant messaging and voice calls app for IOS phones that provides ‘forward secrecy’ of communications with others using the same app [SIL01]. Messaging is compatible with TextSecure, the Android version.
– Red Phone – an encrypted voice calling app for Android phones that uses Wi-Fi or data rather than mobile voice plans [RPH01].
– Silent Phone – encrypted voice and video calls on mobile devices for iOS and Android. The app can be used with Wi-Fi, EDGE, 3G or 4G cellular anywhere in the world.
– Silent Text – encrypted text messaging for iOS and Android with ‘burn functionality’ feature that destroys selected messages.
– Silent Contacts – encrypted address book for mobile phones.
– Blackphone – is an Android adapted phone using PrivatOS that focuses on enhancing privacy and security. It has a subscription-based service that enables users to make both encrypted and unencrypted voice calls. It also includes encrypted chat, browsing, file sharing, texting and conference calls.
Forward secrecy – ensures that every new connection uses unique and ephemeral key information, this ensures that if long-term keys (e.g. PGP/GPG) are compromised that the content of messages cannot be decrypted [EFF02].
Privacy and security of business and personal digital communication has received increased interest since the Snowden revelations of June 2013. In addition, the vulnerabilities associated with Public Key Encryption have been a catalyst for developers to provide more secure encryption to users.
CryptoCat (CCA)
Electronic Frontier Foundation (EFF)
1) https://ssd.eff.org/en/module/how-install-and-use-chatsecure
2) https://www.eff.org/deeplinks/2014/07/forward-secrecy-brings-better-long-term-privacy-wikipedia
Guardian Project (GPR)
1) https://guardianproject.info/apps/chatsecure
2) https://chatsecure.org/blog
Mailpile (MPE)
1) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security
Open Whispers (OWH)
1) https://whispersystems.org/about/
TextSecure (TSR)
1) https://whispersystems.org/
Signal (SIL)
1) https://whispersystems.org/blog/signal/
2) https://ssd.eff.org/en/module/how-use-signal-%E2%80%93-private-messenger
3) http://www.wired.com/2014/07/free-encrypted-calling-finally-comes-to-the-iphone/
Red Phone (RPH)
1) https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone&hl=en
Pond (PND)
1) https://pond.imperialviolet.org/
2) https://pond.imperialviolet.org/tech.html
3) https://pondgw.hoi-polloi.org/usage
Schneier on Security (SCH)
1) https://www.schneier.com/blog/archives/2012/08/cryptocat.html
Silent Circle (SCR)
1) https://silentcircle.com/services
Soghoian, Christopher (SOG)
1) http://paranoia.dubfire.net/2012/07/tech-journalists-stop-hyping-unproven.html
Tony Arcieri (TAR)
1) http://tonyarcieri.com/whats-wrong-with-webcrypto
W3C, Web Cryptography API (W3C)
1) http://www.w3.org/TR/WebCryptoAPI/
Wired (WIR)
1) http://www.wired.com/2012/07/crypto-cat-encryption-for-all/
Zur:linux (ZUR)
1) http://zurlinux.com/?p=1772
There are options for preserving privacy and security that do not rely upon cryptographic technologies. Rather some people choose a selection of workarounds for communicating sensitive information.
The most well known techniques include:
Alternatives to cryptographic software – these techniques can be used as alternatives to cryptographic software. They can be considered workarounds to secure communication that may include digital or face-to-face methods.
American Civil Liberties Union (ACU)
1) https://www.aclu.org/blog/free-future/surveillance-and-security-lessons-petraeus-scandal
Ars Techica (ARS)
Electronic Frontier Foundation (EFF)
1) https://ssd.eff.org/en/glossary/burner-phone
The Centre for Investigative Journalism (CIJ)
1) http://www.tcij.org/resources/handbooks/infosec/chapter-7-phones-voicevideo-calls-over-internet
Mailpile (MPE)
1) https://github.com/mailpile/Mailpile/wiki/FAQ-Encryption-&-Security
Washington Post (WAS)
]]>Graphic of a VPN, www.legacytec.com/Pages/VPN.html
A Virtual Private Network (VPN) network provides secure access to online data by creating a private network with which to access both the public Internet and other internal organisational networks. A VPN uses tunneling protocols thus encrypted data at the sending end and decrypted at the receiving end.
VPNs allow for greater privacy because data packets are encrypted as the move across the Internet making it difficult to know the activities of users. Additionally, it allows users to access private networks that run within organisations such as universities and companies. These allow users to access content that would not be available otherwise.
Techniques include, each have their own technical strengths and weaknesses [BPN01]:
Best VPN (BPN)
1) https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/
Spiegel (SPI)
1) http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html
Scott, C., Wolfe, P., Erwin, M (SCO), Virtual Private Networks. O’Reilly, 1999.
1) http://shop.oreilly.com/product/9781565925298.do
]]>
The Invisible Internet Project (I2P) is an anonymous peer-to-peer communication layer, an offshoot of Freenet (GIZ01) designed to run any Internet service (email, IRC, file sharing, HTTP, Telnet) as well as distributed applications. Its aim is to “protect communication from dragnet surveillance and monitoring by third parties such as ISPs” (I2P01). A computer running the I2P software is called an I2P node.
All communication in I2P is encrypted end-to-end and forwarded through a network of nodes to conceal the source and destination of the traffic. The communication endpoints are identified by cryptographic keys (I2P01).
I2P can be used to host services that are only accessible via the anonymising network. Websites published via I2P, known as “eepsites”, use domain names ending with the ‘.i2p’ suffix.
I2P has been called a “super anonymous network” (GIZ01) where users can gain access to content that is not available outside the network. Unlike Tor, users cannot browse the public Internet with the I2P software.
People using I2P can control the trade-offs they make between anonymity, reliability, bandwidth usage, and latency by choosing the number of nodes their data passes through (I2P01).
Gizmodo (GIZ)
1) http://gizmodo.com/i2p-the-super-anonymous-network-that-silk-road-calls-h-1680940282
Invisible Internet Project (I2P)
1) https://geti2p.net/en
2) https://geti2p.net/en/docs/how/threat-model
EFF: How Tor Works
Tor is software that directs Internet traffic through a network of relay servers in order to conceal the source and destination of the traffic. It allows for the anonymous sharing of information over the Internet, and can be used to circumvent Internet censorship (TOR01). Tor also enables the creation of hidden services, which hide the locations of people who publish content or run servers (TOR02).
Tor can be used by software developers to create new communication tools with built-in privacy features (TOR01).
Tor is a volunteer network of computers, known as relays or nodes. These nodes receive traffic and forward it to other nodes so that it will eventually go to its final destination. Tor can be used to browse the web anonymously using the Tor Browser, a modified version of the Mozilla Firefox web browser. Opening the browser automatically connects to the Tor network (EFF01). The network is used by a variety of people who want to maintain their anonymity. It is regularly used by journalists, activists and whistleblowers (TOR05).
The NSA attacked the Tor network through its programme EGOTISTICAL GIRAFFE (GUA01). The programme exploited a bug in the web browser to de-anonymise Tor users (MOZ01, SCH01). The bug has since been fixed.
Electronic Frontier Foundation (EFF)
1) https://www.eff.org/torchallenge/what-is-tor.html
Guardian (GUA)
1) http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document
Dingledine, R., Mathewson, N., Syverson, P. (DIN)
1) Tor: The Second-Generation Onion Router. 2004. https://svn.torproject.org/svn/projects/design-paper/tor-design.pdf
Manils, P., Abdelberri, C., Le Blond, S., Kaafar, M., Castelluccia, C., Legout, A., Dabbous, W. (MAN)
1) Compromising Tor Anonymity Exploiting P2P Information Leakage. 2010. http://cryptome.org/2013/04/tor-p2p-compromise.pdf
Mozilla (MOZ)
1) https://blog.mozilla.org/jorendorff/2013/12/06/how-egotisticalgiraffe-was-fixed/
Schneier on Security (SCH)
1) https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html
TAILS (TAI)
1)https://tails.boum.org/doc/about/warning/index.en.html
Tor Project (TOR)
1) https://www.torproject.org/about/overview.html.en
2) https://www.torproject.org/docs/hidden-services.html.en
3) https://blog.torproject.org/category/tags/traffic-confirmation
4) https://www.torproject.org/docs/faq-abuse.html
5) https://www.torproject.org/about/torusers.html.en
The Freenet logo
Freenet is a peer-to-peer platform designed to enable the anonymous publishing and retrieval of information, in order to counter the censorship of information on the Internet (FRE01).
Freenet is not a proxy for accessing the Internet anonymously; it allows access only to content that has been inserted into the Freenet network. It is not an application, but rather an application-neutral, anonymous transport layer that many different applications can use (FEH01). Users of these applications can publish and view websites, download files, use email and bulletin board systems, and other things that can be done on the Internet. In this respect, Freenet is similar to Tor’s hidden services. Freenet can be thought of as an anonymous Internet within the Internet.
Freenet is an overlay network that is constructed on top of the Internet. It was created to mitigate censorship and to facilitate the free flow of information and freedom of speech. A driving factor for developing the platform is that “you cannot have freedom of speech without the option to remain anonymous” (FRE02).
Freenet (FRE)
1) https://freenetproject.org/whatis.html
2) https://freenetproject.org/philosophy.html
3) https://freenetproject.org/faq.html
Freenet Help (FEH)
1) http://www.freenethelp.org/html/FreenetForDummies.html