On Mar 18, 2015 10:25 PM, "Stephen J. Turnbull" <stephen@xemacs.org> wrote:
> Sreyanth writes:
>
> > Hi Terri & others
> >
> > I am Sreyantha Chary (you can call me Sreyanth), a current MBA student at
> > IIM Ahmedabad. I have been a GSoC student for the past 2 years and would
> > like to hack on Mailman this year.
> >
> > I am interested in implementing the *anonymous* users feature and
> > dashboards for admins/owners/mods.
> >
> > I have a few questions in mind about the anonymous users feature.
> >
> > - Let's say a user A sends an email and it gets disguised as <foo>@<bar>.
> > Should the user B who sends another anon email get disguised as <foo>@<bar>?
>
> No. Each user's "disguised address" (I think the term most used is "alias") needs to be different from other users. The real-id-to-alias mapping might be consistent for the whole site, only within a list or a thread, or even be regenerated per-post, depending on the use case. It might be an option, or you can pick one. There has been discussion of this on-list, see the archives.
So I was brainstorming on this and decided to use a consistent alias mapping for the whole site. Reasons being:
- If it's not implemented this way, the same alias could mail many lists and threads even if it's not the same user. There might be some response bias if the alias is that of a well-known person or if it's a huge spamming alias.
- Regenerating per post isn't a good idea either, as people usually remember the aliases when they read an email. If the next day they don't find it, it's a bad user experience.
- Picking a username might create chaos, as people might go for offensive names which may cause a ruckus on the list. Rare, maybe, but still a possibility.
- So system-generated aliases should be a good idea. But random aliases like ahdjdunakdjs may not be easy to remember.
- So the option could be to give the user an option to pick the username (in which case it has to pass certain rules, like not being able to contain vulgarity, gender-sensitive terms or something similar. The admin could add to this list of words).
- If the user opts for a system-based username, the system could generate nice dictionary-based names. How feasible is it? Will have to see. Need not be dictionary-based; anything which can be easily memorized should do.
- Also, the list administrator would have an option of allowing or disallowing anonymous users on the list.
- In case there were anon emails earlier and the admin changes the setting to disallow anonymous emails now, the earlier emails would have their display aliases changed to Anonymous. This is because any admin can exploit the feature if we don't do this, as the real user could respond on the same thread and the anonymity mapping becomes known to the others. Especially since I am proposing to use a consistent real-id-to-alias mapping, this is a good thing to do.
> > - How do we store the email mapping? The email identifier mapped to the user's email or the list's subscriber ID for that user?
>
> That's a requirements issue that you should think about and tell us what you decide and why.
So I have decided to use a user's email ID for mapping instead of the list's subscriber ID, to maintain a consistent id-alias mapping throughout the site.
> > Are we looking at implementing an encryption/decryption algorithm here for additional security?
>
> Depends on the threat model, that is, whose anonymity you want to protect from whom.
I want to protect the anonymity of the user who opted for being anonymous. At the same time, a simple exploit should not let anyone with access to the database know who is who. I don't think this is ideally possible, as a few hours or days of network listening might eventually tell who is who. So to make this less straightforward I want to use AES, as it's fast and strong. Now where do we store the key? What are your thoughts?
Thanks,
Sreyanth
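The following is an added example written for this page, not code from Mailman or from the thread's participants. It sketches the design points argued above: a consistent real-id-to-alias mapping derived from a site secret, with the scope selectable between site-wide and per-list; memorable dictionary-style aliases; an admin-extensible block list for user-chosen aliases; and the fallback to "Anonymous" when a list stops allowing anonymous posts. Instead of the AES encryption proposed in the mail it uses an HMAC, a keyed one-way function: when only consistency is needed nothing reversible has to be stored, so a reader of the database learns nothing from the archived aliases without the key. `SITE_KEY`, the word list, the blocked words and every function name are assumptions made for the example.

```python
"""Keyed, consistent alias mapping for anonymous list posters (added example)."""
import hashlib
import hmac
import re

# Hypothetical site-wide secret. In a deployment it would live in Mailman's
# config file (or a KMS), never in the same database as the archived posts.
SITE_KEY = b"example-site-key-change-me"

# Constructed word list; a real deployment would use a much larger one.
WORDS = ["amber", "birch", "cedar", "delta", "ember", "falcon", "garnet",
         "harbor", "indigo", "juniper", "kestrel", "lagoon", "meadow",
         "nimbus", "orchid", "pebble"]

# Words a user-chosen alias may not contain; list admins would extend this.
BLOCKED_WORDS = {"admin", "moderator", "mailman", "owner"}

# Lowercase letters, digits and hyphens, 3 to 32 characters, no edge hyphens.
ALIAS_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,30}[a-z0-9]")


def derive_alias(email: str, scope: str = "site") -> str:
    """Map a real address to a memorable alias, deterministically.

    The same (SITE_KEY, scope, address) always yields the same alias, which is
    the site-wide consistency argued for in the thread; passing a list id as
    the scope instead gives a per-list mapping.  Because the derivation is a
    keyed one-way function, the archive needs to hold only aliases: without
    the key they cannot be linked back to addresses, other than by guessing
    an address and re-deriving.
    """
    address = email.strip().lower().encode()
    message = scope.encode() + b"\x00" + address
    digest = hmac.new(SITE_KEY, message, hashlib.sha256).digest()
    first = WORDS[digest[0] % len(WORDS)]
    second = WORDS[digest[1] % len(WORDS)]
    tag = digest[2:4].hex()  # keeps two users who draw the same words distinct
    return f"{first}-{second}-{tag}"


def alias_address(email: str, list_domain: str, scope: str = "site") -> str:
    """The <foo>@<bar> form that a disguised post is sent from."""
    return f"{derive_alias(email, scope)}@{list_domain}"


def validate_chosen_alias(alias: str, extra_blocked=()) -> bool:
    """Rules for a user-picked alias: syntactically plain and free of any
    blocked word, including words an admin added for this list."""
    if not ALIAS_RE.fullmatch(alias):
        return False
    blocked = BLOCKED_WORDS | set(extra_blocked)
    return not any(word in alias for word in blocked)


def display_name(email: str, anonymous_allowed: bool, scope: str = "site") -> str:
    """Name shown in the archive.  When a list stops allowing anonymous
    posting, older posts fall back to a generic label so that a later signed
    reply on the same thread cannot be tied to the alias."""
    if not anonymous_allowed:
        return "Anonymous"
    return derive_alias(email, scope)


if __name__ == "__main__":
    for who in ("alice@example.org", "Alice@Example.org", "bob@example.org"):
        print(who, "->", alias_address(who, "lists.example.org"))
    print(display_name("alice@example.org", anonymous_allowed=False))
```

If replies addressed to the alias must be delivered to the real subscriber, a reverse mapping still has to be stored somewhere, and then the question the mail ends on (where the AES key lives) applies to that table; the keyed derivation above only removes the need to store anything for display purposes.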