[Mailman-Developers] GSOC, Anonymous Lists

Pavan Koli pskoli93 at gmail.com
Mon Mar 16 04:32:12 CET 2015


> I have the same doubt.  You need to define "anonymous list".  In
> particular, specify who is, and who is not, supposed to be able to
>
> 1.  See email addresses of subscribers.
> 2.  Figure out whether two posts are from the same person.
> as well whether you need to
> 3.  Ensure that subscribers' posts can't be spoofed.
>

These sites are already using anonymous lists:
http://www.na.org.za/mailing-lists,
http://www.12stepforums.net/mailinglist.html,
http://www.e-aa.org/maillist.html.

From the above I deduced that there can be three different use cases.

1. The list manager is a doctor treating their patients. In this case
they'll be able to view patients' e-mail ids. The e-mail ids will be mapped
to something like "anonymous_timestamp at domain". The list manager in this
case will have an interface where the anonymous ids will be listed along
with the real e-mail ids. This shall help them know whether two posts are
from the same patient or not, and also be able to communicate with patients
if the time arises. This list can be like an online support group where the
list manager is the doctor and the members are his patients.
Lists like http://www.12stepforums.net/mailinglist.html will come under
that category.

2. The second use case can be when the list manager himself cannot be
trusted with the details; suppose there is an online mailing list for
drug addicts to overcome their addiction, created by an ex-drug addict. But
we cannot trust our mail ids with this person, as we don't know his
intentions clearly. In these cases the list manager cannot be trusted fully,
or the list manager has no use for knowing my email id. Here the list manager
won't have any interface mapping anonymous ids to the original ids, but
can identify whether two mails are by the same user or not by looking at the
header "From: anonymous id" on the two mails.
Lists like http://ottawana.org/, where members help each other, are such a
case: the list manager has no business knowing the e-mail ids of members as
he is not offering any help, like the doctor in the previous case, so they
would remain hidden from him. But if someone tries to spam the mailing list,
that person can be caught by noting his anonymous id.

3. I didn't come across a single mailing list for whistleblowers,
activists, or people trading very sensitive information. Suppose there is
a group of whistleblowers and journalists who are connected through this
mailing list. Obviously in this case the list manager won't be able to note
my real e-mail id, but can verify me using my public key (X.509
certificate); the mails in such cases would be regarding national
interests. Hence, there can be hacking attempts on the database or mail
spoofing attempts.

Hacking attempts can be made futile as the people registering for this
mailing list are definitely not going to register with their actual mail
ids; hence even if those stored mail ids are exposed, there is very little
chance of them getting caught.
Sites like (http://www.sendanonymousemail.net/, http://www.33mail.com/,
https://www.hushmail.com/) provide anonymous mail id creation.

Mail spoofing attempts can be stopped by encrypting mails using PGP, but
there is one problem. The person encrypting the mail would have to share
their public key with everyone on the mailing list, which can be a tedious
task as mailing lists keep on changing in size, and also mails can be
leaked if the public key falls into the wrong hands.

I've come up with a solution for this: these mailing lists will be kept in
a very different category from others. Here whenever a user registers,
they'll also have to provide their public key.
So now it will work in this way:
* User A will encrypt a message using his private key (PGP) and send it to
the mailing list.

* On receiving a message, it will be decrypted using the public key provided
from the database.

* Now a session key will be generated, and it will be encrypted for
different users using their public keys. So suppose ABC is a session key
and user B, user C and user D are there. The session key will be encrypted
differently for each user using their public key.
(Although another way would be to encrypt the contents of the message
using the public keys of the users, so every message would be encrypted
differently depending on the user's public key. But in this situation there
can be a lot of time loss, as the time taken would increase with the size of
the mailing list; it can be implemented in cases where security is more
important than time, so it'll depend on further details like the size of the
list.)

* The message contents will be encrypted using the session key to overcome
the time overhead mentioned above.

* The users will first decrypt the session key using their private keys and
use it (the session key) for decrypting the original message.

This can be thought of as a safe method, as people trying to spoof the
messages won't be able to do anything, which is what I suppose.

Maintaining a mail archive or not will be the decision of the mailing list
managers.

This case doesn't necessarily apply to whistleblowers only, another use
case can be between police and secret informants. Informants can pass
messages through the mailing list.

Problem: the list manager has to be authentic. Using their public key, list
subscribers can verify their authenticity (or I propose a public key for the
list itself, and then people can use it to verify the list's authenticity).
Authenticity can be established using a public key and an X.509 certificate;
more info here: http://en.wikipedia.org/wiki/X.509.

Working of PGP keys:
http://www.makeuseof.com/tag/pgp-me-pretty-good-privacy-explained/
Idea for session key usage, and how to prevent identity spoofing:
http://en.wikipedia.org/wiki/GNU_Privacy_Guard#Process

The encrypting and decrypting can be implemented by putting appropriate
code in the pipeline process of the respective queues.

Sorry for such a long message; suggestions and criticism are welcome. I want
to know the areas where this mailing list would fail in its work of keeping
its members anonymous. Should I go forward with creating a project proposal
with this idea for GSoC?
-- 
Pavan Shankar Koli

GitHub- www.github.com/pkoli
Website- www.techjugaadcenter.me/pkoli
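The session-key scheme in the bullets above (sender authenticated with the key registered at sign-up, body encrypted once under a fresh session key, that key wrapped separately for each member, and a "From: anonymous id" that lets the list tell posts from the same author apart), as an added example that is not code from the original post, from Mailman, or from GnuPG. It is written in Go rather than Mailman's Python so that it runs with only the standard library. Everything concrete in it is an assumption for the demo: Ed25519 signatures stand in for the PGP "encrypt with private key, decrypt with the stored public key" step, RSA-OAEP wraps an AES-256-GCM session key, the anonymous id is derived from the subscriber's key fingerprint, and the names `Subscriber`, `AnonID`, `ListProcess`, `Open`, `NewMember` and the `list.example` domain are invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Subscriber is what the list stores at registration: keys only, no address.
type Subscriber struct {
	Verify  ed25519.PublicKey // checks the sender's signature
	Encrypt *rsa.PublicKey    // wraps the session key for this member
}

// AnonID derives a stable pseudonym from the signing key, so "same author?"
// is answerable without a table of real addresses (assumption: key fingerprint).
func AnonID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "anon-" + hex.EncodeToString(sum[:6]) + "@list.example"
}

// Envelope is what the list distributes: one ciphertext, one wrapped key per member.
type Envelope struct {
	From       string
	Nonce      []byte
	Ciphertext []byte
	WrappedKey map[string][]byte // anonymous id -> RSA-OAEP wrapped session key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewMember generates fresh keys for a demo subscriber (constructed data).
func NewMember() (Subscriber, ed25519.PrivateKey, *rsa.PrivateKey) {
	vpub, vpriv, _ := ed25519.GenerateKey(rand.Reader) // errors only on a broken RNG
	epriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return Subscriber{Verify: vpub, Encrypt: &epriv.PublicKey}, vpriv, epriv
}

// ListProcess is the list-side pipeline step: drop a post whose signature does
// not verify under the registered key, encrypt the body once, wrap the key per member.
func ListProcess(members map[string]Subscriber, from string, body, sig []byte) (*Envelope, error) {
	sender, ok := members[from]
	if !ok || !ed25519.Verify(sender.Verify, body, sig) {
		return nil, fmt.Errorf("post from %q rejected: unknown sender or bad signature", from)
	}
	keys := make([]byte, 32+12) // AES-256 session key followed by a 12-byte GCM nonce
	if _, err := rand.Read(keys); err != nil {
		return nil, err
	}
	session, nonce := keys[:32], keys[32:]
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	env := &Envelope{From: from, Nonce: nonce, WrappedKey: map[string][]byte{}}
	// Binding the anonymous id as associated data makes a relayed envelope
	// with a swapped From: fail to decrypt rather than misattribute the post.
	env.Ciphertext = gcm.Seal(nil, nonce, body, []byte(from))
	for id, m := range members {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, m.Encrypt, session, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKey[id] = wrapped
	}
	return env, nil
}

// Open is the subscriber side: unwrap the session key with the private key,
// then decrypt the shared body. A member with no wrapped key simply fails.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey[id], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From))
}

func main() {
	a, aSign, _ := NewMember()
	members := map[string]Subscriber{AnonID(a.Verify): a}
	body := []byte("constructed sample post")
	env, err := ListProcess(members, AnonID(a.Verify), body, ed25519.Sign(aSign, body))
	fmt.Printf("envelope built=%v err=%v\n", env != nil && len(env.WrappedKey) == 1, err)
}
```

The cost profile is the one the post describes: the body is encrypted once, and only the small session key is wrapped N times, so the per-message work grows with list size only by N cheap public-key operations instead of N full-body encryptions. Two failure modes are worth checking in any real implementation of this design: a post signed with a key other than the one registered for the claimed anonymous id must be refused before anything is distributed, and an envelope whose From: header is altered in transit must fail to decrypt rather than be shown under the wrong pseudonym, which is what binding the id as associated data buys.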

