ZeitOnline/briefkasten

Enhancement: Introduce a random time delay before sending out an email

alech opened this issue · 4 comments

In a setting where the application is not used very often, an attacker with the ability to do traffic analysis may be able to capture the IP of a whistleblower by correlating the fact that someone accessed the website and the fact that soon after that a mail is sent out. As in anonymous remailers, a random time delay may help to counter this attack (the time delay should be based on the estimated access rates for the application and may be quite large for an application without much usage).
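To make the proposal concrete, here is an added example (not briefkasten's own code) of a delay drawn from the estimated access rate, plus a rough measure of what an observer of the server's traffic gains from it. The access log is a constructed Poisson process standing in for the real front-end log, and the `cover_visits` target is an assumption; the observer is modelled as knowing only the delay bound.

```python
import random
from typing import List, Tuple

HOUR = 3600


def choose_delay(rng: random.Random, visits_per_hour: float,
                 cover_visits: float = 5.0, min_delay: int = 60,
                 max_delay: int = 7 * 24 * HOUR) -> int:
    """Seconds to hold the notification before dispatch.

    The mean delay is chosen so that, at the observed access rate, about
    `cover_visits` unrelated visits land between upload and dispatch; an
    exponential draw keeps the exact delay unpredictable. Use
    random.SystemRandom() in production, not a seeded generator."""
    mean = cover_visits * HOUR / max(visits_per_hour, 1e-9)
    return int(min(max_delay, max(min_delay, rng.expovariate(1.0 / mean))))


def simulate_visits(rng: random.Random, visits_per_hour: float, hours: int) -> List[int]:
    """Constructed Poisson arrivals (seconds since start) standing in for
    the access log; the real log is not part of this example."""
    t, visits = 0.0, []
    while t < hours * HOUR:
        t += rng.expovariate(visits_per_hour / HOUR)
        visits.append(int(t))
    return visits


def candidate_set(visits: List[int], dispatch_time: int, max_delay: int) -> List[int]:
    """Visits an observer who sees the outgoing mail at `dispatch_time` and
    knows only the delay bound cannot rule out as the submission."""
    return [v for v in visits if dispatch_time - max_delay <= v <= dispatch_time]


def compare(seed: int = 7, visits_per_hour: float = 2.0) -> Tuple[int, int]:
    """Candidate-set size with immediate dispatch vs. with a random delay."""
    rng = random.Random(seed)                       # seeded only for reproducibility
    visits = simulate_visits(rng, visits_per_hour, hours=24 * 7)
    submit_time = visits[len(visits) // 2]          # the whistleblower's upload
    immediate = candidate_set(visits, submit_time, max_delay=0)
    max_delay = 7 * 24 * HOUR
    dispatch = submit_time + choose_delay(rng, visits_per_hour, max_delay=max_delay)
    delayed = candidate_set(visits, dispatch, max_delay)
    return len(immediate), len(delayed)


if __name__ == "__main__":
    print(compare())
```

The candidate set grows with the delay bound, not with the mean, so a heavy-tailed draw with a short cap still lets an observer weight the most recent visits; the cap has to be sized to the site's real access rate.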

As I understand it, the submitter will not get an e-mail (that would require him to enter an email address). Only the journalist will receive one.

@sebastianw True, but the fact itself that an email is sent out and some IP visited the site just before that (and possibly uploaded a few megabytes of documents, which can be easily spotted in traffic analysis) may be enough.

Come to think of it, it should be quite easy to spot submitters by the amount of traffic they make to the server. Maybe also introduce a random amount of upload traffic for non-submitters?

So... decoy traffic might fit in here, or how mix networks like Mixmaster work with delays for sending anonymous emails. I would not actually advise using email for sending the published material, but rather making some login system from which people could download the material and investigate and decrypt it on their laptops. But using something like Mixmaster won't cut it here, I think. Not a lot of people use the Mixmaster network anymore. There are better alternatives these days, like the Tor network, for anonymous communication. I would advise either doing email over the Tor network and letting mail servers connect over Tor hidden services, OR completely ditching the email idea and going with a login system where people can also work in a collaborative way?

IMO sending out the material via email is one of the key design points of the application. If we keep the submitted material on the web server itself, it could be compromised.

Also, if the attacker has full monitoring abilities on the briefkasten server itself (as opposed to just the submitter's network), there will always be information leakage, no matter what.

Note that the submitter never gets any email, so none of the above could be noticed by the attacker (unless he has access to the network the server runs on).

Feel free to disagree and re-open, but I'm closing this for now.