Version 45 (modified by karsten, 6 years ago)

Remailing

This How-To is intended to increase the security and anonymity of remailing with SMTP, M2N, HTTP/S Stats Updates and NNTP/S to the *highest* possible level.

In this How-To I detail the use of the remailer client QuickSilver; I use this example as QS is the client I use. Another excellent, free and open-source client is Jack B. Nymble 2 (Panta's Mod). I have not tested these routes on JBN2 Panta; however, JBN2 Panta should be able to use the routes I describe.

This How-To details:

  1. How to route your QS FTP Plugin downloads through QS > Tor > QS FTP Page
  1. How to route your Stats Updates (via SSL [HTTPS]) through QS > Stunnel > Tor > Stats Updates
  1. How to force QS to use only MixMaster (Type II) remailers in your 'Chain:' header
  1. How to route your SMTP & M2N messages (via TLS) through QS > Stunnel > Tor > SMTP/M2N
  1. How to download NG messages (via TLS) through QS > Stunnel > Tor > NNTPS
  1. How to route your SMTP & M2N messages (via Hidden Services) through QS > Tor > Hidden Services > SMTP/M2N
  1. How to download NG messages (via Hidden Services) through QS > Tor > Hidden Services > NNTP

This How-To is written in layman's language, but it's not "dumbed down".

These instructions should work fine for any OS, but I have only tested them on Windows XP Home and 98SE (don't worry, I'm not an average Windoze user ;-).

Tor, TLS, SMTP, M2N & NNTP/S

If you use remailers you can also use TLS and Tor to add additional layers of encryption and anonymity. There are only a few remailers that accept TLS connections and offer non-standard SMTP ports; my favorite is mail.bananasplit.info, another good one is panta-rhei.dyndns.org.

The capabilities of each remailer's mail server can be checked at http://www.noreply.org/tls/ . Pay particular attention to the "TLS" column, which indicates the ciphers the mail server supports. To gain maximum benefit, pick ones that use 'Ephemeral' ciphers (a fresh Diffie-Hellman key per session, so a later compromise of the server's key does not expose recorded traffic); generally these cipher names begin with either "EDH" or "DHE". Also, try to ensure the remailer you choose has a "yes" in the "2525" column.
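As an added illustration (not part of the original How-To), the following Python script applies the selection rule above to a small table in the shape described here (remailer, advertised TLS cipher, port 2525 support): it keeps remailers whose cipher uses an authenticated ephemeral Diffie-Hellman exchange and that answer on 2525, and it also recognises the elliptic-curve ECDHE form and rejects anonymous DH, which goes beyond the two prefixes named above. The rows, ciphers and the remailer name "testmailer" are constructed sample data, not real measurements.

```python
from typing import Dict, List

# Constructed sample rows in the column layout the How-To describes for the
# noreply.org TLS page. Ciphers and the "2525" answers are made up.
SAMPLE_TLS_TABLE = """\
remailer    tls                        2525
banana      DHE-RSA-AES256-SHA         yes
panta       EDH-RSA-DES-CBC3-SHA       yes
testmailer  DHE-RSA-AES128-SHA         no
italy       AES256-SHA                 no
austria     ADH-AES256-SHA             yes
starwars    -                          no
"""

# OpenSSL cipher-name prefixes meaning a fresh DH key per session.
# EDH and DHE are the names the How-To mentions; ECDHE is the elliptic-curve form.
EPHEMERAL_PREFIXES = ("EDH-", "DHE-", "ECDHE-")
# Anonymous DH is ephemeral but unauthenticated: anyone in the path can
# impersonate the remailer, so it is rejected despite the DH in its name.
ANONYMOUS_PREFIXES = ("ADH-", "AECDH-")


def is_ephemeral_cipher(name: str) -> bool:
    """True if the cipher name denotes authenticated ephemeral Diffie-Hellman."""
    upper = name.upper()
    if upper.startswith(ANONYMOUS_PREFIXES):
        return False
    return upper.startswith(EPHEMERAL_PREFIXES)


def parse_tls_table(text: str) -> List[Dict[str, str]]:
    """Parse whitespace-separated rows into dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip malformed rows rather than misalign the columns
        rows.append(dict(zip(header, fields)))
    return rows


def pick_tls_remailers(text: str, require_2525: bool = True) -> List[str]:
    """Remailers offering an ephemeral cipher (and answering on 2525 if required)."""
    chosen = []
    for row in parse_tls_table(text):
        if not is_ephemeral_cipher(row["tls"]):
            continue
        if require_2525 and row["2525"].lower() != "yes":
            continue
        chosen.append(row["remailer"])
    return chosen


if __name__ == "__main__":
    print(pick_tls_remailers(SAMPLE_TLS_TABLE))  # ['banana', 'panta']
```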

I assume you have a working knowledge of MixMaster, Reliable, Cypherpunks, PGP (6.5.8.ckt 08), Stunnel, QuickSilver (or JBN2 Panta mod) and Tor.

All these programs and apps are free and open-source (except SocksCap). Some programs (like SocksCap) are OS specific; you'll need to find a Socks forwarding program for your OS.

With these configurations in place, use of QS and the remailer network should be completely masked; an adversary will be unable to tell you are using the following protocols and programs. All this is possible via Tor, the Onion Route Network 2, Hidden Services and TLS Ephemeral encryption.

The following traffic will be completely hidden from an adversary:

  • QS FTP Plugin Downloads
  • HTTPS Stats Updates
  • Incoming/outgoing mail (SMTP & M2N)
  • Mixmaster characteristics
  • Cypherpunks characteristics
  • Downloading on-topic NNTP/S NG messages (like a.a.m)

QS FTP Component Downloads

After you first install QS.exe (current release) you should use QS "Update Wizard" to download QS plugins (POP, PGP, NNTP, etc) and MixMaster.

You can use the route of QS > Tor > QS FTP Page to download QS plugins and MixMaster.

If you use this route an adversary won't know you are accessing QS's FTP page; all they can see is that you are using Tor and the Onion Route Network 2. There is no indication you are using a remailer client, or that you are accessing the FTP page and downloading plugins, updates and MixMaster.

Start QS > Help > Update Wizard > Proxy:

Proxy Host: 127.0.0.1
Proxy Port: 9050
Socks Level: 4a

Click "Next" to access the QS FTP page.
Highlight the .exe, .sig or .txt files you want to download via QS > Tor > QS FTP and click "Next".

After you download a file re-access the QS FTP as per above and choose your next download.

QS HTTPS Remailer Statistics & Keyring Updates

You can configure QS to access remailer Stats Pages via SSL (HTTPS) and Tor. In this example I use Banana's HTTPS Stats Page; Panta also offers an SSL (HTTPS) Stats Page. These Stats Pages are accessed via QS > Stunnel > Tor > Stats Page.

These settings will route Stats Update traffic via SSL (HTTPS) and Tor from Banana's HTTPS Stats Page to you; alternatively you could use Panta's SSL (HTTPS) Stats Page.

If you use QS, Stunnel and Tor to access Banana's Stats Page (echolot) via an SSL (HTTPS) connection your Stats downloads will be totally anonymous. An adversary would have no idea you are accessing the Stats Page or that you use Mixmaster or the remailing network.

Start QS > Tools > Remailers > Proxy:

Proxy Host: 127.0.0.1
Port: 4430
Socks Level: <none> 

Copy and paste the following URLs into the appropriate Stats URL Pages in the QS URL Manager. Then, double click on the new Banana "echolot" Stats URLs in each Stats Page to bring the new Banana URLs to the top of each list:

Start QS > Tools > Remailers > URL Manager:

Mix List: http://localhost:4430/echolot/mlist.txt
Mix Keys: http://localhost:4430/echolot/pubring.mix
Mix Type II: http://localhost:4430/echolot/type2.list
Cpunk List: http://localhost:4430/echolot/rlist.txt
Cpunk Keys: http://localhost:4430/echolot/pgp-all.asc 

After you click "OK" QS will bring up the "Statistics & Keyrings" window. Ensure the 'echolot' URLs you just entered are in the appropriate text bars (e.g. mlist.txt, rlist.txt, etc).

In the "Statistics & Keyrings" window check the following boxes:

mlist.txt [http://localhost:4430/echolot/mlist.txt]

rlist.txt [http://localhost:4430/echolot/rlist.txt]

Error Check (this disables Type2.list) 

The Type2.list box should be unavailable; Type2.list isn't necessary with QS. Richard created Type1.list to better serve QS's preferred use of Type II MixMaster remailers; Type1.list is a bit easier to read and allows QS to seamlessly use MixMaster remailers.

The boxes "Pubring.txt" and "Pubring.asc" don't need to be checked, as QS automatically updates these with the first Stats Update each day.

Note: You can also download Statistics Updates via Hidden Services offered by Panta; see section 1.2.1 "QS Hidden Services HTTP Remailer Statistics & Keyring Updates" for a detailed How-To.

I have noticed when I Update Stats via Panta's Hidden Services there is a considerable difference in the rlist and mlist Stats vs. Banana's TLS echolot Stats Pages.

For example, there are more remailer and config keys when Updating CypherPunk (Type I; rlist.txt) Stats via Panta's Hidden Services than when Updating CypherPunk Stats via Banana's TLS echolot Stats Pages.

Also, when Updating MixMaster (Type II; mlist.txt) Stats via Panta's Hidden Services the "Broken type-I remailer chains:" and "Broken type-II remailer chains:" sections are missing. Only the "Last update: mixmaster history latency uptime" section is available.

Type I DSS and RSA Issues

This section isn't directly related to TLS or Tor; but this is an important remailing security issue and I didn't think it was too far off-topic.

This section covers the use and security issues of CypherPunks (Type I) and MixMaster (Type II) remailers.

Note: QuickSilver's *only* use of CypherPunk (Type I) remailers is for Nym config keys and reply block remailers.

If you use hard coded or random remailers in your header 'Chain:' QS will by default use MixMaster (Type II) remailers.

QS will not use CypherPunk remailers in the header 'Chain:' unless specified.

DSS and RSA

You can create your PGP NymKey with the DSS algorithm and select DSS-capable Type I NymServers and DSS-capable Type I ESUB remailers for use in your reply block.

Type II remailers (MixMaster) offer DSS keys which will be automatically selected and used in the header 'Chain:'.

Note: It is possible to create and remail with a PGP NymKey using the DSS algorithm with an 'encryption key' bit size of 4096 and a 'signing key' bit size of 1024.

'Disable Key' DSS & RSA Type I Keys

Another option that can increase your security is to use the "Disable Key" option on certain CypherPunk remailer keys.

If you created your PGP NymKey with the DSS algorithm then select Type I NymServers and Type I reply block ESUB remailers that offer DSS keys.

You can then use the 'Disable Key' option on all RSA remailer keys in the CypherPunk Keyring to ensure QS only uses DSS CypherPunk remailers.

Or, if you prefer RSA, you can use the 'Disable Key' option on all DSS keys so that QS only uses RSA CypherPunk remailers.

Type II Exit Remailer

For increased reliability and control you can select a Type II remailer to use as a hard coded Exit remailer in your header 'Chain:'.

When choosing your hard coded Exit remailer read the "cap codes" of each remailer listed in the MixMaster keyring.

Attempt to choose a Type II remailer with the following capabilities:

N = Posting to news
C = Compression
m = posting via M2N gateway
p = posting via local inews

Try to choose a remailer without this capability:

M = Middleman Only

Also, read "mlist.txt" to ensure you're choosing a remailer with very good "uptime" (100%) and a quality "history".

Mlist.txt is located under View > mlist.txt.

Here is a sample message header with a Type II remailer hard coded as the Exit remailer in the header 'Chain:':

Chain: banana,*,*,starwars; copies=6
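As an added example (not code from the How-To or from QuickSilver), this Python script applies the cap-code and uptime rules above to constructed pubring.mix key-header lines and mlist.txt stats lines in the layout the page describes, and then builds the 'Chain:' header with the chosen Exit remailer. All key IDs, histories, latencies and uptimes are made up, as are the remailer names not mentioned on this page ("zebra"); the history column is assumed to use '+' for a good period and '-' or '?' for a failed or unknown one.

```python
import re
from typing import Dict, List, Tuple

# Constructed pubring.mix excerpt: only the key header lines
# (name address keyid version caps) are used; key bodies are skipped.
SAMPLE_PUBRING = """\
banana mixmaster@bananasplit.info aaaaaaaaaaaaaaaa 2.9.0 CNm
-----Begin Mix Key-----
aaaaaaaaaaaaaaaa
-----End Mix Key-----
starwars mix@starwars.example bbbbbbbbbbbbbbbb 2.9.0 CNp
zebra mix@zebra.example cccccccccccccccc 2.9.0 CNm
italy mix@italy.example dddddddddddddddd 2.9.0 CNm
austria mix@austria.example eeeeeeeeeeeeeeee 2.9.0 MC
panta mix@panta.example ffffffffffffffff 2.9.0 CNm
"""

# Constructed mlist.txt excerpt in the "mixmaster history latency uptime" layout.
SAMPLE_MLIST = """\
Last update: Wed 18 May 2005 12:00:00 GMT
mixmaster    history       latency  uptime
-------------------------------------------
banana       ++++++++++++     :36  100.00%
starwars     ++++++++++++    2:11  100.00%
zebra        ++++++++++++    1:05  100.00%
italy        ++++++-+++++    3:03   91.67%
austria      ++++++++++++    1:14  100.00%
panta        ++++++++++?+     :52  100.00%
"""

KEY_LINE = re.compile(r"^(\S+)\s+\S+@\S+\s+[0-9a-f]{8,}\s+\S+\s+([A-Za-z]+)")
STAT_LINE = re.compile(r"^(\S+)\s+([+?-]{12})\s+(\d*):(\d{2})\s+(\d+(?:\.\d+)?)%")


def parse_pubring(text: str) -> Dict[str, str]:
    """Map remailer name -> cap string from pubring.mix key header lines."""
    caps = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            caps[m.group(1)] = m.group(2)
    return caps


def parse_mlist(text: str) -> Dict[str, Tuple[str, int, float]]:
    """Map remailer name -> (history, latency in minutes, uptime percent)."""
    stats = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if not m:
            continue
        name, history, hours, minutes, uptime = m.groups()
        stats[name] = (history, int(hours or 0) * 60 + int(minutes), float(uptime))
    return stats


def is_exit_candidate(caps: str) -> bool:
    """N = posts to news, C = compression, m/p = M2N gateway or local inews,
    M = middleman only (cannot be an Exit). Letters are case-sensitive."""
    return "N" in caps and "C" in caps and ("m" in caps or "p" in caps) and "M" not in caps


def pick_exit_remailers(pubring: str, mlist: str, entry: str,
                        min_uptime: float = 100.0) -> List[str]:
    """Exit candidates with the right caps, a clean history and enough uptime,
    fastest first. The entry remailer is excluded so the two ends differ."""
    caps, stats = parse_pubring(pubring), parse_mlist(mlist)
    chosen = []
    for name, cap in caps.items():
        if name == entry or not is_exit_candidate(cap) or name not in stats:
            continue  # a key with no stats line has not been pinged: skip it
        history, latency, uptime = stats[name]
        if uptime < min_uptime or history != "+" * len(history):
            continue
        chosen.append((latency, name))
    return [name for _, name in sorted(chosen)]


def build_chain(entry: str, exit_name: str, middle: int = 2, copies: int = 6) -> str:
    """Hard-coded entry and exit with random (*) middle hops, QS header syntax."""
    hops = [entry] + ["*"] * middle + [exit_name]
    return f"Chain: {','.join(hops)}; copies={copies}"


if __name__ == "__main__":
    best = pick_exit_remailers(SAMPLE_PUBRING, SAMPLE_MLIST, entry="banana")
    print(best)                              # ['zebra', 'starwars']
    print(build_chain("banana", "starwars"))  # Chain: banana,*,*,starwars; copies=6
```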

Reply Block, ESUB and A.A.M. Issues

I highly recommend the use of ESUB and a.a.m. in your reply block.

If you don't use ESUB and a.a.m. in your reply block this section doesn't apply to you.

To use 'Encrypt-Subject:' (ESUB) a single Type I ESUB capable remailer is required in your reply block. QS requires this ESUB remailer to ensure proper delivery of your ESUB messages to a.a.m.

Type I remailers are located on the Cypherpunks keyring; Type I remailers are only used for reply block ESUB messages and NymServer (config) Keys.

Your reply block route will look like this:

Message Origin > Your NymServer > ESUB Type I remailer > M2N > a.a.m. (ESUB message).

When choosing your hard coded reply block ESUB remailers, read the "cap strings" of each remailer listed in the CypherPunks keyring by accessing "rlist.txt".

If you created your PGP Nymkey with the DSS algorithm select reply block ESUB remailers that offer DSS keys.

Also, read rlist.txt to ensure you're choosing remailers with very good "uptime" (100%) and a quality "history". Rlist.txt is located under View > rlist.txt.

Attempt to choose Type I remailers with the following capabilities:

pgp
mix
cpunk
esub 
ek  
latent

Try to choose a remailer without this capability:

middle

Here is a sample reply block with an ESUB remailer to a.a.m.; don't use these Encrypt-Key: and Encrypt-Subject: passcodes.

Reply-Block:
  Anon-To: austria
  Encrypt-Key: cvxbdsfgasfbg
austria
  Anon-To: mail2news_munge@bananasplit.info
  Encrypt-Subject: asdfxbv2q346h
  Encrypt-Key: asdfbv34dfbgfdg
  Newsgroups: alt.anonymous.messages
  Subject: What you want
mail2news_munge@bananasplit.info

QS New Message Window Proxy & TLS Settings

This section of the How-To describes the configuration of QS new message headers, templates and proxies.

QS New Message Proxy Settings

When you are in the window where you encrypt your message and create the message headers there is a "use Proxy" box in the upper right; disable it.

Start QS > header create/message send window > uncheck the "use Proxy" box

QS New Message TLS SMTP Template

This template will route QS traffic as so:

QS > Stunnel (via SocksCap) > Tor (via port 2525) > Tor Entry Node > Tor Middleman Node > Tor Exit Node > mail.bananasplit.info (Entry Remailer & Host) > Random Middleman Remailer > Random Middleman Remailer > italy (Exit Remailer) > recipient.

This route completely anonymizes your use of the remailer network; an adversary will have no idea you are using SMTP, M2N, NNTPS, MixMaster, CypherPunk, etc.

Copy and paste this into the headers section of the send mail window:

Host: 127.0.0.1:2525
From: your nym here@your.nym.server.here
From: your nym here
Chain: banana,*,*,italy; copies=6
To: 
Subject: 

You need to hard code Banana as the first remailer in your chain if you're going to use the Banana TLS Host.

QS New Message TLS SMTP, M2N Template

This template will route traffic to Usenet via the route described above, then on through Banana's M2N gateways.

Copy and paste this into the headers section of the send mail window:

Host: 127.0.0.1:2525
From: your nym here@your.nym.server.here
From: your nym here
Chain: banana,*,*,italy; copies=6
To: mail2news_munge@bananasplit.info, mail2news@bananasplit.info, mail2news@anon.lcs.mit.edu
X-Hashcash: You need Banana's HashCash Token to post via. M2N.
X-No-Archive: Yes
Newsgroups:
References:
Subject: 

Note: Make sure to un-wrap the header "To: mail2news_munge@bananasplit..., mail2news@bananasplit..., mail2news@anon...".

You need to hard code Banana as the first remailer in your chain if you're going to use the Banana TLS Host.

You need to add a Banana HashCash Token to use Banana M2N; get HashCash here: http://www.panta-rhei.dyndns.org/downloads/

Configure Stunnel

This template will accept QS traffic via localhost (127.0.0.1) on port 2525 (SMTP & M2N), port 119 (NNTPS) or port 4430 (HTTPS) and uses Zax's bananasplit.info as the TLS host.

This template will work for:

  1. Sending TLS SMTP
  1. Sending TLS SMTP M2N
  1. Downloading Stats data via TLS (HTTPS)
  1. Downloading NNTPS on-topic NG messages via TLS.

Copy and paste this into your Stunnel .conf file:

debug = 7
# banana.pem is the certificate used to check the Banana host. stunnel only
# checks it when a verify level is set; without "verify" any server that
# answers on the port is accepted, so the CAfile line alone protects nothing.
CAfile = banana.pem
verify = 2
output = log.txt
client = yes
options = all
RNDbytes = 2048
RNDfile = bananarand.bin
RNDoverwrite = yes
#
[BANANA_TLS_SMTP]
# QS talks plain SMTP to 127.0.0.1:2525; "protocol = smtp" makes stunnel
# negotiate STARTTLS with the remote mail server before relaying.
protocol = smtp
accept  = 2525
connect = mail.bananasplit.info:2525
delay = no
#
[BANANA_NNTPS_GROUPS]
# QSNews connects to 127.0.0.1:119; stunnel forwards it over TLS to port 5563.
accept = 119
connect = news.bananasplit.info:5563
delay = no
#
[BANANA_HTTPS_STATS]
# The http://localhost:4430/echolot/... Stats URLs land here and go out over TLS to 443.
accept = 4430
connect = pinger.bananasplit.info:443
delay = no

Configure SocksCap

SocksCap will route traffic from Stunnel into Tor using Socks5.

Import the address of Stunnel.exe shortcut into SocksCap; then when you want to use Stunnel click "Run Socksified".

Start SocksCap > File > Setup >

Socks Server: 127.0.0.1
Port: 9050
Protocol: Socks5
Name Resolution: Resolve all names remotely 

Configure Tor

Upgrade to current stable (or test) release; default setup.

Downloading NNTPS NG Messages

You can also set up QS to download on-topic messages from news.bananasplit.info (NNTPS) via QS > Stunnel > Tor > NNTPS.

All the settings that are required you have already configured; all you need to do is configure the QSNews Plugin (NNTP).

QS NNTP Account Manager Setup

Start QS > Tools > News Accounts >

New > News Server > 127.0.0.1
News Groups and Subjects > On-topic groups; use Esub for a.a.m
Check the box "Download All"

Start QS > Tools > News Accounts > Proxy >

Proxy Server: 127.0.0.1
Proxy Port: No Port
Socks Level: 5

Tor Hidden Services: SMTP, M2N, HTTP Stats & NNTP

Panta offers Hidden Services for HTTP Stats Updates, remailing via SMTP and M2N, and downloading on-topic security and anonymity NNTP NG messages.

You can access Panta's Hidden Services website via this URL: http://rjgcfnw4sd2jaqfu.onion/ .

Remailing with SMTP and M2N, downloading NNTP NG messages and downloading HTTP Stats Updates via Hidden Services prevents an adversary from knowing you use these protocols. I am not sure if this is more secure than using TLS but it seems more anonymous to me.

Another advantage of using Hidden Services is that they resist DDoS and DoS attacks, as does the MixMaster network to a certain extent.

At the time of writing (05-18-05) only Tor 0.1.x.x (test versions) are capable of routing SMTP, M2N, HTTP Stats and NNTP traffic via Hidden Services. I have been unable to use Tor 0.0.9.x.x for SMTP, M2N, HTTP Stats Updates and NNTP NG downloads via Hidden Services.

The 0.1.x.x test versions of Tor provide better Dir Support, Hidden Services support, etc. I am currently using the latest test release 0.1.0.7-rc, as this release provides the best Hidden Services support and fixes some bugs in prior 0.1.x.x test releases.

Note: Occasionally when using Panta's Hidden Services for Updating Statistics, remailing with SMTP and M2N or downloading NNTP NG messages, QS times out or you may receive an error message; this is most likely due to a Tor node issue.

In this case wait 2 minutes, then retry sending your SMTP or M2N, or downloading HTTP Stats and NG messages. After every 60 seconds or so of inactivity Tor creates a new Onion Route, which should allow you access to the Hidden Services.

If after this you still can't gain access to the Hidden Services, shut down and restart Tor, then QS & QSNews, and try again.

QS Hidden Services HTTP Remailer Statistics & Keyring Updates

You can configure QS to access remailer Stats Pages via Panta's Hidden Services. These Stats Pages are accessed via QS > Tor > Hidden Services > Stats Page. If you use QS, Tor and Panta's Hidden Services to Update Stats your connection will be totally anonymous. An adversary would have no idea you are accessing the Stats Page or that you use Mixmaster or the remailing network.

Start QS > Tools > Remailers > Proxy:

Proxy Host: 127.0.0.1
Port: 9050
Socks Level: 4a 

Copy and paste the following URLs into the appropriate Stats URL Pages in the QS URL Manager. Then, double click on the new Panta Hidden Services Stats URLs in each Stats Page to bring the new Panta URLs to the top of each list:

Start QS > Tools > Remailers > URL Manager:

Mix List: http://rjgcfnw4sd2jaqfu.onion/stats/stats/mlist.txt
Mix Keys: http://rjgcfnw4sd2jaqfu.onion/stats/pubring.mix
Mix Type II: http://rjgcfnw4sd2jaqfu.onion/stats/type2.list 
Cpunk List: http://rjgcfnw4sd2jaqfu.onion/stats/stats/rlist.txt
Cpunk Keys: http://rjgcfnw4sd2jaqfu.onion/stats/allkeys.txt

After you click "OK" QS will bring up the "Statistics & Keyrings" window. Ensure Panta's URLs you just entered are in the appropriate text bars (e.g. mlist.txt, rlist.txt, etc).

In the "Statistics & Keyrings" window check the following boxes:

mlist.txt [http://rjgcfnw4sd2jaqfu.onion/stats/stats/mlist.txt]

rlist.txt [http://rjgcfnw4sd2jaqfu.onion/stats/stats/rlist.txt]

Error Check (this disables Type2.list) 

The Type2.list box should be unavailable; Type2.list isn't necessary with QS. Richard created Type1.list to better serve QS's preferred use of Type II MixMaster remailers; Type1.list is a bit easier to read and allows QS to seamlessly use MixMaster remailers.

The boxes "Pubring.txt" and "Pubring.asc" don't need to be checked, as QS automatically updates these with the first Stats Update each day.

Note: I have noticed when I Update Stats via Panta's Hidden Services there is a considerable difference in the rlist and mlist Stats vs. Banana's TLS echolot Stats Pages.

For example, there are more remailer and config keys when Updating CypherPunk (Type I; rlist.txt) Stats via Panta's Hidden Services than when Updating CypherPunk Stats via Banana's TLS echolot Stats Pages.

Also, when Updating MixMaster (Type II; mlist.txt) Stats via Panta's Hidden Services the "Broken type-I remailer chains:" and "Broken type-II remailer chains:" sections are missing. Only the "Last update: mixmaster history latency uptime" section is available.

QS New Message Window Hidden Services Settings

This section details the configuration of QS so you can send SMTP and M2N and download on-topic NNTP NG messages through Tor Hidden Services.

QS New Message Header Proxy Settings

When you are in the window where you encrypt your message and create the message headers there is a "use Proxy" box in the upper right; enable it.

Start QS > header create/message send window > check the "use Proxy" box >

Proxy: 127.0.0.1
Port: 9050
Socks Level: 4a
Check the "use Tor" box

QS New Message SMTP Hidden Services Template

This template will route SMTP traffic through Panta's Hidden Services, then on to your recipient.

Copy and paste this into the headers section of the send mail window:

Host: rjgcfnw4sd2jaqfu.onion
From: foo@bar.com <your nym here@your.nym.server.here>
From: your nym here
Chain: panta,*,*,italy; copies=6
To: 
Subject: 

You need to hard code Panta as the first remailer in your chain if you're going to use the Panta Hidden Services.

Note: I have noticed when sending SMTP via Panta's Hidden Services my recipients receive 2 or more duplicate messages. I'm not sure why this happens; you may want to lower your "copies=" parameter from "copies=6" to "copies=3".

QS New Message SMTP M2N Hidden Services Template

This template will route traffic to Usenet (NNTP) via the route described above, then on through Panta's M2N gateways.

Copy and paste this into the headers section of the send mail window:

Host: rjgcfnw4sd2jaqfu.onion
From: foo@bar.com <your nym here@your.nym.server.here>
From: your nym here
Chain: panta,*,*,italy; copies=6
To: mail2news-hashcash@panta-rhei.dyndns.org, mail2news-hashcash_nospam@panta-rhei.dyndns.org, mail2news@anon.lcs.mit.edu
X-Hashcash: You need Panta's HashCash Token to post via. M2N.
X-No-Archive: Yes
Newsgroups:
References:
Subject: 

Note: Make sure to un-wrap the header "To: mail2news-hashcash@panta..., mail2news-hashcash_nospam@panta, mail2news@anon...".

You need to hard code Panta as the first remailer in your chain if you're going to use the Panta Hidden Services.

You need to add a Panta HashCash Token to use Panta M2N; get HashCash here: http://www.panta-rhei.dyndns.org/downloads/

Configure Tor

Upgrade to current test release (at present 0.1.0.7-rc); default setup.

Note: If you don't plan on using Tor Hidden Services for SMTP, M2N, HTTP Stats Updates or NNTP NG downloads you can use the latest stable Tor release. If you want to use Hidden Services you should upgrade to Tor 0.1.0.7-rc (current test release as of 05-18-05); this test release gives QS the best access to Hidden Services.

Downloading Hidden Services NNTP NG Messages

You can also set up QS to download on-topic NNTP NG messages from Panta's Hidden Services NNTP portal, rjgcfnw4sd2jaqfu.onion, via QS > Tor > Hidden Services > NNTP NGs.

All the settings that are required you have already configured; all you need to do is configure the QSNews Plugin (NNTP Account Manager).

QSNews NNTP Account Manager Setup

Start QS > Tools > News Accounts >

New > News Server > rjgcfnw4sd2jaqfu.onion
News Groups and Subjects > On-topic groups; use Esub for a.a.m
Check the box "Download All"

Start QS > Tools > News Accounts > Proxy >

Proxy Server: 127.0.0.1
Proxy Port: 9050
Socks Level: 4a 

Hidden Services End Notes

  1. Banana also offers SMTP, M2N and NNTP via Tor Hidden Services. Zax's Hidden Services are down right now but he's getting them up soon.

As far as I understand you can post and download through Banana's Hidden Services SMTP, M2N and NNTP portals.

  1. Don't have Stunnel running in the system tray when you're using Hidden Services and QS; this causes QS to lock and give me an "unable to wipe" error message, requiring a hard restart of QS.

Onion Routing and Hidden Services Security & Anonymity Issues

Multiple Calls

At the present time Tor *does not* support multiple calls on different Onion Routes.

This is an anonymity issue because making multiple calls on the same Onion Route exposes you more to traffic analysis via metadata.

You should try to avoid making multiple calls when using Tor and remailing, to limit the metadata you transmit.

The old Zero-knowledge Freedom Network was capable of supporting multiple calls on different proxy chain routes. The old Freedom network did not use Onion Routing and did not support SMTP, M2N, NNTP, etc.

Example A:

If you are downloading NNTP NG messages from Panta's Hidden Services and at the same time you're reading alt.privacy.anon-server via HTTP/S, both of these protocols will use the same Onion Route.

Example B:

If you are surfing (HTTP/S) with your browser's "multi-tab" function, both tabs' HTTP/S calls will use the same Onion Route.

Tor Rendezvous Node

The rendezvous node of the Tor network is where you and the Panta or Banana Hidden Services meet; I believe the rendezvous node should be verified, as by default it is unverified.

It is possible this tweak may decrease the overall anonymity of the Tor network. I don't think that by forcing Tor to use verified rendezvous nodes its anonymity will weaken, as this tweak only slightly decreases the selection and number of nodes.

It may be wise to *not* apply this tweak at this time. I am not an expert on Tor or Onion Routing so I can't say if this tweak should positively be applied or not.

I would like an expert's opinion on this matter, please and thank you.

Rendezvous node tweak:

  1. Open the torrc file
  2. find the section "client options"
  3. find the line labeled "AllowUnverifiedNodes middle,rendezvous"
  4. delete the ",rendezvous" part
  5. save the file and close it
  6. restart Tor

Now the rendezvous node must have its PGP sig and Tor fingerprint, with a valid email, on file with the Tor network (DirPort).

EHLO Answer

There is a *large* anonymity hole in the use of remailers and Tor Hidden Services. When you use SMTP and M2N over Tor's Hidden Services your real Host and IP can be leaked via the EHLO answer to the Tor Introduction Points server, OR, or Rendezvous Point node.

QS spoofs the EHLO answer (as does JBN2 Panta mod) so your Host and IP are secure.

Everyday Use

You're done! Now to use the monster you created...

Tor and TLS Stats Page

  1. Start QS
  1. Start Tor
  1. Start SocksCap
  1. Start Stunnel via. SocksCap
  1. Select Banana's TLS echolot Stats Page URLs in QS URL Manager
  1. QS > Tools > Remailers > Update

Tor, TLS, SMTP and M2N

  1. Start QS
  1. Start Tor
  1. Start SocksCap
  1. Start Stunnel via SocksCap
  1. Use either template for TLS SMTP or M2N

Tor, TLS and NNTPS NG Downloads

  1. Start QS
  1. Start Tor
  1. Start SocksCap
  1. Start Stunnel via SocksCap
  1. Start QS News Plugin
  1. Select News Account for "127.0.0.1"
  1. Start downloading messages

Tor Hidden Services Stats Page

  1. Start QS
  1. Start Tor
  1. Select Panta's Hidden Services Stats Page URLs in QS URL Manager
  1. QS > Tools > Remailers > Update

Tor Hidden Services SMTP and M2N

  1. Start QS
  1. Start Tor
  1. Use either template for Hidden Service SMTP or M2N

Tor Hidden Services NNTP NG Downloads

  1. Start QS
  1. Start Tor
  1. Start QS News Plugin
  1. Select News Account for "rjgcfnw4sd2jaqfu.onion"
  1. Start downloading messages

Further Reading

Panta Hidden Services info & JBN/Tor:

http://www.panta-rhei.dyndns.org/pantawiki/HowToJbnAndTor

Panta's website:

http://www.panta-rhei.dyndns.org/

Panta's Hidden Services website:

http://rjgcfnw4sd2jaqfu.onion/

Banana's website:

http://www.bananasplit.info/

Banana's TLS/SSL SMTP webpage:

http://www.bananasplit.info/mailtls.html

Banana's Stunnel How-To webpage:

http://www.bananasplit.info/stunnel.html

TLS@noreply:

http://www.noreply.org/tls/

QS website:

http://www.quicksilvermail.net/

In A Perfect World…

...SocksCap speaks Socks4a, and both Panta and Banana offer NNTPS and SMTP/M2N (TLS) via Tor Hidden Services on ports 563 & 2525 (or other ports).

This way we could route our SMTP/M2N (TLS) and NNTPS traffic through QS > Stunnel > Tor > Hidden Services > SMTP/M2N (TLS) and NNTPS.

Thus, we would have an encrypted Ephemeral TLS route through Tor Hidden Services without an adversary knowing we're using anything but Tor and the Onion Route network 2.

I don't know if this is possible as Hidden Services may not allow a Stunnel (TLS) forward:

#[PANTA_TLS_SMTP_HIDDEN_SERVICES]
#accept = 2525
#connect = rjgcfnw4sd2jaqfu.onion:2525
#delay = no

Or something of that nature...

Credits

Contributing Authors

  • HereHere
  • Steve Crook
  • PeterPalfrader

Thanks and Respect

Thanks to all those past and present who have taught, created, tested and used open-source privacy related software.

Without your help and time none of this would be possible...

alt.privacy.anon-server

  • Remops
  • Regulars

Programmers and Code Writers

  • QuickSilver (Thanks Richard)
  • JBN2 Panta Mod (Thanks Panta)
  • Reliable Panta Mod (Thanks Panta)
  • MixMaster (Thanks IIRC Disastry)
  • CypherPunk (Thanks RProcess)
  • PGP (Thanks Phillip and Imad)
  • Tor & Onion Route 2 (Thanks Nick, Adam, EFF.org, et alia)
  • Stunnel
  • Echolot (Thanks PeterPalfrader)