[messaging] Tor Hidden Services in (Cables, SMTorP, Pond)

Bjarni Runar Einarsson bre at pagekite.net
Sun Jun 15 13:07:11 PDT 2014


Hey Trevor, everyone,

Thanks for taking a look at SMTorP!

The points you raised in your previous mail are quite valid - real-time
p2p communication has very different properties from store-and-forward
based systems and is vulnerable to different classes of attacks and
different types of abuse.

For some users, real-time direct delivery of messages may leak too much
information. It may also be too unreliable, if schedules don't match and
people aren't online at the same time often enough for the message
exchange to actually take place.

However, for many the opposite is true. If you are not concerned with
anonymity and are more or less always online, then the fact that your
Tor hidden service is reachable leaks no information and you reap quite
measurable benefits from being able to cut out all the middle-men who
might listen in, mis-classify as spam, arbitrarily delay or otherwise
interfere with your mail. Today sending e-mail is like a lottery with
very good odds - usually you win, and usually the message is delivered. But
not always, and when you lose there is no feedback at all. Mail just
disappears, thanks to spam filters everywhere. If we can address that
problem and improve security at the same time, then we've improved
e-mail quite significantly.

I think the fact that we are using Tor and Tor hidden services for this
sometimes confuses people, as it leads to the assumption that anonymity
must be one of our primary goals. But that is not actually the case.
SMTorP is primarily focused on decentralization and establishing secure
and private channels over which users exchange normal, non-anonymous,
e-mail. Just like with regular e-mail, if used carefully, anonymity may
be achieved, but that isn't our main goal here.

I am quite excited about SMTorP, because although it is not perfect, it
is very easy to implement and deploy and it can be configured for both
scenarios - p2p or store-and-forward. So if you need anonymity or high
availability, you use a shared relay or even a sequence of relays. If
you want to be sure that you are communicating directly without any
middle-man, you run the hidden service yourself.

My greatest concern about the p2p mode of SMTorP is actually the classic
sysadmin concern that an exposed service is more vulnerable to direct
attacks - if you run a Tor hidden service then people can connect to
that and try to break it. Who needs timing attacks, if they can just
'sploit your Mailpile's built-in SMTP server and read all your mail?
But hey, fixing that is a mere matter of programming, right? ;-)

Cheers!
 - Bjarni

