Next: ``Rubber-Hose cryptanalysis''
Up: Limitations and threats
Previous: Denial of service attacks
Although Publius was designed as a tool for anonymous
publishing there are several ways in which the identity
of the publisher could be revealed.
Obviously if the publisher leaves any sort of identifying
information in the published file he
is no longer anonymous. Publius does not
anonymize all hyperlinks in a published HTML file. Therefore if
a published HTML page contains hyperlinks back to the publisher's
Web server then the publisher's anonymity could be in jeopardy.
Publius by itself does not provide any sort of connection
based anonymity. This means that an adversary eavesdropping
on the network segment between the publisher and the Publius
servers could determine the publisher's identity. If a server
hosting Publius Content keeps a log of all incoming network connections
then an adversary can simply examine the log to determine
the publisher's IP address. To protect a publisher from
these sort of attacks a connection based anonymity tool such
as Crowds should be used in conjunction with Publius.
Avi Rubin
2000-06-13