Check out the new USENIX Web site. next up previous
Next: ``Rubber-Hose cryptanalysis'' Up: Limitations and threats Previous: Denial of service attacks

Threats to publisher anonymity

Although Publius was designed as a tool for anonymous publishing there are several ways in which the identity of the publisher could be revealed. Obviously if the publisher leaves any sort of identifying information in the published file he is no longer anonymous. Publius does not anonymize all hyperlinks in a published HTML file. Therefore if a published HTML page contains hyperlinks back to the publisher's Web server then the publisher's anonymity could be in jeopardy. Publius by itself does not provide any sort of connection based anonymity. This means that an adversary eavesdropping on the network segment between the publisher and the Publius servers could determine the publisher's identity. If a server hosting Publius Content keeps a log of all incoming network connections then an adversary can simply examine the log to determine the publisher's IP address. To protect a publisher from these sort of attacks a connection based anonymity tool such as Crowds should be used in conjunction with Publius.

Avi Rubin
2000-06-13