Editing Anonymous remailer (section)

==Untraceable remailers==
If users accept the loss of two-way interaction, identity anonymity can be made more secure.

By not keeping any list of users and corresponding anonymizing labels for them, a remailer can ensure that any message that has been forwarded leaves no internal information behind that can later be used to break identity confidentiality. However, while being handled, messages remain vulnerable within the server (e.g., to [[Trojan horse (computing)|Trojan]] software in a compromised server, to a compromised server operator, or to mis-administration of the server), and [[traffic analysis]] comparison of traffic into and out of such a server can suggest quite a lot—far more than almost any would credit.

The [[Mixmaster anonymous remailer|Mixmaster]] strategy is designed to defeat such attacks, or at least to increase their cost (i.e., to 'attackers') beyond feasibility. If every message is passed through several servers (ideally in different legal and political jurisdictions), then attacks based on legal systems become considerably more difficult, if only because of '[[Carl von Clausewitz#Principal ideas|Clausewitz]]ian' friction among lawyers, courts, different statutes, organizational rivalries, legal systems, etc. And, since many different servers and server operators are involved, subversion of any (i.e., of either system or operator) becomes less effective also since no one (most likely) will be able to subvert the entire chain of remailers.

[[Random]] [[padding (cryptography)|padding]] of messages, random delays before forwarding, and encryption of forwarding information between forwarding remailers, increases the degree of difficulty for attackers still further as message size and timing can be largely eliminated as traffic analysis clues, and lack of easily readable forwarding information renders ineffective simple automated traffic analysis algorithms.