ietf-asrg

Re: [Asrg] New proposal for spam blocking: Greylisting

2003-06-21 09:05:37
Vernon Schryver <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com> wrote ..
From: Elric Pedder <elric(_at_)novitraq(_dot_)com>

...
If only a hash of the triplet were stored, would this solve
the privacy issue?

No.  Consider a "dictionary attack."  If you have a copy of the database
and want to know if Steve Case sent Bill Gates a message, you hash
those two addresses with a likely IP address and see if you can get
a hit in the database.  If you do not know the exact IP address, you
can guess it is one of a few thousand (or at most a billion) and make
the corresponding few thousand (or billion) probes of your copy of
the database.  Like a dictionary attack on /etc/passwd, this attack
may not be quick, but it is effective.

I agree with Vernon's comments.  Hashing the triplets would not "solve" the 
privacy problem, for the reasons Vernon explains.  But I do think it could 
"reduce" the privacy problems, because a dictionary-like attack would be less 
effective if you do not have any idea about who has sent e-mail to the person 
whose greylist you are attacking.  It would also make the greylist better 
protected from a more casual attack -- for example, a colleague or family 
member sneaking a quick peek at someone's greylist.

But, hashing the triplets would certainly not make all of the privacy problems
disappear.  Indeed, even if one could come up with a hash that was resistant to
the kind of attack Vernon details, the other information in the database could
reveal important personal information even without knowing who sent an e-mail.
For example, if you are trying to investigate whether person X made an initial
contact with person Y during a given period of time, Y's hashed greylist could
establish that someone contacted Y for the first time at a specific time (which
could be valuable even if you cannot determine whether the someone was X).

John
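
The two points in this message, as an added example that is not part of the original post or of any greylisting implementation: an unkeyed hash of the triplet lets anyone holding a copy of the database confirm a guessed triplet, a keyed hash does not unless the key leaks too, and the first-seen timestamp stays readable either way. SHA-256, HMAC, the function names, the addresses and the timestamp are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def triplet_bytes(ip, sender, rcpt):
    # NUL separators keep the three field boundaries unambiguous.
    return f"{ip}\0{sender}\0{rcpt}".encode()

def plain_hash(ip, sender, rcpt):
    """Unkeyed hash of the triplet, the scheme asked about in the thread."""
    return hashlib.sha256(triplet_bytes(ip, sender, rcpt)).hexdigest()

def keyed_hash(secret, ip, sender, rcpt):
    """HMAC of the triplet; the secret is assumed to be stored outside the database."""
    return hmac.new(secret, triplet_bytes(ip, sender, rcpt), hashlib.sha256).hexdigest()

def confirmable_ips(db, hasher, sender, rcpt, candidate_ips):
    """Return the candidate IPs whose hashed triplet is present in a database copy."""
    return [ip for ip in candidate_ips if hasher(ip, sender, rcpt) in db]

def first_contact_times(db):
    """Timestamps are stored in the clear, whatever protects the triplet."""
    return sorted(db.values())

# Constructed sample data (documentation address range and example domains).
SECRET = b"constructed-demo-secret"
SENDER, RCPT, REAL_IP = "alice@example.org", "bob@example.net", "192.0.2.17"
CANDIDATE_IPS = [f"192.0.2.{i}" for i in range(1, 255)]
FIRST_SEEN = "2003-06-20T14:02:11Z"

# Each database maps hashed triplet -> time the triplet was first seen.
PLAIN_DB = {plain_hash(REAL_IP, SENDER, RCPT): FIRST_SEEN}
KEYED_DB = {keyed_hash(SECRET, REAL_IP, SENDER, RCPT): FIRST_SEEN}

if __name__ == "__main__":
    print("plain hash, guess confirmed for:",
          confirmable_ips(PLAIN_DB, plain_hash, SENDER, RCPT, CANDIDATE_IPS))
    print("keyed hash, guess confirmed for:",
          confirmable_ips(KEYED_DB, plain_hash, SENDER, RCPT, CANDIDATE_IPS))
    print("first-contact times still visible:", first_contact_times(KEYED_DB))
```

The keyed variant only helps while the secret is not stored with, or copied alongside, the database.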