I2P-Bote Manual
1. Introduction
I2P-Bote
is an easy-to-use, highly anonymous secure e-mail application for
I2P. It is a serverless, fully decentralized system that
establishes/forms a peer-to-peer network built on top of
state-of-the-art low latency anonymizing network I2P; adding to it an
optional mixminion-like high-latency transport and thus avoiding the
shortcomings of low-latency networks.
Therefore, I2P-Bote makes full use of the anonymity provided by I2P, plus it generates its own anonymity by adding another anonymizing layer (overlay network).
This concept of layered anonymity is what makes I2P-Bote so flexible:
You can configure it to be extremely anonymous and slow or less anonymous but faster/more efficient. In any event, I2P-Bote always provides a very good anonymity for both, sender and receiver, as well as end-to-end encryption*.
I2P-Bote offers the option to make your communications even more anonymous, by enabling the high-latency mail routes – at cost of performance, however. Users that want their anonymous e-mails to arrive as quickly as possible, will want to disable the mail routes and use 'direct' sending through I2P. It is guaranteed that you will never be less anonymous than the anonymity provided by standard I2P connections.
In order to achieve high usability, we have enabled it to be used with standard mail clients such as Thunderbird, Evolution or Kmail, without having to worry about what extra information these applications send in their headers. [YET TO BE IMPLEMENTED] Furthermore there is a web interface that lets you send and read e-mails or manage your settings and identities.
I2P-Bote is easy to use: If you're not yet using I2P, just install I2P from http://www.i2p2.de and then install the I2P-Bote plugin as described in this manual. Otherwise simply read on!**
Current
version is 0.2.5.
*Unless you send e-mails to or receive them from the regular internet, ALL emails – the mail body, attachments and the header except recipient's address (subject, date, time, sender address, ...) are automatically and transparently end-to-end encrypted. The recipient's address is only visible for the mail route's last node that stores the packets into the kad network, and the respective storing nodes, but they cannot read the mail's content nor who sent it nor who will fetch it.
**Of course you can also compile from source.
2. Howto
2.1. Installation
In order to install I2P-Bote, go to the bottom of the I2P Client Configuration page at
http://localhost:7657/configclients.jsp
and enter:
http://tjgidoycrw6s3guetge3kvrvynppqjmvqsosmtbmgqasa6vmsf6a.b32.i2p/i2pbote.xpi2p
( http://i2pbote.i2p/i2pbote.xpi2p might work, too, if you have i2pbote.i2p in your address book or a subscription )
in the “Plugin Installation Download Url” line, then hit “Install Plugin”. Wait until your sidebar says plugin installed and started.
In order to update your I2P-Bote instance, click 'Update' under I2P-Bote on the I2P Client Configuration page at http://localhost:7657/configclients.jsp
2.2. Using I2P-Bote
On your
router console http://127.0.0.1:7657/
click on SecureMail on the upper left (in the sidebar). Now you are
on I2P-Bote's web interface.
After starting I2P-Bote (by default it is set to start automatically when your I2P router starts up) it takes a bit more than three minutes for everything to be up and running.
So have a look at 'Network Status' on the left. It should state 'Connected'.
If you want to use I2P-Bote for yourself, you first need to create an identity.
2.2.1 Creating an Identity
Click on
'Identities' on the left, then hit the “New Identity” button.
Enter at least a 'Public Name' and hit 'Create'. That's all that's needed to create an identity.
The public name is the name you see for this identity (useful in case you have different identities for different sets of users you communicate with or different purposes) and it will be sent as “sender's name” to the mail's recipient. There is no need for Public Name to be unique.
(As you can choose any name here – anyone could call himself HungryHobo there – it is not suited to be used by the recipient for telling if two mails come from the same sender. This is why the name saved in the local addressbook (there can only by one name per destination key) is displayed, if there is any, and you will see a green mark in the “Know” column, stating it is the locally known name. If there is no entry for a destination in local addressbook, the name specified by the sender will be displayed with a prefixed [UNK] in the mail clients). [POP3 NOT YET IMPLEMENTED]
You can
also fill out the other fields, if you like:
Description – this field is kept locally. It's just for your convenience: If you want to add some additional information for yourself about that identity, you can enter it here.
Email
Address – this field is not used yet.
Choose
from one of the given encryption algorithms. If in doubt, stick to
the defaults.
You click
on the name of one of your identities and copy the long key displayed
under 'Email Destination'. This is your I2P-Bote e-mail address. If
you want anybody to be able to send you a bote mail, he need to be
given this long key.
Now you
can send and receive I2P-Bote mails.
But you should also have a look at your I2P-Bote settings and see if they fit your needs.
(You can also create various identities and assign different settings to each of them.)
2.2.2
Sending and Receiving E-Mails
You need to have the I2P-Bote e-mail destination key of the user you to whom you want to send a bote mail.
In order to send a message, click on 'New', choose your own sender identity or 'Anonymous' under “From” and enter the recipient's e-mail destination key or alternatively an address in the “To:” line.
Alternatively, you can hit the “Addr. Book” button right under this very line, in order to chose from e-mail dests stored locally in your address book: Mark the user(s) to which you want your mail to be sent and hit the “Add Recipients” button.)
You can add several recipients and change the 'To:' to 'CC:' or 'BCC:'.
The “+” button adds additional recipient lines.
Now write your bote mail and hit 'Send' for sending it, or 'Save' in order to store it as a draft into your 'drafts' folder or any user-defined folder. [not yet implemented]
Hitting “Send” will place your e-mail into the Outbox folder and you can go on using I2P-Bote, e.g. writing another e-mail, or simply do other things. I2P-Bote is now sending your e-mail. Once it is sent, it's automatically removed from Outbox and stored into your Sent folder. This means, your mail is entirely on the way to its destination (unless you have set a delay time, which is disabled by default).
In
I2P-Bote e-mails are automatically signed (unless send without any
sender identity).
You can
also send e-mails without specifying any sender
identity/destination/address, just select “Anonymous” in the
scroll-down menu “From:”.
In the
default settings I2P-Bote will automatically check for new mails, and
all you need to do in order to see if you got e-mails is look into
your Inbox (link 'Inbox' on the left).
You can
force a manual check by clicking the 'Check Mail' button. This is a
global checking, that tries to fetch new mails for all of your
identities, except for those you have excluded from global checking.
[not yet implemented]
The
number of unread e-mails is shown in parenthesis next to the folder's
name in the sidebar.
Click on “Inbox” to have a list of received e-mails displayed. You will see two columns with x's or green checks. Those show you if a mail contains a valid signature and is thus authentic (Sig) and if the sender's e-mail destination key is locally known, i.e. in your addressbook (Know). Hence, two green checks next to a mail entry mean that you already know that e-mail identity and that the mail is signed by that identity.
If you have a certain name in your address book and you get a mail from an identity with that name, yet Know is not displaying a green check, then it is a different destination that sent and signed this mail; he simply has chosen the same name you have chosen for one of your contacts.
Is there a green check mark for “Sig”, then the mail is correctly signed by the sender and you may add it to your addressbook under a different name, which now will be displayed as the sender.
Of course, a mail without sender destination (“Anonymous” is displayed as sender) will have two x's.
Clicking one of the e-mails displayed in your inbox will open the mail.
The same applies to all other folders.
(Due to
the distributed nature of I2P-Bote, sending as well as checking for
and retrieving e-mails takes a few minutes. With mail routes
activated respectively more. But you need not keep the browser open
for that, simply leave I2P-Bote running as a background process –
this is also benefits your anonymity)
2.2.3
Local Address Book
If you
have the I2P-Bote e-mail key from somebody you want to write to more
frequently, it is handy to store that key locally into your address
book (link on the left), specify a name of your own choosing for this
contact and paste his mail destination in the corresponding line,
then save.
You should normally save destinations to your addressbook, so that next time you get a mail from the same sender it will be shown to be from the same, locally known sender (“Loc” is checked) and a mail sent by someone else who is just using the same user name will be marked as NOT known locally (an x in web-UI's 'Know' column or [UNK] before the sender address in POP3), so you know it's a new/different one.
2.2.4
Settings (and what they mean)
Under
settings you can choose the I2P-Bote interface's language
(currently English or German) and decide whether even with a
non-English language setting everything that will be automatically
added to an e-mail when replying will nonetheless stay in English, so
that the recipient does not know your I2P-Bote is set to a different
language.
Otherwise the recipient could guess about your
nationality which would decrease your anonymity.
Here you can also adjust the interval for automatic checking of e-mails and decide whether or not to send any time stamp with your mails, indicating date and time when the mail was sent. The time stamps are always in UTC.
(When using mail routes, the timestamps are automatically disabled.) [not yet implemented]
automatic checking for e-mails:
For more comfort there is the “Check for mail every XX minutes“ option.
Here you can specify how often your I2P-Bote app should try to fetch unread mails for your identities. This can be set on a per-identity basis [not yet implemented]
If you specify a random offset, then it will not check _exactly_ every XX minutes, but rather every (XX+-offset*XX)minutes, i.e. after a randomly chosen time between (1-offset)XX minutes and (1+offset)XX minutes. [not yet implemented]
You can also totally disable the automatic checking for a given identity.
(If you are not sure about these settings, the defaults should be ok for you.)
Mail
routes are chains of I2P-Bote nodes acting as relays/routers for
other peers and obeying to per-hop delays, thus providing the
high-latency transport for increased anonymity.
You can specify the number of nodes (here called hops) that should be chained to form a mail route. Then each of the e-mail packets sent by the identity that has mail routes enabled will go through a mail route of n hops before being stored. You can set a delay for each hop individually, as no hop should know the time a packet will wait at the next hop, making the timing unpredictable. [individual per-hop and per-identity setting of delays not yet implemented]
As delay you can specify a time frame (e.g. 60-600 minutes) – then a random wait time between the two values will be chosen for the packet at that hop – or a fix time, then the packet will be forwarded at that fix time, e. g. noon UTC, no matter when it arrived. [fix time not yet implemented]
(When using mail routes, the timestamps are automatically disabled. [not yet implemented])
Under
“mÃnimo en el bote” (minimum threshold number of relay packets that
will be sent) you can specify a threshold. As your node can only act
reliably as a mix, if there are enough foreign packets to mix and to
blend own packets with, it will accumulate messages who's delay time
is over until reaching this lower limit. Only when it is surpassed,
your node starts sending them out in random order. [Not
yet implemented]
exclude identity from global checking [Not yet implemented]
If you enable this option for one of your identities, then this one will not be affected by the global manual checking for mails nor by any global automatic mail checking.
2.2.5 E-mails to and from the Internet [NOT YET FULLY IMPLEMENTED!]
In order
to be able to send bote mails to the internet and to receive e-mails
from the internet with your I2P-Bote application, you must first
register with an appropriate mail gateway. Currently there is only
one: postman.
1) First, go to:
http://hq.postman.i2p/?page_id=16 and
register an account. If you already have an account or if you have
just created one as described, proceed with #2.
2) For an
existing account you can add your I2P-Bote mail destination, so that
e-mails coming from the internet are forwarded to your I2P-Bote app.
To do so go to: http://hq.postman.i2p/?page_id=74
and provide the requested information.
Now all e-mails sent to that address (name@i2pmail.org from the outer internet or name@mail.i2p for mails from other postman subscribers) will be forwarded via the I2P-Bote network to your I2P-Bote app.
(N.B. When using the name@mail.i2p or name@i2pmail.org addresses instead of the long addresses, e-mails are no longer end-to-end encrypted. Therefore, it is recommended to exchange the I2P-Bote mail destination keys for communicating within the network. Postman has offered high quality services in I2P for quite a while already, but be aware that it's a centralized point that might go offline one day, or worse be taken over by an evildoer that will manipulate mails. As for network-internal e-mail communication, I2P-Bote makes sure that if you use the address keys, nobody can tamper with the mails you send or receive.)
If you
want not only to receive e-mails from the internet, but also enable
sending e-mails from I2P-Bote to the internet, you must provide your
I2P-Bote client with the gateway's mail destination key, so that your
I2P-Bote knows where to send those mails to.
You can
do this under “settings”. This
gateway will allow I2P-Bote users to communicate with the standard
e-mail users on the internet as well as with users of postman's
classical i2pmail service (@mail.i2p).
In order
to fight abuse, there will be a limitation of the number of e-mails
you can send out to the internet; just like for normal postman mail
service users: If an I2P-Bote user exceeds the quota with outgoing
e-mails, the additional e-mails will be sent back as bounce.
3. Considerations about Anonymity
Don't
send identifying information about you (name, address, geographic
location, time zone, age, websites you have just visited or blogged
about, user names, ip numbers, I2P router id, I2P-Bote id, social
security number, credit card number, …, copies of your passport,
driver's license, home rental contract, photos – nude or with
clothes –, documents that contain your username in author's
settings, and many many more)!
If
possible,
leave I2P-Bote running 24/7,
use mailroutes with randomized per-hop delays and/or per-hop fixed send times, [not yet fully implemented]
use a long check interval,
use a long local delay for own packets,
use a big check interval randomization. [not yet implemented]
You can
suppress the sending of date and time in the e-mails' header.
When you reply to an e-mail, certain markers, such as “Re: [subject of the mail you're replying to]” or “[username] wrote:”. Those are different for the languages you can chose from in your language settings. However, if you don't want the recipient to know what language you have set, you can suppress translation of these markers, so that they will be in English, no matter what you language setting is. In order to do so, mark “Use English for text added to outgoing email ('Re:', 'wrote:', etc.) “
Be
careful with the contents you send! Don't include personal
information or information that only you can possess. Don't write I'm
going to bed now, it's late when including time stamps.
The
language in which your write your e-mails, your style and
formulations can also be of interest for an attacker.
I2P-Bote
also offers the possibility to use different e-mail
identities.
Suppose one of you contacts learns about your
identity, as you forgot to erase identifying information in a secret
document you have sent to him. Now if this e-mail's recipient was to
collaborate with others you are in contact with, he could tell them
the real world identity belonging to the Bote address he knows from
you. Thusly, if you communicate with those others using the same Bote
address, they will know who you are.
Not so, if you used a
different address for sending mails to them.
4.
Technical Concept
I2P-Bote
is an end-to-end encrypted, network-internal, fully decentralized
(i.e. serverless) e-mail system. It supports different identities and
does not expose e-mail headers. Currently, it is still alpha software
and can only by accessed via web console. It soon will have POP3
support, and it is planned to guarantee additional anonymity by
providing a high-latency transport option. All bote-mails are
automatically end-to-end encrypted, so that there's no need to set up
extra e-mail encryption (though you can do that), and bote-mails will
be authenticated automatically. As it is decentralized, there is no
e-mail server that could link different e-mail identities as
communicating with each other (profiling): Even the nodes
relaying the mails will not know the sender and apart from sender and
receiver, only the end of the high-latency mail tunnel and the
storing nodes will know to whom (anonymous identity) the mail is
destined. The original sender can have gone offline, long before the
mail becomes available on the other side. This adds on the degree of
anonymity that can be reached with I2P-Bote. For those who do not
want high delays: All these settings are be user-adjustable, so each
user decides on how much anonymity he wants.
All nodes are created equal: There are no "supernodes" or designated relay/storage nodes. Everybody acts as a potential relay and storage node. The maximum amount of disk space used for relayed/stored email packets can be configured by the user.
Before an email is sent to a relay, it is broken up into packets and encrypted with the recipient's public key. These packets are stored redundantly in a distributed hash table (DHT).
They are kept for at least 100 days, during which the recipient can download them.
Relay packets also expire after 100 days or more.
If a node runs out of email storage space, and there are no old packets that can be deleted, the node refuses storage requests.
Furthermore, I2P-Bote sanitizes the mail headers and does not allow any unneeded information to be transmitted, thus allowing the use of e-mail clients without prior checks of what this client sends in the mail headers. [POP3 not yet implemented]
All the encryption, path choosing and profiling is done locally so that there is no trusted party involved.
Using I2P-Bote appropriately, that means keeping in mind the considerations given above and showing some common sense, nobody will be able to find out who or where you are. And if you are already being observed and your internet connection sniffed, the observer will not be able to find out what you send or receive or to whom you are sending to or receiving from or where your contacts are located.
Let's go
a bit more into detail:
What I2P-Bote does hide:
I2P-Bote
hides both, the identity and location of sender and receiver, as
well as those of intermediary nodes (relays and storing nodes), the
content of your mails, their size, the number of mails you send.
Only the recipient can know the sender's bote mail destination, and if he choses not to send his destination, not even the recipient will know it.
Even if you send time stamps, your time zone will not be disclosed.
Furthermore, I2P-Bote hides ...
- the fact that you run I2P-Bote
- the fact that you send a mail
- the fact that you receive a mail
and hence
- the time you send a mail
- the time you receive a mail
and
- the
upper limit of number of mails an unknown user receives, - nota bene:
an abstract
user, no concrete one, just concluding its
existence from the existence of the mail identity
- as he
could always have more than one e-mail identity; and the lower limit
as an
identity also sends out test and dummy messages
What I2P-Bote hides partially:
The
I2P-Bote address of the recipient will only be known to sender and
recipient(s).
In case of multiple recipients, each one will see all other recipients that the mail was addressed to via “To:” or “CC:”.
All entries that were under “BCC:” will only be visible to the sender and this very recipient.
The time an sent time will, if at all, only be visible to sender and recipient.
What
I2P-Bote can hide optionally:
- If
mail routes are use, the time a bote mail is sent
- If mail routes are used, the time a bote mail is fetched. [not yet implemented]
- If the
sender suppresses timestamps only the sender himself will know when
he sent a
mail.
What
I2P-Bote cannot hide:
I2P-Bote
cannot hide the frequency a given identity checks for new mails nor
the number of mails a given identity receives.
Not even
for bootstrapping I2P-Bote depends on a central node, as it uses
Seedless.
5 Terminology/Glossary of Terms:
I2P-Bote (router/node) id:
This is the id an I2P-Bote router is known as. It is used for contacting this router, for storing, relaying and fetching mails, but also used in the hop-to-hop encryption and for simply contacting it via I2P, as it is at the same the I2P-Bote router's I2P tunnel destination. It is displayed to represent an I2P-Bote node in the stats.
So the router id corresponds to the I2P destination (the address of an I2P-Bote node on the I2P network - there is no need to know it unless you are having problems connecting to other I2P-Bote nodes.)
I2P-Bote
e-mail destination:
The
I2P-Bote e-mail destination (key) is an identifier by which somebody
can be reached via I2P-Bote, so as the name states: an e-mail
destination. Thus it is for I2P-Bote what an e-mail address is for
standard e-mail system: The e-mail destination is the actual address
for sending e-mails, for storing them into and for fetching them from
the DHT.
At the same time it used for the end-to-end encryption
of e-mails, header information and attachments.
An I2P-Bote e-mail destination is a Base64 string containing a public encryption key and a signature verification key. Example:
uQtdwFHqbWHGyxZN8wChjWbCcgWrKuoBRNoziEpE8XDt8koHdJiskYXeUyq7JmpG
In8WKXY5LNue~62IXeZ-ppUYDdqi5V~9BZrcbpvgb5tjuu3ZRtHq9Vn6T9hOO1fa
FYZbK-FqHRiKm~lewFjSmfbBf1e6Fb~FLwQqUBTMtKYrRdO1d3xVIm2XXK83k1Da
-nufGASLaHJfsEkwMMDngg8uqRQmoj0THJb6vRfXzRw4qR5a0nj6dodeBfl2NgL9
HfOLInwrD67haJqjFJ8r~vVyOxRDJYFE8~f9b7k3N0YeyUK4RJSoiPXtTBLQ2RFQ
gOaKg4CuKHE0KCigBRU-Fhhc4weUzyU-g~rbTc2SWPlfvZ6n0voSvhvkZI9V52X3
SptDXk3fAEcwnC7lZzza6RNHurSMDMyOTmppAVz6BD8PB4o4RuWq7MQcnF9znElp
HX3Q10QdV3omVZJDNPxo-Wf~CpEd88C9ga4pS~QGIHSWtMPLFazeGeSHCnPzIRYD
I2P-Bote
router/node id and I2P-Bote e-mail destinations look similar, but are
completely independent of each other.
E-mail
address:
E-mail addresses in I2P-Bote are shortcuts for e-mail destinations.
The e-mail address <--> e-mail destination mappings are stored in two places: the local address book and the distributed address directory [the latter not yet implemented].
I2P-Bote
e-mail identity:
The I2P-Bote e-mail identity is a set of an I2P-Bote e-mail destination key, the corresponding private keys and a name given to it by the user. This name will be sent with the destination key if you do not suppress sending information about the sender.
However it will only be displayed for the recipient in case he does not have a name for this destination in his local address book.
So technically speaking, an e-mail identity consists of four things:
* an e-mail destination (i.e. two public keys)
* two private keys for the e-mail destination
* a public name which can be shown to other people in e-mails
* a description which is not shown to anybody but you.
(It helps you remember which e-mail identity you use for which purpose.)
An e-mail identity is not required for sending emails (although then only "Anonymous" can be selected for the "sender" field).
Mail routes:
Mail routes are an additional high-latency transport for I2P-Bote. For this, a chain of I2P-Bote nodes is built, acting as relays/routers for packets and obeying to individual per-hop delays; [still no individual setting for delays implemented]
BEWARE!
If you
choose this option - especially with many hops and / or long delay
times, don't be surprised if your mail does not reach its destination
too soon. It will, of course, take longer – up to several days!
6. Credits
Idea & technical concept: HungryHobo, Mixxy
Implementation: HungryHobo
Plugin support: zzz, HungryHobo
User interface: HungryHobo
Seedless integration: sponge
German translation: HungryHobo
French translation: albat, Redzara, Mixxy
Spanish translation: Mixxy
Alpha testing: HungryHobo, Mixxy, Returning Novice, sponge, and many others
7. Technical Details
-- see techdoc.txt --
ENJOY THE BOTE FEELING!!