Author Topic: Bug in CS-PP or in Stunnel Addon - or both? (NZB's not sent via SSL?)  (read 1469 times)

Radish

  • Newbie
  • Posts: 8
I'm using CS-PP v2.3 along with the SSL add-on.

I thought it was working fine - posts were anonymous.  For example a rar would be posted and reported as:

POST OK: <part1of1.aHmMRo0XmQc3$gjAAhbQ@camelsystem-powerpost.local>

However, (horror) if I have CS-PP create an nzb and that is also posted then what is reported is as follows:

POST OK: 240 <GTMYo.1732$%64.1706@news.YourServerTitle.com>

When I noticed this I opened my news reader and checked the 'properties' of an nzb I had posted up.  It does actually show the title of the news server to which the nzb was posted.  It does not show '... @camelsystem-powerpost.local' which is what should be happening if it was being passed through the SSL add-on (I think).

For reasons that I don't want to mention here I suspect that the nzb (any nzb that anyone posts via CS-PP going through the Stunnel add-on) is not going through the encrypted connection at all - but is being sent to the server via a non-encrypted connection.  (I can't mention here why I think that; you'd really need to test it yourself to see why that looks likely.)

Apart from not using CS-PP to create and send nzb's - which I'll be doing from now on until I get this solved - how do you stop this from happening? Is this a bug?  Or is there something I don't understand and there is nothing wrong with CS-PP or with the Stunnel add-on?
« Last edited on: 17 January 2011, 03:37:22 by Radish »

Timothy

  • Forum administrator
  • Full member
  • Posts: 127
Re: Bug in CS-PP or in Stunnel Addon - or both? (NZB's not sent via SSL?)
« Reply #1 Posted on: 17 January 2011, 21:24:08 »
I've created the STunnel installer in such a way that all traffic goes through STunnel.
The only thing it does is encrypt the data you send through your Internet connection.
At the end (server-side) all data gets decrypted, otherwise nobody can do a thing with these files.

I see no point of changing it, I only see that it sends the domain of the used news-server, so how can that lead back to you?
In the past this NZB feature was added to Powerpost, so maybe 'they' have made a mistake and used the server-name instead of what you suspect, like camelsystem.powerpost.local. I can look into that some time, but it's not a big deal at all.
When posting without SSL and with NZB, I think it will be all the same. The only difference will be that you're not posting anonymously. (So your Internet Service Provider can see what you've been doing; with SSL enabled they haven't got a clue.)

Radish

  • Newbie
  • Posts: 8
Re: Bug in CS-PP or in Stunnel Addon - or both? (NZB's not sent via SSL?)
« Reply #2 Posted on: 19 January 2011, 03:43:53 »
Hello Timothy

I read this last night and went and slept on it.

When I got up this morning I had some bulbs going off on what might be going on. I'll have to contact a news server and see if I can drag some info out of them.  Will post back here if I manage to get some clarification.  Might take a couple of days - so called 'support' isn't very good at times.

Many thanks.

Radish

  • Newbie
  • Posts: 8
Re: Bug in CS-PP or in Stunnel Addon - or both? (NZB's not sent via SSL?)
« Reply #3 Posted on: 23 January 2011, 23:53:54 »
Hi Timothy

So far no one at customer services will discuss the issue but I think I worked out what is going on – and, if that is correct then there is no issue with the Stunnel addon. Best explanation I can come up with would be as follows:

1.   I joined a new news server and started posting.

2.   I had been using CS-PP with the default settings to ID a post message line with '@camelsystem-powerpost.local'

3.   However, in the beginning all NZB's posted would have that changed to '@news.YourServerTitle.com'.  (You would need to open your newsreading program and look at the properties for files to see this. This only happened to the NZB's.)

4.   However, a few days later, guess what happened?  All post message lines were being shown as '@news.YourServerTitle.com' not '@camelsystem-powerpost.local'.

5.   What made me think, in the beginning that the Stunnel addon might not be working properly (at least for NZB's) was that in order to post using SSL I need to point CS-PP to the address 'secure.YourServerTitle.com'.  If I tried to use 'news.YourServerTitle.com' that wouldn’t work as that server, even though it belonged to the same company, won't accept SSL connections.

6.   Do you now see why I was confused?  Not only was the NZB line information being changed from '@camelsystem-powerpost.local' it wasn't being changed to '@secure.YourServerTitle.com' but to '@news.YourServerTitle.com'.  And after a few days that was happening to everything I posted.

7.   See, the '@secure' was missing, there was just '@news'. (And that is without taking into account that the title of the line posted *was being changed* - it was different from the settings I had made in CS-PP.)

8.   I tried checking the properties of files (lines) other people were posting.  The same thing seemed to be happening to all 'volume/regular' posters: all their posts seemed to be 'tagged' to the server where the original post was made  e.g. '@news.giganews.com', '@news.newshosting.com' and so on.  However, as best as I could see in the groups I checked, this did not seem to be happening to 'low volume/occasional' posters. Their posts, it seems, could still be seen to be anonymised according to whatever setting they had made in whatever posting program they were using to make the post.

9.   Taking all the above into account, as best as I can see, news servers themselves have started to 'tag' posts according to what server (company) that post was originally made to. They have started to change the post so that it can be identified as to what server it was originally sent to. It would also seem to be the case that, at least for the server (company) that I use, that will always be done with NZB's and if you are a regular poster to a group that will then be done to everything you post. (So there must be a monitor that triggers starting to alter your posts. Wonder what the 'trigger' is?)

I'd say that is a breach in security of posting because what is really happening is that the server company is being tagged to the post and the time at which the post is being made is also tagged, in as much as the post will be time-stamped on the server's drives (and probably the time will be logged anyway). I personally would say all that is a matter for concern.

I'd also only agree up to a point when you say that if you are using Stunnel then your ISP can't see what is being done, has not got a clue what is going on. I think that is only half true for the following reasons (as I understand what SSL is):

SSL does not produce a tunnel into which your ISP cannot 'see'. All it does is encrypt a data stream so that the ISP cannot readily monitor the unencrypted content of that stream. They could only see the real content if they had managed to decrypt the stream. This is a very different situation from that of a 'tunnel' – your ISP can see exactly what is in the data stream, it's just that it is encrypted. (The 'tunnel' idea is only a way of trying to get people to picture this, but it is a very misleading picture.)

However, even though the data stream content itself is encrypted, the address to which that stream is being sent can be seen by your ISP. It must be seen by the ISP, because if your ISP hasn't been told where to send that stream packet, then your ISP isn't even going to try and send it.

For example, if you look at some of the documentation for the TOR project, it can be seen that TOR actually does address this problem for encrypted data streams. TOR gets round the problem by encrypting the 'final destination address' of the stream packet and replacing that address with the address of the first server that the packet will be sent to as it heads for the 'TOR network'.  In this case you have an encrypted stream (ISP can't see the real content) and a 'false' address (so the ISP doesn't actually know where that data stream packet is really addressed to, it only knows the address of the first server that TOR has sent the packet to). To complete the explanation, TOR then hops that packet around several 'middle-servers' and only on the last hop (at the last server) does the 'final destination address' of that packet get decrypted again as being the real address to send the packet to – the address you set on your machine when you sent the packet off. Outside of cracking the encryption for the entire packet, the only machine that could possibly log the real destination address is the last-hop server.

So bottom line for SSL is that (as far as I understand it) the ISP always knows where the encrypted stream is going, so your ISP does have quite a strong clue that you are in fact posting to a news server. (The only way I could see to get around that is to only post using a VPN server, though that server would then have to know the destination address of the stream packets, but your own ISP wouldn't. Your ISP would only know you are sending (encrypted) data to a VPN server.)

What I don't know about SSL, and I would be grateful if you or anyone else could tell me, is does the ISP only see that destination address when the stream is first established (negotiated)? Or, does it see it for all packets sent in the encrypted stream? In terms of your own security/anonymity it really doesn't matter what the answer is – your ISP knows you are posting.

If I have any of that wrong I'm happy to be told I've made a mistake – that way I learn more.

I would like to add, Timothy, that I think the SSL addon is a brilliant idea. I really am glad it is available. And have nothing but gratitude for the fact that you made it and made it available to everyone.  Huge and many, many thanks for that.

If you, or anyone else for that matter, can put more light on why news servers are tagging posts in the way I think they are I'd be very grateful for the information.
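
An added example, not part of the original post or of CS-PP: a small Python check that reads a posting client's 'POST OK' lines and separates Message-IDs that kept the client-configured domain from those that came back with a different one, as described in points 2 to 4 above. The log format is assumed from the two lines quoted in this thread; the function names and the extra sample lines are constructed.

```python
import re
from collections import Counter

# Domain the client is configured to use in Message-IDs (value quoted in the thread).
EXPECTED_DOMAIN = "camelsystem-powerpost.local"

# Constructed sample log, modelled on the two "POST OK" lines quoted in the thread.
SAMPLE_LOG = """\
POST OK: <part1of1.aHmMRo0XmQc3$gjAAhbQ@camelsystem-powerpost.local>
POST OK: 240 <GTMYo.1732$%64.1706@news.YourServerTitle.com>
POST OK: <part2of2.ExampleConstructed@camelsystem-powerpost.local>
POST FAILED: 441 posting failed
"""

# "POST OK:", an optional 3-digit NNTP status code, then <local-part@domain>.
LINE_RE = re.compile(r"^POST OK:\s+(?:(\d{3})\s+)?<([^<>@\s]+)@([^<>@\s]+)>\s*$")


def parse_line(line):
    """Return status, local part and domain of a POST OK line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    status, local, domain = m.groups()
    # Domain names compare case-insensitively, so normalise to lower case.
    return {"status": status, "local": local, "domain": domain.lower()}


def audit(log_text, expected_domain=EXPECTED_DOMAIN):
    """Split accepted posts into (kept, rewritten) by Message-ID domain."""
    kept, rewritten = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a successful post, nothing to compare
        same = rec["domain"] == expected_domain.lower()
        (kept if same else rewritten).append(rec)
    return kept, rewritten


def domains_seen(records):
    """Count how many posts carry each Message-ID domain."""
    return Counter(r["domain"] for r in records)


if __name__ == "__main__":
    kept, rewritten = audit(SAMPLE_LOG)
    print("kept client domain:", len(kept))
    for rec in rewritten:
        print("different domain:", rec["domain"], "status", rec["status"])
```
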


Timothy

  • Forum administrator
  • Full member
  • Posts: 127
Re: Bug in CS-PP or in Stunnel Addon - or both? (NZB's not sent via SSL?)
« Reply #4 Posted on: 24 January 2011, 14:00:57 »
Interesting, must read this a couple of times, but sure gonna reply on this matter later on...