This document describes the privacy and anonymity improvements recently deployed on news.tcpreset.net, with a focus on the integration of the Nym mixnet into our posting infrastructure and the hardening of outgoing article headers.
Our server has always operated with a strong privacy commitment: no logging of reader IP addresses, no persistent metadata, abuse contact only. The current round of changes extends that commitment to the posting path — the headers that INN attaches to every article before it is propagated to peer servers.
Simultaneously, we are opening the server to posts arriving through the Nym mixnet, in collaboration with Ch1ffr3punk and the Nym-Usenet ecosystem. Nym provides multi-hop, traffic-analysis-resistant transport — a significant step beyond Tor for high-threat posting scenarios.
All changes are implemented in the INN nnrpd Perl filter, which runs on every article submitted by a posting client before acceptance. The filter now performs four operations:
The previous implementation replaced the poster's IP address with an MD5 hash using a hardcoded salt. MD5 is unsuitable for this purpose: a rainbow table attack over the IPv4 address space (4 billion values) takes seconds and completely defeats the anonymisation.
The new implementation uses BLAKE2b-256 with a secret key stored in /etc/news/nnrpd_hmac.key (readable only by the news system user). BLAKE2b is a non-NIST, RFC 7693 hash function, used in libsodium, Zcash, and Argon2. In keyed mode it is functionally equivalent to a MAC: without the server key, the IP cannot be recovered from the hash even with full knowledge of the input space.
# Before (MD5, hardcoded salt — broken)
NNTP-Posting-Host: 5f4dcc3b5aa765d61d8327deb882cf99

# After (BLAKE2b-256 keyed — opaque without server key)
NNTP-Posting-Host: ec07e4e2ab7b4451c294b937e0564281dcdb28c85abe4130039f7f8e872fc976
The key is loaded once at filter startup via startup_nnrpd() and held in memory, so there is no per-article file I/O.
The X-Trace header, added by some nnrpd builds, can contain routing and timing information about the posting session. It is unconditionally removed before the article is accepted.
The X-No-Archive: yes header instructs archiving services not to index or store the article. While no archiver is legally bound to honour it, major services (and well-operated private archives) do respect it. From this date, the header is injected by the server on every outgoing article, regardless of whether the posting client included it or not. Posters do not need to set it manually.
X-No-Archive: yes
Articles arriving through the Nym mixnet via the Hermes / Onion Courier gateway carry two non-standard headers identifying the pseudonymous sender: Contact: and Nym:. The filter enforces the canonical ordering agreed with the Nym-Usenet ecosystem:
Comment: This message did not originate from the sender address above.
It was sent anonymously via the Nym Mixnet.
Contact: info@oc2mx.net
Nym: <pseudonym>@<host>
INN serialises non-canonical headers in insertion order. The filter achieves the correct sequence by undefining both headers and reassigning Contact: before Nym: in the rebuilt header block.
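As an added illustration of the four filter operations described above (not the server's own filter_nnrpd.pl, which is Perl, and not code from the project), the same logic in Python: hashlib's keyed BLAKE2b stands in for Crypt::Mac::BLAKE2b, the key and all header values are constructed, and the header block is modelled as an ordered list to mirror INN's insertion-order serialisation.

```python
import hashlib
import ipaddress

# Constructed 32-byte demo key. The real filter reads its key once from
# the key file at startup and keeps it in memory; never use this value.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def hash_posting_host(ip, key=SERVER_KEY):
    """Keyed BLAKE2b-256 over the canonical text form of the address.
    Without the key, enumerating the 2^32 IPv4 space does not reverse the
    value, which is what broke the old MD5-with-hardcoded-salt scheme."""
    canon = str(ipaddress.ip_address(ip)).encode()
    return hashlib.blake2b(canon, digest_size=32, key=key).hexdigest()

def rewrite_headers(headers):
    """headers: list of (name, value) in the order the client sent them.
    Returns the rebuilt block in the order INN will serialise it."""
    out, contact, nym = [], None, None
    for name, value in headers:
        lname = name.lower()
        if lname in ("x-trace", "x-no-archive"):
            continue            # X-Trace dropped; X-No-Archive re-added below
        if lname == "nntp-posting-host":
            value = hash_posting_host(value)
        elif lname == "contact":
            contact = value     # held back, reinserted in canonical order
            continue
        elif lname == "nym":
            nym = value
            continue
        out.append((name, value))
    out.append(("X-No-Archive", "yes"))    # injected on every outgoing article
    if contact is not None:
        out.append(("Contact", contact))   # Contact: always before Nym:
    if nym is not None:
        out.append(("Nym", nym))
    return out

# Constructed article header block: Nym: arrives before Contact:, X-Trace
# leaks the session, and the client omitted X-No-Archive.
SAMPLE_HEADERS = [
    ("From", "poster@example.invalid"),
    ("Newsgroups", "alt.test"),
    ("NNTP-Posting-Host", "192.0.2.7"),
    ("X-Trace", "news.example.invalid 1700000000 4242 192.0.2.7"),
    ("Nym", "pseudonym@example.invalid"),
    ("Comment", "This message did not originate from the sender address above."),
    ("Contact", "info@oc2mx.net"),
]
```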
The Nym mixnet routes traffic through multiple relay nodes with padding and cover traffic, making traffic analysis significantly harder than with Tor. Posters who route their NNTP connection through a Nym SOCKS5 client pointed at a whitelisted network requester for tcpreset.net benefit from:
Server: INN 2.6.4 on Debian stable
Filter: /etc/news/filter/filter_nnrpd.pl
BLAKE2b via Crypt::Mac::BLAKE2b (libcryptx-perl)
Key file: /etc/news/nnrpd_hmac.key, mode 600, owner news