A snailmail letter can be sent “care of” someone: Alice sends a letter addressed to
Bob
c/o Caroline
[Caroline’s address]
Caroline gets the letter delivered to her and passes it on to Bob.
Could I permit some of my contacts to send messages c/o me? I would not be able to decrypt anything except the destination address and perhaps a requested delay; I’d just unwrap and forward the message automatically, onion-style.
This would allow two people to talk to one another without disclosing the fact that they are talking to one another, even if they are both forced to use a relay hosted by an adversary.
DC is aimed at trusted friends and family, so this seems to fit.
I don’t think “MITM” is the best term to use here, as it is usually used for encryption-breaking covert attacks.
The activity descibed is opt-in and transparent for all three parties, and the middle party sees no more unencrypted info than the relay does.
Use case: Alice is an ex-pat activist, Bob an activist living under censorship. Bob talks to his sister Sally, also an ex-pat, via Deltachat. Bob wishes to talk to Alice, but without alerting the censors, who run the only mailservers Bob is allowed to use. Sally agrees to relay messages between Alice and Bob. The onion encryption prevents Sally from reading the messages, and means that the censors can only see what appears to be Bob talking to Sally.
You could also think of this as a group where one member can only get messages directly from some other members.
In case of a direct contact, only the two relays have metadata. If you add just one middle node from yet another relay, all three will have metadata, along with the client on the third relay - that’s quite a few more eyes than initially. Mix networks work by combining a large number of participants and multiple hops. I now realize that your original problem statement only considered 1-hop forwarding.
The censor-controlled relay sees Bob talk to Sally. Sally’s Bobwards relay sees the same. Sally’s Alicewards relay (should probably be another profile by default) sees Sally talk to Alice, as does Alice’s relay.
The censor thus does not see Bob talk to Alice, which is the goal.
A mix network would also do this, but it would probably be done with bots.