Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lavabit Is Relaunching (theintercept.com)

Posted by BeauHD on from the blast-from-the-past dept.

The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year. The Intercept provides some backstory in its report: In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.

4 of 54 comments (clear)

  1. Problem is - He's a US citizen by Indy1 · · Score: 4, Interesting

    so even if 100% of the service is hosted overseas, the gestapo errr FBI and NSA, will still put pressure on him to compromise the service.

    Any more, you want fed proof email, 100% of the solution has to be fed proof.

    That means non US citizens as employees working in a fed proof country, and servers hosted in a fed proof country.

    I think proton mail fits this need well.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:Problem is - He's a US citizen by networkBoy · · Score: 4, Interesting

      While I think we all agree that nothing is invincible, you want it to be a very hard problem to break, and one that the site owner can't facilitate. Further you want tamper evidence, thus even if he's served an NSL with gag any action on it will betray that something's up.

      In other news, I'll be a customer again :)

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:Problem is - He's a US citizen by Anonymous Coward · · Score: 2, Interesting

      Be careful, Protonmail sounds like "security charade" and nothing else.

      They claim their webclient is open source, except that on their github page you can only find the source code of older versions, not the current one. That's basically equivalent to using closed source software.

      They claim their protocol is OpenPGP-compliant, but for some strange reason they don't want to let users access their mail with third-party OpenPGP-compliant clients. After a lot of complaints, now they are releasing a beta, closed-source client to access the mailbox. Long story short: it's impossible to know for sure if they use the OpenPGP protocol or something else.

      They claim they are protected by "swiss privacy laws", that have just been heavily watered down, and weren't particularly strict before either, contrary to popular legends: for example, Greece has far stricter privacy legislation than Switzerland, according to Privacy International.

      And obviously they have an "underground facility" for their servers, which is really useful from an IT security standpoint, and surely isn't just marketing crap.

      It doesn't look good to me.

  2. Re:ProtonMail already exists by Anonymous Coward · · Score: 2, Interesting

    ANY service that requires your browser to download and execute the crypto code from THE SERVICE... is a flawed service.
    You should be able to get the executed code from a third party coder. Otherwise the service can be ordered or backdoored or twisted into serving your browser defective crypto and other code.
    You're a fucking fool to use browsers in the way proton or lava does.

    Furthermore, SMTP is plain fucking broken in regards to cleartext headers, in particular to/from/cc/subject.
    And SMTP is plain fucking broken regarding the mail provider having knowledge.

    If you want SECURE messaging, you MUST move OFF SMTP and ON to a true end-to-end p2p messaging system, or AT LEAST a zero knowledge system.
    Ricochet over tor qualifies, as does pond and blockchain style broadcast networks.