Slashdot Mirror

← Back to Stories (view on slashdot.org)

Lavabit Is Relaunching (theintercept.com)

Posted by BeauHD on from the blast-from-the-past dept.

The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year. The Intercept provides some backstory in its report: In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.

4 of 54 comments (clear)

  1. Problem is - He's a US citizen by Indy1 · · Score: 4, Interesting

    so even if 100% of the service is hosted overseas, the gestapo errr FBI and NSA, will still put pressure on him to compromise the service.

    Any more, you want fed proof email, 100% of the solution has to be fed proof.

    That means non US citizens as employees working in a fed proof country, and servers hosted in a fed proof country.

    I think proton mail fits this need well.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:Problem is - He's a US citizen by networkBoy · · Score: 4, Interesting

      While I think we all agree that nothing is invincible, you want it to be a very hard problem to break, and one that the site owner can't facilitate. Further you want tamper evidence, thus even if he's served an NSL with gag any action on it will betray that something's up.

      In other news, I'll be a customer again :)

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  2. ProtonMail already exists by rainwalker · · Score: 4, Informative

    ProtonMail already exists, has 2 million users, excellent security and architectural design, zero knowledge on the part of the provider, 2 factor authentication, optional two password setup (one for the account, another to decrypt the inbox), is located in Switzerland instead of the US, etc. It's also trivial to use, the importance of which can't be overstated.

    In contrast, the new LavaBit is promising end-to-end encryption "later this year", as opposed to PM, which has always had it. It's concerning that a single SSL certificate was the only barrier between the users and total decryption. More competition is always good, but this looks like a significant step down from an existing service.

    1. Re:ProtonMail already exists by Anonymous Coward · · Score: 5, Insightful

      Protonmail is just security charade.

      They claim their webclient is open source, except that on their github page you can only find the source code of older versions, not the current one. That's basically equivalent to using closed source software.

      They claim their protocol is OpenPGP-compliant, but for some strange reason they don't want to let users access their mail with third-party OpenPGP-compliant clients. After a lot of complaints, now they are releasing a beta, closed-source client to access the mailbox. Long story short: it's impossible to know for sure if they use the OpenPGP protocol or something else.

      They claim they are protected by "swiss privacy laws", that have just been heavily watered down, and weren't particularly strict before either, contrary to popular legends: for example, Greece has far stricter privacy legislation than Switzerland, according to Privacy International.

      And obviously they have an "underground bunker" for their servers, which is really useful from an IT security standpoint, and surely isn't just marketing crap.

      I would definitely trust Lavabit far more: their current source code is public, they use standard encryption protocols, and their founder already proved to be ready to stand up to the FBI.