Lavabit to relaunch

Followers of the NSA spying stories will remember Lavabit, the encrypted email service created by Ladar Levison. Its claim to fame is two-fold. One is that it was the service used by Edward Snowden. The other is that in 2013 Levison chose to shut down the service entirely rather than hand over the encryption keys of the emails of his clients to the US government. I have written about this story before, as have many others.

Levison has announced that he is re-starting the service with a new end-to-end encryption system that will make him unable to comply with any future government requests for backdoor entrance. Kim Zetter provides more details.

“The SSL key was our biggest threat,” he says.

On Friday, he’s relaunching Lavabit with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. He’s also announcing plans to roll out end-to-end encryption later this year, which would give users an even more secure way to send email.

The new service addresses what has become a major fault line between tech companies and the government: the ability to demand backdoor access to customer data.

With the new architecture, Lavabit will no longer be able to hand over its SSL key, because the key is now stored in a hardware security module — a tamper-resistant device that provides a secure enclave for storing keys and performing sensitive functions, like encryption and decryption. Lavabit generates a long passphrase blindly so the company doesn’t know what it is; Lavabit then inserts the key into the device and destroys the passphrase.

“Once it’s in there we cannot pull that SSL key back out,” says Sean, a Lavabit developer who asked to be identified only by his first name. (Many of Lavabit’s coders and engineers are volunteers who work for employers who might not like them helping build a system that thwarts government surveillance.)

If anyone does try to extract the key, it will trigger a mechanism that causes the key to self-destruct.

The hardware security module is a temporary solution, however, until end-to-end encryption is available, which will encrypt email on the user’s device and make the SSL encryption less critical.

Snowden has said that he plans to reactivate his Lavabit account once it relaunches to show his support for Lavabit, but that demonstrating that it is truly secure will have to wait until after it has launched.

Other companies are also creating end-to-end encryption systems, so I suspect it is only a matter of time before it becomes routinely available even to the least tech-savvy users. We can thank Snowden for providing some of the impetus for these moves.


  1. says

    With the new architecture, Lavabit will no longer be able to hand over its SSL key, because the key is now stored in a hardware security module

    Boo. SSL has flaws designed into it. By accident, do you think?

    You have to remember when it was designed and how it was designed. Once you think about what was going on in the crypto-wars at that time, you can only conclude that the protocol would never have been exportable if it was any good. SSL’s purpose was not high security -- it was to be good enough against the common-or-garden hackers and that’s it. The other purpose of SSL was to let Public Key Partners get their slice of the action in return for not enforcing their PK patents -- the whole aborted certificate hierarchy is crap; it only existed to allow monetization of PK and domain names for conspicuous spin-offs owned by PKP. And if you’re a member of the tinfoil hat brigade, you already know that the certificate authorities that were selling all the certs were all located close enough to CIA HQ in Langley that you could practically toss a USB stick across the fence. (I am exaggerating slightly there, but you get the point)

    You can maybe build a secure system atop SSL, but it’s like building a castle out of mashed potatoes: why?

  2. EnlightenmentLiberal says

    To Marcus
    Do you think it’s possible the news article is simply technically incompetent, and they used the phrase “SSL” when they should have used the phrase “TLS”? Also, what’s your opinion on the TLS 3.0?

  3. Andrew Dalke says

    gives more details. “For the Cautious and Paranoid modes, all communication is encrypted on the user’s device making TLS less relevant. Even with end-to-end encryption, TLS ensures a client is connected to the provider’s server and provides perfect forward security for network traffic.”

    It looks like it’s only in Trustful mode (“the mode of choice for businesses, which have regulatory requirements, data retention practices, and unique needs like escrow keys”) where the hardware-based SSL is used as the only encryption. This also appears to let companies use existing SMTP, POP, and IMAP.

    Richard Dreyfuss showed it’s possible to make Devil’s Tower out of mashed potatoes. Though people will think you’re crazy.

  4. Peter B says

    pb note: preview did not show paragraph breaks. Breaks were in the raw message using two methods.

    “All” you have to do for secure communication of your message text is assure that both parties have the other’s public key. Using ephemeral public keys helps, but . . .

    You have to trust that the parameters of the public key algorithm you are using have not been compromised by someone at Fort Meade.

    You also have to be sure that no one made you think you have the other’s public key when you actually have your attacker’s public key. (Man-in-the-middle issue.)

    Now you have to worry about metadata. Sending a binary attachment to anyone or anything could trigger an investigation of you and make the one receiving your message a surveillance target. Plus it’s worse for you if the one receiving your message was already under surveillance.

  5. says

    TLS is a giant multi-patch on SSL, so as such it’s better but it doesn’t do much more than encapsulate learned experience — and that experience is not good. There are designed-in bad ideas in TLS, mostly backwards compatibility hacks, and if you think about it you’ll realize backwards compatibility in cryptosystems is a terrible idea. But that is necessary because the web started out doing it all wrong.

    Originally, the idea of transaction level security was to use bidirectional certificates (the user’s would be self-signed) and a full certificate hierarchy with revocation. The people who developed that went over the top, complexity-wise, and the industry dropped back to a partial approach. Neither would have ever worked anyway, some of us were saying at the time, because endpoint security was laughable. It’s pointless to save certs locally on devices that can run keyboard sniffers or memory scrapers.

    Meanwhile there were good approaches to doing transaction security that involve using perfect forward secrecy exchanges to trade shared keys, and automate that process like Signal does. The IETF in the 90s was a good example of the good overcomplicating things and killing the adequate.

    So the dust settles and we’ve got a bunch of big math crypto that exchanges keys between vulnerable endpoints and negotiates bulk encryption to a mix of various key sizes -- and authentication remains: passwords.
    It’s really sad.

  6. says

    Setting up secure sessions isn’t that big a deal. The tricky bit with all of this is sharing enough of a credential for adequate authentication. The entire commercial internet solves that problem using credit cards as the credential, which bootstraps up to an account/password credential. Think about it that way and you see it’s just stupid not to have used perfect forward secrecy and the same credential bootstrap. Nowadays, the new boot credential is becoming a telephone number (which implies residency and a credit card, etc.). All of this depends on scarcity of identity in the initial credential -- i.e.: it’s a house of cards.

  7. says

    Anyhow: the reason SSL and TLS happened was because RSAdsi was willing to push for using RC4 40-bit, for export. NSA didn’t even need to backdoor that. The whole protocol went out the door weakened to the point where it was damn near broken.
