Date: 2017-01-20
Lavabit Is Relaunching (theintercept.com) 24
The encrypted email service once used by whistleblower Edward Snowden is relaunching today. Ladar Levison, the founder of the encrypted email service Lavabit, announced on Friday that he's relaunching the service with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. In addition, he's also announcing plans to roll out end-to-end encryption later this year.

The Intercept provides some backstory in its report:

In 2013, [Levison] took the defiant step of shutting down the company's service rather than comply with a federal law enforcement request that could compromise its customers' communications. The FBI had sought access to the email account of one of Lavabit's most prominent users -- Edward Snowden. Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password. And though the feds insisted they were only after Snowden's account, the key would have helped them obtain the credentials for other users as well. Lavabit had 410,000 user accounts at the time. Rather than undermine the trust and privacy of his users, Levison ended the company's email service entirely, preventing the feds from getting access to emails stored on his servers. But the company's users lost access to their accounts as well. Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he'll never have to help the feds break into customer accounts again. "The SSL key was our biggest threat," he says.
Might be wise to still use PGP... (Score:1)
It is nice to have a good transport layer for e-mail, but no matter how secure it is, it is wise to have your final message/file encryption be separate, just in case something happens. It's the same reason people put stuff in a physical, sealed envelope before it goes into the courier's hands, even though the courier is 100% trustworthy.
I seem to remember that you aren't supposed to send cash in the mail because letters with cash tend to get lost in the mail at a higher rate than letters without cash.
Problem is - He's a US citizen (Score:3)
so even if 100% of the service is hosted overseas, the gestapo errr FBI and NSA, will still put pressure on him to compromise the service.
Any more, you want fed proof email, 100% of the solution has to be fed proof.
That means non US citizens as employees working in a fed proof country, and servers hosted in a fed proof country.
I think ProtonMail fits this need well.
While I think we all agree that nothing is invincible, you want it to be a very hard problem to break, and one that the site owner can't facilitate. Further, you want tamper evidence, so that even if he's served an NSL with a gag, any action on it will betray that something's up.
In other news, I'll be a customer again
Obtain the password? (Score:2)
Levison had custody of his service's SSL encryption key that could help the government obtain Snowden's password.
If they could have obtained the password, Lavabit must have been doing things really wrong, no? Salting and hashing and all that...
ProtonMail already exists (Score:2)
ProtonMail [protonmail.com] already exists, has 2 million users, excellent security and architectural design, zero knowledge on the part of the provider, 2 factor authentication, optional two password setup (one for the account, another to decrypt the inbox), is located in Switzerland instead of the US, etc. It's also trivial to use, the importance of which can't be overstated.
And they just added Tor support [techcrunch.com], with their own .onion address.
https://protonirockerxow.onion/ [protonirockerxow.onion]
For when you absolutely, positively want your e-mail to be slower than traditional post service.
Have a look at mailbox.org. The people there are really competent with mail. Posteo is another good option; for example, they published their Dovecot plugin to decrypt mails on access to store them safely.
