
Lavabit gets new crypto key, gives users 72 hours to recover e-mails - shawndumas
http://arstechnica.com/tech-policy/2013/10/lavabit-gets-new-crypto-key-gives-users-72-hours-to-recover-e-mails/
======
robhu
The new certificate does not offer Forward Secrecy
https://www.ssllabs.com/ssltest/analyze.html?d=liberty.lavabit.com

Does this not mean that the NSA could patiently log all the traffic going in
and out of the site over the next few days, then get a court order for this
new SSL private key, then decrypt the traffic they collected?

I may have misunderstood, but doesn't that make this something of a trojan
horse? Many users will log in and try to download all their email, and for
everyone who does, when the NSA (very likely) get a court order for the new
SSL key, they'll have that large amount of private email everyone tried to
copy from the site?

~~~
koenigdavidmj
Destroy the key immediately after the 72 hours?

EDIT: And hope the relevant courts are not running _during_ those 72 hours?

~~~
robhu
Perhaps... but does it not seem rather a little odd that someone so
knowledgeable about security who had Forward Secrecy on before would now
/accidentally/ get a new certificate without it?

This doesn't make sense, he would have had forward secrecy on unless there was
some reason not to do so (like he was compelled not to, or if he isn't even
the one doing all this).

~~~
eli
If he intended to give the government access to your email, wouldn't there be
much easier to implement and harder to detect ways of accomplishing it than a
wonky cipher suite setting?

~~~
mikeash
This is probably wandering too far into conspiracy territory, but what if he's
being forced to do it but doesn't want to, and this is his way of obeying
badly?

~~~
sgentle
I don't think that's at all too far into conspiracy territory. Keep in mind
that him being forced to do something and obeying badly (because he couldn't
talk publicly about it) is a pretty precise description of the events leading
up to the shutdown.

------
drraoulduke
I wouldn't trust this. The government could be running the site now. It's
happened before.

~~~
throwit1979
Occam's razor, for once, actually supports the conspiracy theory.

It's far more likely that Levison has been bullied into 72 hours of snooping
to avoid contempt than that he's suddenly decided, months after shutting down,
for no reason at all, to open up a window for users to grab their emails.

~~~
gentoomenpls
wut.

Occam's razor says he replaced the compromised SSL key (the one the court
ordered him to hand over).

Ladar shut down his servers rather than accept snooping on all his users; I
certainly doubt he just decided after all this fighting to just give up.

~~~
throwit1979
So then he suddenly, after all this time, woke up and decided, "hey, you know
all those hosts I shut down and mothballed? I'm going to fire them up NOW,
spend some time restoring backups, reconfiguring things where necessary, while
facing possible contempt charges, for an arbitrary number of hours, with a new
keypair, signed by a US certification authority, without ephemeral keys, and
invite everyone who has been avoiding snooping by state entities to log in
with their private credentials!" ?

He could have done this a while ago, but he didn't.

He could have relaunched fully, under a new entity, but he didn't.

He chose NOW, to relaunch for only 72 hours. Why?

~~~
gentoomenpls
The warrant that was given to him only asked for the SSL keys.

The court records were just unsealed on October 2nd.

>He could have done this a while ago, but he didn't.

Maybe he's been working on it since the 2nd?

>He could have relaunched fully, under a new entity, but he didn't.

Why would that change anything? This would only serve to hurt his existing
customers.

>He chose NOW, to relaunch for only 72 hours. Why?

Again, maybe he's been working on it since the 2nd?

~~~
throwit1979
Well, it's certainly possible, but I'd like to point out one thing. IANAL, but
I've been through enough to know that courts will often/always consider the
aspect of compliance known as "good faith". It's almost certain that handing
over the key and them immediately changing it would be seen by the presiding
judge as compliance in bad faith, and would put him in a substantially worse
position with regard to possible contempt. Given this, unless Levison is
legally suicidal, I think it's a fair bet that any relaunch using a new key
pair was done, at the very least, with the blessing of the feds and/or the
judge. And I can only think of one reason the feds would give such a blessing.

------
nullc
This really makes little sense. The service was designed so that the data was
encrypted.

He could just let people download their data and decrypt it locally. Instead
the site is prompting you for a password which it could freely capture.

~~~
tuananh
How do you authenticate said person so you could allow him/her to download
his/her data?

~~~
chrislipa
Why would you need to? The data is encrypted by the password.

~~~
nitrogen
Particularly weak passwords could be brute forced with a dictionary attack.

~~~
chrislipa
In that case, the feds already have it ...

~~~
nitrogen
Yes, but no doubt some of Lavabit's users are more worried about random or
targeted hackers, and not so worried about the US government. No need to give
everyone the data just because one group already has it.

------
FiloSottile
> Since the SSL certificates formerly used to protect access to Lavabit have
> been compromised, we recommend manually validating the serial number and
> fingerprint your computer received before using this website.
> [https://liberty.lavabit.com/]

What? If an active attacker is changing certificates on the fly, he's also
surely able to change the values in the HTML content of the page.

This will add absolutely no security for the users, only false sense of
security via complex-looking measures, and he should know this.

~~~
sil3ntmac
Hopefully liberty.lavabit.com uses a new uncompromised cert?

~~~
FiloSottile
The point is that if it is uncompromised we are safe; if it isn't, writing the
fingerprint in the HTML will be of no help at all.

------
junto
So he hadn't deleted everything? I presumed he had not only shuttered the
service, but also that he had deleted everything.

~~~
tedunangst
Destroying everything is kind of permanent. Even if he wins the court battle,
he loses.

~~~
JshWright
I suspect he would have deleted everything if he could (when we shut down our
mail service at Silent Circle, we deleted everything specifically because we
still could). If he did it after this whole show got started, it would very
likely have led to even more significant contempt (or even obstruction)
charges.

Destroying everything does indeed cause some pain, but it also sets a very
definite upper bound on just how much pain is possible (especially for your
customers).

------
RRRA
It's a trap?

~~~
quink
With Forward Secrecy disabled when it wasn't before, it only being a quick
configuration change to re-enable it (I'm talking two or three lines in Apache
or nginx), and no discernible gain in disabling it other than to make it
easier for people to look through the traffic after the fact... it's almost
the only explanation.

Either that or there's an amount of incompetence here that might as well
amount to the same degree of stay away.

However, the server is probably not actively compromised, because if it was
they could use PFS and still listen in. They would still need, however, to
obtain the key pair being used at some point in order to listen in to the
traffic.

But that would mean that they can likely change the key pair on the server but
for some reason they can't enable PFS, even though once they have access to
the server in production, PFS is useless... so... who knows on that part.

tl;dr: If they get the key pair later (even if years later through brute
forcing or whatnot) and don't have access to the server, then PFS disabled is
a bad thing. If they have control over the server or the server logs all the
session keys and they receive these at some point in time, then PFS enabled
is, of course, a useless thing. If they don't get the key pair at any point,
then it's fine, but I'd consider that unlikely.

Edit: The proper way forward is to estimate the chance they will get the key,
which we might as well call 50-50, multiply that by the losses you would incur
were they to gain access to these emails (and that's likely to amount to $0
for the vast majority, sorry if I'm being presumptuous and devaluing privacy)
and compare that to the losses incurred if you didn't have access to these
emails. Counter-intuitively arising from that, for some it might even make
sense to connect assuming that traffic is intercepted, to show that they are
boring and are using Lavabit for very mundane reasons.
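As an added illustration of the "two or three lines" point above (example configuration written for this thread, not Lavabit's or any commenter's own config): an nginx TLS block restricted to RSA key exchange, which is what SSL Labs reports as lacking forward secrecy, beside the corrected block that prefers ephemeral ECDHE/DHE suites. Host name, certificate paths and the dhparam file are placeholder assumptions; the two `server` blocks are alternatives, not meant to be deployed together.

```nginx
# WEAK: with RSA key exchange every session key is encrypted to the server's
# long-term private key. Traffic recorded today can be decrypted by anyone
# who obtains that key later (by court order, theft or future cryptanalysis).
server {
    listen 443 ssl;
    server_name mail.example.test;             # placeholder host name
    ssl_certificate     /etc/ssl/example.crt;  # placeholder paths
    ssl_certificate_key /etc/ssl/example.key;
    ssl_protocols       TLSv1.2;
    ssl_ciphers         AES128-SHA:AES256-SHA; # RSA kx only: no forward secrecy
}

# CORRECTED: ephemeral (EC)DHE key exchange. The long-term key now only signs
# the handshake; the DH exponents are discarded after each session, so a
# later compromise of the private key does not reveal past session keys.
server {
    listen 443 ssl;
    server_name mail.example.test;
    ssl_certificate     /etc/ssl/example.crt;
    ssl_certificate_key /etc/ssl/example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;       # every TLS 1.3 suite is (EC)DHE
    # For TLS 1.2 list only ECDHE/DHE suites; no plain RSA-kx suite remains.
    ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;              # server's ephemeral preference wins
    ssl_ecdh_curve      X25519:secp256r1;
    ssl_dhparam         /etc/ssl/dhparam.pem;  # required for the DHE suites;
                                               # generate with: openssl dhparam -out dhparam.pem 2048
    ssl_session_tickets off;                   # a long-lived ticket key would itself undermine FS
}
```

The Apache equivalent is the same cipher string in `SSLCipherSuite` together with `SSLHonorCipherOrder on`. After reloading, the SSL Labs test linked in the thread reports "Forward Secrecy: Yes" only when no non-ephemeral suite can be negotiated.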

------
rietta
This has got to be an FBI orchestrated trap!

------
gonzo
The original key was revoked by the CA. Lavabit couldn't operate with the
original key even if they wanted to.

------
kyboren
Did anyone else take a look at the site source code?

For a trap, it's pretty damn obvious. The form submits the user name and
password in plain text over the "secured" connection--the one that doesn't
support forward secrecy, operated by a provider who's already known to be
compelled to disclose SSL private keys.

Further, I can't imagine Ladar willingly set this up. This means that not only
can they compel Ladar to hand over his private SSL keys, but they can
apparently compel him to take positive action to fuck over his users. <s> Talk
about a free country! </s>

------
swalkergibson
Hypothetically speaking, could you download the files over Tor from public
wifi and be protected? Or, is Tor now considered insecure due to exit node
monitoring?

~~~
chimeracoder
This is orthogonal to Tor.

SSL protects an adversary from seeing _what_ you're talking about, not _who_
you're talking to.

Tor will prevent an adversary from seeing _who_ you're talking to, but not (in
itself) _what_ you're talking about[0].

Here, the topic of concern is an adversary (in this case, the government)
finding out _what_ you're talking about, so Tor isn't relevant.

[0] Because the last step is unencrypted and sent in plain text, even though
intermediate steps are encrypted.

~~~
swalkergibson
Thank you for the explanation. I guess my previous thought was made under the
assumption that this was not some sort of law enforcement honeypot. If in fact
they are just listening for your username/password on the server, there ain't
no way around it.

------
glasz
given the government is behind all this (which, after all, isn't too unlikely)
at least some thug at some agency is now furious because of us here and
commenters all over the web warning people. the question arising in their
minds, and certainly meetings, is "what to do about people talking?".

now, you'll just wait what happens and be as surprised by the outcome as
you've been with the surveillance revelations this year.

brave new world.

------
borplk
It's a trap.

