
Lavabit's Dark Mail Initiative - p4bl0
http://www.kickstarter.com/projects/ladar/lavabits-dark-mail-initiative
======
shazow
Video summary:

- Lavabit + Silent Circle are starting a non-profit called the Dark Mail
Alliance.

- Planning to release an open source protocol for end-to-end encrypted email,
along with some open source implementations. Expecting feedback from the
community to drive the direction.

- Sketch of the protocol: Mail body/details is saved encrypted on some server
somewhere. Encrypted XMPP message containing URI describing where to retrieve
the message is sent to the recipients. Recipient clients figure out how to
fetch it and decrypt it.

- The protocol is based heavily on Silent Circle's protocol. Functional proof
of concept already exists.

- There will be several modes of security, default being the most secure, but
allowing the user to explicitly scale down on a case-by-case basis (e.g. to
abide by regulations and corporate policies).

- Sounds like it's backwards-compatible with SMTP, perhaps through gateways.
It'll be explicitly marked as insecure.

- Ladar's goal is to transition Lavabit from a services company into a
software company, using the free/open source business model and offer support
services around it.

- The protocol will be using "new elliptic curve cryptography we [Silent
Circle] developed." They're expecting the encryption methods will change over
time.

~~~
GhotiFish
Thank you for the summary!

>"new elliptic curve cryptography we [Silent Circle] developed."

???

Is... this a good idea? I would have thought libraries for this technique
abound.

~~~
devx
Strange that they say "we", because in the previous interview, they said Dan
Bernstein helped them to create some new 205-bit curve or something.
Previously they were using the NIST curves in the SCIMP protocol. They should
probably just use Curve25519, unless they think that's too overkill.

~~~
pit
I don't know too much about cryptography, but for an asynchronous
communication method like email, is there such a thing as encryption overkill?
For example, does it matter whether the message takes two seconds or five
seconds to decrypt/encrypt (particularly if that encryption/decryption happens
in the background of your mail app)? Are there other issues as you increase
the number of bits on the curve?

------
moxie
I think it's important that we separate our support for Ladar's legal problems
from our support for his technical decisions.

I think we should support Ladar as a person for bravely deciding not to comply
with the government's request, but that we should be extremely critical of the
technical decisions that led to his ability to have complied.

LavaBit was a service offering "secure" email using a mechanism known to be
insecure, which unnecessarily put a lot of users at risk. It seems injudicious
to fund its redeployment, and even a little bit strange to fund the same
person to develop something new.

~~~
guelo
I don't understand. Lavabit's full process, including the last resort off
switch, worked. Snowden was well served to rely on it, his emails were not
read by the government.

~~~
moxie
Lavabit was vulnerable to three attackers:

1) The server operator could choose to obtain access to plaintext.

2) An attacker who compromised the server could get access to plaintext.

3) Anyone capable of intercepting the SSL communication could get access to
plaintext.

Incidentally, those are the exact same points of vulnerability for a normal
(unencrypted) mail service.

One interesting question is why the US government requested Lavabit's SSL key
rather than just getting a CA to sign their own. My assumption is because they
were interested in _past_ communication that might have already been deleted
(perhaps by Snowden). We now know that the US government often logs and stores
ciphertext, and we know that Lavabit was not selecting PFS SSL cipher suites.

So when Ladar did eventually provide the SSL key to the government, it's
likely that the government was able to use that to decrypt all previously
stored traffic and obtain the entire history of transmitted email.

So it's quite likely that Snowden (and all other Lavabit users) did have their
email read by the government.
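
An added example, not part of the comment above or of any Lavabit code: a small Python audit of the point about non-PFS cipher suites, showing that a server which lists an RSA key-exchange suite first still negotiates it with clients that support ECDHE. The suite lists and client names are constructed sample data.

```python
import re

# "Ephemeral" key-exchange tokens in OpenSSL-style and IANA-style suite names.
_EPHEMERAL = re.compile(r"(^|[-_])(ECDHE|DHE)([-_]|$)")
# TLS 1.3 suite names omit the key exchange, which is always ephemeral.
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")


def is_forward_secret(suite):
    """True if session keys do not depend on the server's long-term private key."""
    name = suite.upper()
    return bool(_TLS13.match(name) or _EPHEMERAL.search(name))


def negotiate(server_prefs, client_offer):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def audit(server_prefs, client_offers):
    """Map client -> (suite, safe), where safe means a recorded session stays
    confidential even if the server's private key is disclosed later."""
    report = {}
    for client, offer in client_offers.items():
        suite = negotiate(server_prefs, offer)
        report[client] = (suite, suite is not None and is_forward_secret(suite))
    return report


# Constructed sample data, not Lavabit's actual configuration.
RSA_FIRST = ["AES256-SHA", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
PFS_ONLY = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA"]
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"],
    "legacy": ["AES256-SHA", "RC4-SHA"],
}

if __name__ == "__main__":
    for label, prefs in (("rsa-first", RSA_FIRST), ("pfs-only", PFS_ONLY)):
        for client, (suite, safe) in audit(prefs, CLIENTS).items():
            print(f"{label:9} {client:6} -> {suite}  forward_secret={safe}")
```

With the PFS-only list the legacy client gets no suite at all, which is the trade-off an operator accepts when removing RSA key exchange.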

~~~
ju916
Are you sure that Lavabit did not select PFS? Is this documented somewhere?
That's quite a fumble for somebody advertising secure email services.

BTW: shouldn't we assume that the US government operates at least its own
intermediate CA for such purposes rather than getting single certs signed?

~~~
natevancouver
Ladar says so in this interview, starting around 32:30:

[http://www.youtube.com/watch?v=7LzKjxj0u_s#t=32m30s](http://www.youtube.com/watch?v=7LzKjxj0u_s#t=32m30s)

------
conroy
I'm disappointed with this Kickstarter campaign. One 23 minute video and
almost no text explaining the project. The video isn't even made for
Kickstarter, it's just the announcement video from Inbox Love. How do they
expect to get almost $200,000 in donations with a campaign that looks like it
was put together in 10 minutes?

I want Darkmail to succeed (and I don't mind the name like many here), but I
have serious questions about the protocol and the community, none of which have
been answered.

~~~
Simucal
I couldn't believe that the Kickstarter video was the unedited conference
recording. I don't think campaigns need to be exceedingly polished but I do
expect a bit more effort than this.

------
tnorthcutt
This Kickstarter campaign reads like a What Not to Do If You Want Your
Kickstarter Campaign to Get Funded.

23 minute video that isn't specifically created for the Kickstarter campaign?
Check.

Very little explanatory text? Check.

Reward levels at different price points with identical rewards? Check.

Basic spelling errors (their != they're)? Check.

Campaign started by someone with a dog as their profile pic? Check.

I hope this project succeeds. I don't think this Kickstarter campaign will,
though.

~~~
Dylan16807
>Reward levels at different price points with identical rewards? Check.

Come on, that's not fair. This is a kickstarter that gives the normal
contributor _no_ rewards. That is an entirely different discussion, and not
inherently bad.

~~~
tnorthcutt
I'm not talking about what's fair/not fair or what's bad/not bad. I'm talking
about attributes of successful (or not) Kickstarter campaigns. Do you know of
a successful campaign with reward levels at different price points that have
identical rewards/text? Do you think that increases the chances of success for
this campaign?

~~~
Dylan16807
I'm saying that your classification of multiple tiers as having the 'same'
reward is misleading, because those tiers have _no_ reward.

I can't answer your question because I've only paid attention to a handful of
kickstarters, and they were product-selling rather than goal-fundraising.

~~~
tnorthcutt
When I used the word _reward_ I used it in the context of Kickstarter. That's
the terminology they use:
[http://www.kickstarter.com/help/faq/backer%20questions](http://www.kickstarter.com/help/faq/backer%20questions)

Whether a project creator chooses to provide an actual reward in the sense
that most people use the word is up to him or her. I'd wager that electing not
to do so is strongly correlated with a project not reaching its funding goal.

~~~
Dylan16807
I'm not complaining about terminology. Okay let me put this another way. Let's
pretend they had a $20 tier where you get nothing, plus the $5000 and $10000
early access tiers. If someone donates $20, they get nothing. If someone
donates $437, they get nothing. Does it actually hurt the project to create a
$400 nothing-tier in addition to the $20 nothing-tier? I am skeptical of this.
But that's what you called out as a negative in your original post, having
multiple tiers that are the same.

~~~
tnorthcutt
I'm suggesting that if the $25 tier has nothing as a reward, the $100 tier
should not also have nothing as a reward.

------
adamnemecek
It's been said before but the name seriously needs to change if the initiative
wants to get any sort of support from the general public. It's only slightly
better than say "pedomail".

~~~
dmix
Similar to authoritarian conservative political groups using names like
"Freedom" and "Liberty"?

They can sugar-coat it however they want but I'm ok with "dark". That is the
fact of life in a surveillance-state. In such an environment, one who wishes
to communicate in private must do it in the dark.

~~~
nrivadeneira
As accurate as it may be, it's terrible from a PR standpoint. The grandmother
next door will be less likely to adopt its use if she associates it with
darkness/nefariousness. _You_ may be OK with it and understand its true
meaning, but this isn't about just you.

~~~
dmix
They are creating a new protocol to be adopted and marketed by other email
providers (including Lavabit).

Those companies can take care of Grandma.

~~~
adamnemecek
But why create the friction in the first place? News is mostly about
soundbites, do you think that if grandma hears on the news that a defendant is
part of the 'dark mail' initiative that she will be sympathetic towards him?

~~~
w1nk
Viewed slightly differently, given that news is mostly soundbites, which is
going to be more memorable?

------
conorgil145
They point out that existing email leaks a lot of metadata, but I do not see
any proposal to fix that in the new protocol. How would you
hide/encrypt/otherwise protect the list of recipients? Someone somewhere has
to know where to deliver the message, especially if you will continue to use
human readable/memorable email addresses as we currently know them today.

You could have the server know the addresses to forward the message and then
forget them. However, then the server knows this information at some point and
it could be sniffed/recorded along the way.

Does anyone know any more details about the specifics of the protocol? How
would you minimize metadata leakage if you were implementing such a protocol?
I am not sure it is possible to guarantee the recipient list won't be leaked.

~~~
conroy
I've read over the SCIMP protocol. From their white paper, a sample message
looks like this:

    
    
       <message type="chat" from='velma@silentcircle.com' to='daphne@silentcircle.com'
       id="0FF6CF98-32FE-4EED-9DEF-D66A0E50EA8F"><body/><x xmlns="http://silentcircle.com">
       ?SCIMP:ewogICAgImRhdGEiOiB7CiAgICAgICAgInNlcSI6IDE1MDcyLAogICAgICAgICJtYWMiOiAiZlp
       YYURlQ1ljVTA9IiwKICAgICAgICAibXNnIjogIkloT051Sm9kK0Fjb09KQ1prZ0xHQXliSmJjbC9WNzhl
       cmMrSFY4K1FHcUJ2cEdlb2RaSWZwNTRKVWluU2g0N0lZTjFORkJOaXBjTVdubWlsMXVtbi9pcG5rVk8rd
       VJZdUJuQjdpZXZEK1pZQzBYV0hHQWQ3WWJtOWRsYkpSd0oyIgogICAgfQp9Cg==.</x></message>
    
    

which worries me. Yes, the connection between the server and client will be
encrypted, but my message still has metadata that isn't encrypted. I'd just
like an answer from Silent Circle / Lavabit.
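
An added example, not part of the comment above or of Silent Circle's code: a Python sketch that lists what anyone handling a stanza of this shape can read without holding any keys. The `?SCIMP:` payload in the quoted sample is base64-encoded JSON with `seq`, `mac` and `msg` fields; the stanza built here is constructed with the same shape, and its addresses, id and byte values are made up.

```python
import base64
import json
import xml.etree.ElementTree as ET

NS = "http://silentcircle.com"


def build_sample_stanza():
    """Constructed stanza shaped like the white-paper sample (values are fake)."""
    envelope = {"data": {
        "seq": 1,
        "mac": base64.b64encode(bytes(8)).decode(),
        "msg": base64.b64encode(bytes(range(48))).decode(),  # stand-in ciphertext
    }}
    blob = base64.b64encode(json.dumps(envelope).encode()).decode()
    return ('<message type="chat" from="alice@example.com" to="bob@example.com" '
            f'id="constructed-id-1"><body/><x xmlns="{NS}">?SCIMP:{blob}.</x></message>')


def observable_fields(stanza):
    """Return everything readable from the stanza without any decryption key."""
    msg = ET.fromstring(stanza)
    seen = {k: msg.get(k) for k in ("type", "from", "to", "id")}
    x = msg.find(f"{{{NS}}}x")
    payload = (x.text or "").strip() if x is not None else ""
    if payload.startswith("?SCIMP:") and payload.endswith("."):
        # Base64 is an encoding, not encryption: the envelope itself is readable.
        raw = base64.b64decode("".join(payload[len("?SCIMP:"):-1].split()))
        data = json.loads(raw)["data"]
        seen["seq"] = data.get("seq")
        seen["mac_present"] = "mac" in data
        # Only the msg field is opaque; its length still leaks message size.
        seen["ciphertext_bytes"] = len(base64.b64decode(data["msg"]))
    return seen


if __name__ == "__main__":
    for key, value in observable_fields(build_sample_stanza()).items():
        print(f"{key}: {value}")
```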

~~~
xanth
Why don't they address the server and encrypt the user address at the server
level, so a network eavesdropper would only see traffic to and from servers
but not the particular addresses being addressed? The user puts in an address,
e.g. yaName@yaDomain.com; the sender and receiver address (maName & yaName) are
then stripped on sending the D-mail and encrypted with the D-mail server's
private key; the receiving server (maDomain) then goes through the public
private key exchange with the sender (yaDomain), thus securely passing the user
address between the two servers without the eavesdropper knowing from what
user the D-mail originated and to what user the D-mail was addressed. This
system would become more secure the greater the number of users on each
domain.

To add extra security batch sending by the server would make it even more
secure

e.g. every 3min || when unsent messages to domain x > 999 --> send D-mails.

this would add latency and create bandwidth spikes but would negate time based
inference attacks.

edit: relevant xkcd; [http://xkcd.com/927/](http://xkcd.com/927/)

------
mr_spothawk
: Whiny warning : I wish they'd put a bit more work into this kickstarter,
rather than just dropping a turd on my doorstep. I'm really interested in this
protocol, but I can't help but feel like there's a lot of entitlement evident
in the lackadaisical approach. : end whine :

------
asdfs
Neat, but they really need to repeat what's said in the video in the text.
Currently it's not amenable to obtaining a quick understanding.

------
DigitalSea
Wow, $196,000? That's a lot of cash for cleaning up source code and releasing
it, isn't it? My understanding is that the code is merely being modified to
work in other environments, right? Finding great talent costs money and time,
but surely finding great developers who support Ladar and his quest to release
an open source email service wouldn't be that hard? I don't know C that well,
but I'd volunteer my time to make the project a success.

Something about that almost 200k figure they're asking for doesn't feel right.
Am I missing something here?

~~~
steveklabnik
> Am I missing something here?

Yes, watch the video. Or read the comments here with a summary.

Even the summary of the kickstarter says more than 'OSS the code.'

------
friendcomputer
I can't find any information on the "newly developed dark mail protocol." Is
this public anywhere? I need more information before I know if I want to
donate to support it.

~~~
KingMob
Seriously? It's the first result for "dark mail".

[http://www.darkmail.info/](http://www.darkmail.info/)

~~~
woah
I don't see any information on that page.

------
gesman
"Yet another communication system that offers better encryption" is not going
to solve the fundamental problem. Even if it is named "dark".

The communication system that conceals the very act of communication will.

The best way to conceal anything is to make others think that it never
existed.

Pissing off enemies with stronger encryption will just get more people hurt
and hunted for.

------
logn
I like this project:

[https://bitmessage.org/](https://bitmessage.org/)

~~~
mahyarm
Bitmessage is not very viable for mobile devices unless you offload hash cash
to a server.

~~~
logn
Then there's this, built on top of the protocol:

[https://bitmessage.ch/](https://bitmessage.ch/)

The source code is here:

[https://github.com/AyrA/BitMailServer](https://github.com/AyrA/BitMailServer)

It's written in C#, which I don't personally like. And there's no mention of
which particular 'open source' license it is. But the source code should be
informative for a port/rewrite, and maybe running it via Mono is viable.

edit:

If the DarkMail people happen to be reading this thread, please consider
putting your full support behind BitMessage.

------
jgrowl
Donated. Good luck to Ladar.

------
Mithrandir
Previous discussion:
[https://news.ycombinator.com/item?id=6642106](https://news.ycombinator.com/item?id=6642106)

------
nullz
"sell the sizzle not the steak"

------
hadem
What is keeping this service from getting shut down as well?

~~~
dsl
It is a protocol, not a service.

~~~
cracell
Ha, that's a pretty bullet-proof way to not get shut down.

To expand a little bit for the less technical readers. This is about
developing a new protocol for email, and an open source software package that
supports that protocol for people to use it with.

So in the end there will be a software package that you could install on a
server yourself and use for emailing others using the protocol. Most likely
some businesses will use the software and charge users for the service, just
like what Lavabit was doing before it shut down.

So you could shut down one provider, but you'll likely just make several new
ones pop up. This is similar to the war against bittorrent. You can shut down
the trackers and the sites where people find the torrents but new ones will
just appear.

~~~
socksy
I think chances are, the readers of HN already know the difference between a
protocol and a service.

And the benefit you listed is already one given to email — the reason that
Lavabit was shut down was because the guy behind it didn't want to provide a
service he knew to be flawed, in that the US government could request details
about users.

The question is, how does this protocol have it built into it in such a way
that both allows anonymity and so that providers can pop up in their place, as
you say?

------
mars
pledged.

------
dram
I like the name didapper mail. A fun sounding duck inspired protocol.

