

GoDaddy Pulls Lavabit's Security Creds Because the FBI Got Its Encryption Keys - bcn
http://www.forbes.com/sites/kashmirhill/2013/10/09/godaddy-pulls-lavabits-security-creds-because-the-government-got-ahold-of-its-encryption-keys/

======
tsaoutourpants
I think the revocation misses the point: "if" the NSA has been logging all the
traffic from Lavabit for the last 6 months, they can now use the SSL key to
decrypt all the data they've stored. It's not just about future
communications, but about decrypting the past.

~~~
Daniel_Newby
I will repeat my previous comment: Perfect forward secrecy, bitches.

If you use a protocol that supports perfect forward secrecy, and you ought to,
then the private key is used only to authenticate the ephemeral session key,
not to encrypt it. Compromise of the private key does not allow previous
sessions to be decrypted. (Compromise does allow impersonation, though, which
is why you need pre-distributed certificate revocations.)

~~~
tsaoutourpants
I agree. But like virtually any site of which I am aware, Lavabit didn't force
PFS. It's browser-negotiated. The "funny" thing is that there's a good chance
that any one user might have been using PFS, so it's less likely that they can
get a specific user's data (Snowden) and more likely that they can get a
random sampling of other, non-target users' data.
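
An added example, not part of the thread: the exposure tsaoutourpants and Daniel_Newby discuss depends on the key exchange each session negotiated, which a server operator can audit from handshake logs. The log format and sample lines are constructed; the classifier assumes OpenSSL's naming for TLS 1.2-and-earlier suites.

```python
import re
from collections import Counter

# Constructed sample log: "<client> <protocol> <OpenSSL cipher-suite name>".
SAMPLE_LOG = """\
203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 TLSv1 AES256-SHA
203.0.113.12 TLSv1 RC4-SHA
203.0.113.13 TLSv1.1 DHE-RSA-AES256-SHA
203.0.113.14 TLSv1 EDH-RSA-DES-CBC3-SHA
203.0.113.15 TLSv1.2 ECDH-RSA-AES128-SHA
203.0.113.16 TLSv1 DES-CBC3-SHA
"""

# Ephemeral (EC)DH: the certificate key only signs; EDH is the older spelling of DHE.
_EPHEMERAL = re.compile(r"^(ECDHE|DHE|EDH)-")
# Fixed (EC)DH key taken from the certificate: no per-session secret.
_STATIC_DH = re.compile(r"^(ECDH|DH)-")
# PSK, SRP, Kerberos, anonymous DH, GOST, or a non-OpenSSL name: review by hand.
_OTHER = re.compile(r"^(TLS_|(PSK|SRP|KRB5|ADH|AECDH|RSA-PSK|GOST\w*)-)")

def key_exchange(suite):
    """Classify an OpenSSL-style TLS <= 1.2 suite name by its key exchange."""
    suite = re.sub(r"^EXP(1024)?-", "", suite)  # drop the export-grade prefix
    if _OTHER.match(suite):
        return "other"
    if _EPHEMERAL.match(suite):
        return "ephemeral"
    if _STATIC_DH.match(suite):
        return "static-dh"
    return "rsa"  # OpenSSL omits the prefix for RSA key transport

def audit(log_text):
    """Return (session counts per class, clients whose recorded sessions
    become readable once the server's private key is disclosed)."""
    counts, exposed = Counter(), []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # ignore malformed lines
        client, _proto, suite = fields
        kind = key_exchange(suite)
        counts[kind] += 1
        if kind in ("rsa", "static-dh"):
            exposed.append(client)
    return counts, exposed

if __name__ == "__main__":
    counts, exposed = audit(SAMPLE_LOG)
    print(dict(counts))
    print("readable after key disclosure:", exposed)
```

Sessions classed `other` are counted but not marked either way, since their exposure depends on secrets other than the certificate key.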

------
venus
> “[W]e’re compelled by industry policies to revoke certs when we become aware
> that the private key has been communicated to a 3rd-party and thus could be
> used by that party to intercept and decrypt communications”

This raises an interesting possibility of civil disobedience. Imagine if there
was a site hosted in, say, Russia, which received tip-offs from NSL recipients
about these SSL seizures. And imagine they then informed the SSL issuers, who
would revoke the certs, rendering the old ones useless and forcing the FBI
back into court, with no-one to point a finger at.

I suppose the FBI would just request an order for all future certs as well.

~~~
shubb
Well, the finger is pointing at the NSL recipients. They are supposed to be
the only people that know about the order, so they carry the can if it gets
leaked.

~~~
venus
There'd be a lot of people inside the FBI with knowledge. Proving it was an
NSL recipient, let alone nailing down which one, would be difficult if not
impossible in court.

Snowden's leaked a whole lot more than any NSL recipient ever did...

------
michaelfeathers
Maybe ditching one's certs can become the new warrant canary.

~~~
betterunix
I have wondered what the legal implication of revoking certificates after
complying with a court order to turn over private keys would be. I assume that
the court would hold you in contempt for doing so, but IANAL.

~~~
Daniel_Newby
This is why competent people use write-only key modules with aggressive
tamper-detection and self-destruct capabilities.

~~~
jemfinch
Can I buy these on Amazon?

~~~
count
Sorta? [http://aws.amazon.com/cloudhsm/](http://aws.amazon.com/cloudhsm/)

------
hnha
already discussed at
[https://news.ycombinator.com/item?id=6517553](https://news.ycombinator.com/item?id=6517553)

no need for a Forbes link of all.things.

~~~
crb
I found it interesting that GoDaddy revoked the certificate - previously, I
had assumed Levison did it himself.

~~~
Shivetya
I am curious if the FBI could step in and prevent GoDaddy from taking this
action. Secret courts do not seem to have realistic limits.

In this context, can SSL be trusted?

~~~
p4bl0
Well, now that the certificate has been revoked, it's too late for the FBI to
do anything: either users saw that the certificate has been revoked, or they
didn't yet but if a new certificate is installed they will see that it's a new
one with a different fingerprint (at least their browser should warn them of
that).

------
forgotAgain
_Thanks to Lavabit’s design, Levison could not simply offer a tap of a
particular user’s communications if that user had paid for a secure, encrypted
account._

That line really bothered me. The government demanded access to all users'
data and this line places the responsibility for that onto Lavabit. The
government wants all of our data, all of the time. They are the responsible
party not Lavabit.

~~~
rtpg
While the government might want all of our data, the NSL in question (at least
according to the New Yorker piece) requested only the data on one
user (presumably Snowden). Levison was unwilling to put the software into place
to tap into this single person's communication. There was a warrant, but he
wanted to charge $3.5k for the effort. I don't know how I feel about that.

In any case the Judge then said to just hand over the SSL keys so that they
could do it "the old fashioned way" (listening to everything on the line).

Anyways, the point is that the original intent was not to get everyone's data,
yet this is the point everyone keeps on parroting. The original intent was
always to specifically get this single user's information, not some sort of
power play by the FBI.

Maybe things changed down the line but I feel like none of us are in a
position to know that (although who knows, Mulder might spend his time
trolling HN)

~~~
uxp
> There was a warrant, but he wanted to charge $3.5k for the effort. I don't
> know how I feel about that.

How would you feel if the police/FBI came to you with a warrant that requested
all video footage from outside your home so they could spy on your neighbor's
comings and goings. Oh, and by the way, you don't have a security camera
system, and they aren't going to reimburse you to install one. If you do not
produce video evidence, you are then disobeying the warrant and are in
contempt of court.

Lavabit's system was not designed to listen in to one person's communications.
It would cost money to implement that system. He requested he be compensated
for his effort ($3500 is a piddly amount of money anyways), and they came back
and said that was too much effort, so they'll take the entire thing. Back to
the analogy, should the cops/FBI be able to possess your home in order to spy
on your neighbor because you don't have a security system installed?

~~~
rtpg
Your analogy is wrong, it'd be more like "should the cops be able to get keys
to your house".

In fact, it isn't even that, it's "should the cops be able to see who is
coming in and out of your house, and searching them when they come in".

How did Lavabit's system work? I mean at one point there's an entry point, and
the FBI wanted the info for the metadata, so just checking at the entry point
for who's logging in would do it. You're going to have to convince me that
it's non-trivial to implement something to scrape the metadata at the door (as
in more than a couple hours work at most).

I don't know how to feel about it because $3500 is way too much money for what
is asked, if this were a contracting job, and I think that if the police have
a warrant for something they are reasonably entitled to what they're looking
for. But asking people to do work without compensation.... I feel like there
must be a precedent somewhere. At one point things become obstruction. I don't
know what we should consider to be reasonable in these situations.

~~~
rpedroso
Remember that Levison was not just a private contractor looking for work;
taking time to build a whole new wiretapping system into his product wouldn't
just cost him development time, but it's an opportunity cost as well, since he
could have spent that time otherwise developing his business.

As for the triviality of implementing a metadata tap, I don't think the FBI
was looking just for Snowden's IP address and browser. IIRC, they wanted
metadata from his communications: email titles, recipient email addresses,
time of transmission, etc. Lavabit was designed in a way that this was
impossible. Levison would have had to implement a system that flagged
particular users and then saved metadata before encryption.

In a production, business environment, this isn't just a one-liner. Especially
given the security-focused nature of Lavabit, the required development time
and effort makes $3500 appropriate for the task.

~~~
rtpg
Ah, I didn't know they wanted that information as well. Does seem like a hefty
task.

I wonder if there's a precedent for paying people for this sort of work.

------
paulschreiber
People still use GoDaddy?

~~~
benjarrell
Price is why, for a 2 year wildcard certificate:

GoDaddy is $180 per year

Comodo is $428 per year

DigiCert is $535 per year

~~~
codereflection
I think it also has to do with a lot of people who are registering domains don't
know any better.

------
some1else
The site is down due to Lavabit's decision. GoDaddy pulling its certificate
is just a PR move. GoDaddy supported SOPA, which is very much in line with
what NSA demanded of Lavabit.

~~~
haroldp
At the risk of saying anything nice about GoDaddy, this seems like it was the
right move. Known compromised keys should be revoked. This key was clearly
compromised.

Now what other Microsoft/Skype/Yahoo/etc keys can we demonstrate were also
handed over to the government?

------
bsullivan01
_Knowing that the FBI has Lavabit’s keys, GoDaddy shuttered its secure site._

Next: Getting a judge to forbid GoDaddy etc from revoking the certificates.

Interesting times we live in, a parallel reality is created

