

Lavabit’s founder responds to cryptographer’s criticism - dombili
http://arstechnica.com/security/2013/11/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

======
tptacek
Ladar Levison could not have missed Moxie Marlinspike's point more completely
if he had heard that Moxie's post was coming and bought a ticket to a tropical
island where there was no Internet for the expressed purpose of avoiding it.

Start by understanding this: end-to-end (e2e) security is not a crazy pipe
dream. It can be accomplished today, using tools with graphical interfaces
that are available on all mainstream platforms. Though we could surely use
better, more convenient tools for providing it, there's no valid argument that
is premised on e2e being intractable.

Marlinspike's argument was simple. Levison's site made expansive claims about
its security properties. Marlinspike highlighted them. Then he explained how
the system could only provide those properties under an "avert-your-eyes"
attack model, because it was fundamentally a plaintext-in plaintext-out
system. It could provide no security without Levison's own say-so, but could
subvert its users the moment Levison's will or capabilities broke.

Levison replies with a series of technical details that are irrelevant to the
avert-your-eyes problem. Levison thinks that marking memory secure was a
meaningful countermeasure against a state-sponsored adversary (compelled
disclosure was his stated threat model), because attackers would not have had
the source code. This is a baffling statement in an era where people reverse
engineer smartphone basebands for fun, because it's an obstacle that the FBI
would have had no trouble surmounting in 1999.

Similarly, Levison's surprise that the DOJ could compel him to hand over TLS
keys (in a configuration that Marlinspike points out wasn't even forward-
secure --- that is, a configuration that provided sub-Google levels of
resilience versus DOJ) doesn't have anything to do with Marlinspike's
argument. If Levison's own keys determine the security of the system, it is an
avert-your-eyes system. However meaningful you believe avert-your-eyes
promises to be, they are undeserving of promotional security copy that
discusses the details of asymmetric encryption.

Levison argues that it's unfair to judge his system by the standard of PGP.
His system was designed solely to protect emails at rest. But that's a
meaningless distinction, obviously so, because Levison had to shut his system
down after being compelled to reveal keys that could decrypt prior sessions.
Plaintext-in plaintext-out mail encryption is like a bulletproof vest you
store in your attic --- perhaps useful for protecting you against bullets
flying in your attic, but little else.

I believe we need two kinds of privacy enhancements: laws that constrain the
actions of governments and limit the scope of investigations, _and_ better
privacy-enabling technology. But I have no illusions about which of those two
enhancements users should rely on: they should ignore the limitations supposed
for governments, and choose technologies that offer end-to-end security, where
the endpoints make the judgement calls about the degree of safety they have,
_not_ the operator of the service.

And while that concludes my direct response to Levison's post, I'd like to
make a tangential argument:

"I wasn't trying to fix security, only improve it" has for the last 20 years
been the siren song of bad security systems. It lured customers into the rocks
in the 1990s when it was used to rationalize stack canaries as a cure for
memory corruption vulnerabilities, shipwrecked web developers with promises of
"smart quoting", got Hushmail customers backdoored, inspired 100 different
secret-salt password hashes, installed tens of thousands of packet sniffing
"intrusion detection" systems on networks around the globe, and got us
elliptic curve-based chat systems... incorrectly implemented in browser
JavaScript.

Alarm bells should go off in your head when you hear that sentiment spoken
aloud. Loud ones. If you start to feel persuaded by it, tie yourself to the
mast: reinstall GPG, generate new keys, and refuse to send plaintext messages.

~~~
tedunangst
_Levison's surprise that the DOJ could compel him to hand over TLS keys_

This is the part that baffles me. The Lavabit about page clearly identified
the FBI and NSL as a threat. Lavabit was supposedly designed to be secure
against the FBI, even if the FBI didn't play by the rules. But then he still
expected them to play by the rules?

~~~
MagicWishMonkey
You cannot refuse to hand over data when given a warrant, but if the data is
encrypted (and you do not possess the key to decrypt it) the information is
essentially worthless and they won't throw you in jail for refusing to comply.

Fun fact: Lavabit turned over an archive of encrypted emails from Snowden's
account when he was first contacted by the feds. Those emails are still
perfectly secure, because Snowden is the only person who knows the password
required to decrypt the mail files. The reason the feds demanded the SSL keys
(a few weeks after he first turned over the emails) is because they could not
decrypt the mail files and wanted to try and capture Snowden's password the
next time he accessed his account.

~~~
tedunangst
Well, they could be secure, unless the FBI also has a previously recorded
session which they can now decrypt with the SSL key to recover the password.

~~~
tptacek
Since 'tedunangst is being coy, let's be clear that what he's saying is that
_they aren't at all secure_.
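The point tedunangst and tptacek make above, and Marlinspike's remark that the configuration was not forward-secure, comes down to one property of the key exchange. The toy model below is an added example, not code from the article or any commenter: it runs the same recorded login twice, once with the server's long-term key doing the key exchange and once with an ephemeral (DHE-style) key, and then checks what a wiretap plus a later compelled key yields. The group, password and cipher are constructed stand-ins, not TLS.

```python
import hashlib
import secrets

# Constructed toy Diffie-Hellman group (Mersenne prime 2^61 - 1, generator 5):
# far too small for real use, it only makes the arithmetic runnable offline.
P = (1 << 61) - 1
G = 5
PASSWORD = b"correct horse battery staple"  # constructed sample login secret

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def derive_key(shared, client_pub, server_pub):
    # Stand-in for the TLS key schedule: H(shared secret || both public values).
    return hashlib.sha256(b"%d|%d|%d" % (shared, client_pub, server_pub)).digest()

def xor_stream(key, data):
    # Toy symmetric cipher: SHA-256 counter-mode keystream XORed with the data.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def handshake_and_login(server_static_priv, server_static_pub, forward_secret):
    """One client/server exchange; returns what a wiretap would record:
    both public values plus the ciphertext carrying the user's password."""
    client_priv, client_pub = keypair()
    if forward_secret:
        # DHE: the long-term key only authenticates; the exchange uses a fresh
        # ephemeral key that is thrown away once the handshake completes.
        server_priv, server_pub = keypair()
    else:
        # Non-forward-secret setup: the long-term key *is* the exchange key.
        server_priv, server_pub = server_static_priv, server_static_pub
    shared = pow(server_pub, client_priv, P)
    assert shared == pow(client_pub, server_priv, P)  # both sides agree
    key = derive_key(shared, client_pub, server_pub)
    return client_pub, server_pub, xor_stream(key, PASSWORD)

def decrypt_with_compelled_key(server_static_priv, recording):
    """An adversary who recorded the session and later obtained the server's
    long-term private key (compelled disclosure) replays the key derivation."""
    client_pub, server_pub, ciphertext = recording
    shared = pow(client_pub, server_static_priv, P)
    return xor_stream(derive_key(shared, client_pub, server_pub), ciphertext)

def password_recovered(forward_secret):
    static_priv, static_pub = keypair()
    recording = handshake_and_login(static_priv, static_pub, forward_secret)
    return decrypt_with_compelled_key(static_priv, recording) == PASSWORD
```

With `forward_secret=False` the compelled key turns the old recording into the password; with `forward_secret=True` the same key recovers nothing, because the ephemeral exponent no longer exists.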

