Lavabit returning in 19 days (lavabit.com)
46 points by temp 1 hour ago | hide | past | web | 28 comments | favorite





Protonmail looks interesting. They do not store keys. They can only handover encrypted data. It is open source software. - https://protonmail.com/blog/switzerland/

Hm, feels a bit weird. If they already got served with an order to share the data and they refused to comply, closing down the service instead, what can have changed today? Wouldn't this mean that someone else took up the service, agreed to the order and now this will become some sort of honeypot?

Maybe I'm misunderstanding something, but I don't understand how anyone could trust Lavabit to either stick around or actually be private and/or secure.

Force end to end PGP encryption for all users? If they do that then I'd assume they could hand over data and say "good luck".

They could also setup a P2P delivery & backup system so that it's not guaranteed they have the data. If all the data is encrypted, it's not really an issue to distribute everything (but then again we'd be talking AES512 or better for something crazy like that).

From StackOverflow [0]:

"We can't implement "AES 512 key size" because AES is defined for key sizes k∈{128,192,256} bits only; much like we can't make a bicycle with 3 wheels."

[0] http://crypto.stackexchange.com/questions/20253/why-we-cant-...

AES512? Is there some 512-bit symmetric key cipher?

They could encrypt with two(or more) 256bits keys, but I think just 256bits key is enough for at least next 5years.

I think ideally you don't what a set reveal date for all of your personal emails. 5 years is very short term to wait for some good email data.

You lost me at AES512...

If you think AES512 isn't secure enough for your data you should not be hosting your mail server out of your network.....

Also, if you have a way to break AES512 I know some people who'd pay a killing to get that information. No litterally there's people who'd kill for that.

AES512 isn't a thing. AES uses 128, 192 or 256-bit keys.


One could hope they now have solved it technically in a way that would make it impossible for them to deliver that kind of data.

That's not exactly possible for an email service provided by a third party.

End-to-end encryption. Only the users have the keys.

And SMTP 571: 'Delivery not authorized' for anyone that sends a plain text message.

Without any details on why this time the service is secure and won't be able to hand over actual user data, it is hard to get excited about the relaunch. Also, nice marketing ploy with re-launching on Inauguration Day.

There's really no coming back for Lavabit. Nobody can trust them anymore, and this isn't just about Lavabit, but about e-mail. If a person is privacy-conscious enough not to use Google, they know not to use anyone else either.

I wonder how they plan to approach security this time, given how much of the previous demise of Lavabit centered around how they had they ability to circumvent the encryption, despite some marketing claims that that wasn't the case

I wonder if their sysadmins will be able to read your mail or just promise not to. :/

This is why you always encrypt on your machine not your email service. TBH I don't get why people get excited about things like Lavabit. You shouldn't be relying on one particular email service for security when email is not secure by design. Secure your content properly and then it shouldn't really matter what email service you use.

I agree with you, but sadly things like PGP are not universally adopted and can be a PITA to explain to someone not technically inclined. So it all boils down to the lack of standardized an universal encryption in e-mail.

There is a standard, and the fact that it's not universally adopted is more of a social problem than technical.

I believe the words Vincent Canfield, owner of cock.li (another secure email service) are relevant here:

>How can I trust you?

>You can't. Cock.li doesn't parse your E-mail to provide you with targeted ads, nor do I read E-mail contents unless it's for a legal court order. However, it is 100% possible for me to read E-mail, and IMAP/SMTP doesn't provide user-side/client-side encryption, so you're just going to have to take my word for it. Any encryption implementation would still technically allow me to read E-mail, too. This was true for Lavabit as well -- while your E-mail was stored encrypted (only if you were a paid member, which most people forget), E-mail could still technically be intercepted while being received / sent (SMTP), or while being read by your mail client (IMAP). For privacy, I would recommend encrypting your E-mails using PGP using a mail client add-on like Enigmail.

This was originally followed by a quote from /g/, which has been redacted for obvious reasons (if you want it, you know where to find it), save this line:

>Now that I think about it, administering a mail host is exactly like being a nurse, only people die slightly less often.

Something about me does not want to trust a webmail host who has an ad running on their front page reading "date rape appreciation station." This appalling lack of professionalism makes the entire service suspect to me.

Also, maybe you don't want quite this much heat at your email provider: http://www.dailymail.co.uk/news/article-3367044/Maine-colleg...

Said person is also quoting from /g/. Why would you expect anything else?

OTOH, the guy does genuinely go to great lengths to protect the security of his site (and of the mail of his users), and seems to know what he's doing. So I'm not to down on him for the unprofessionalism.

I'm sure his service is just great, but, in the future, if you ever wonder why women don't go into tech (it seems so easy to, where are they?)- remember this. Tacit support of actors in the community like this make tech seem like a hostile place, or, at the very least, a boy's club of people okay with rape jokes.

It's not a sustainable atmosphere to maintain

Great! Why now? Why on Inauguration Day?

Marketing.

Is this actually going to be secure? Because there is a reason they closed last time...

