Protonmail is not ahead in terms of technology. Lavabit is developing new email protocols, Protonmail is just a centralized service, and only its client is open-source: https://github.com/ProtonMail/WebClient
> The best way is to upgrade your account to a paid account and take advantage of the numerous extra features we provide with paid accounts. 
Laws are a high latency side-chain of authority; a guide perhaps; and for some a business opportunity.
And then we have Organised Crime, moles, plants; informants, sympathesiers, casual snitches, quadruple agents, the desperate, and machine learning eating meta-data for breakfast.
If you've got something to hide "it's not legal for support staff to [whatever]" is most definitely not a security measure.
At least publicly. Behind the scenes there could be a sharing bonanza for all we know.
The more services there are, the better.
What's the tradeoff?
If the server doesn't have access to the content of emails, then it reverts to a featureless blob store:
Search isn't possible
Previews can't be calculated
If you lose your private key, we can't recover your email
Spam checking on content isn't possible
To access mail on multiple devices, the private key needs to be shared securely between them
That's total nonsense.
> Search isn't possible
It absolutely is, in both theory and practice. The server stores an encrypted index, and the client walks it (requesting parts as needed). It's going to little slower, and a lot more complex but it's doable.
> If you lose your private key, we can't recover your email
This is a damn feature. I had my icloud account social engineered (someone walked into an apple store claiming to be me and they couldn't get their iphone syncing to "their account"). I'll never again trust another company with my private stuff.
> Spam checking on content isn't possible
This is probably your best point. It's definitely harder to do well
> To access mail on multiple devices, the private key needs to be shared securely between them
This is a non-issue. It can easily be derived from a password
Then, he straight up asked me for my password, "most customers write their password down so we can test that it works."
I feel a little bad because the look I must have given him was pretty absurd. I told him no, I'll just take the risk and test it myself.
> It absolutely is, in both theory and practice. The server stores an encrypted index, and the client walks it (requesting parts as needed). It's going to little slower, and a lot more complex but it's doable.
Are you suggesting that to search your mailbox, the client should download every single encrypted message in the entire mailbox and decrypt them all locally to search them?
If not, how does the server get this "encrypted index" without having your private key?
Clients would always have to download+upload the full index (which needs to be re-encrypted with a new IV). This is a huge problem - the index can easily be hundreds of MB for a large mailbox.
Another client on index version X could download the diff, and get index (X+1).
Some desktop client should probably do compaction from time to time.
This is not the same as the content.
I guess, it is a reasonable sacrifice for privacy, unless you want searches to be able to search within attachments including documents in big archives.
You wouldn't use a hashing algorithm to build the index. They are talking about an inverted index in a binary format, something like what lucene outputs. That binary index would be encrypted with a block cipher (AES, Blowfish) using a secret key and would then be stored on the server.
The mobile client comes along and downloads & decrypts the index in memory, searches it for some terms(s), the index returns 10 result, of which, the user selects one and the mobile client downloads and decrypts to show to the user.
> I guess it would be impossible to salt those hashes, and it probably risks defeating the whole crypto.
Exactly. (There are other problems too, but that one by itself is a show-stopper.)
> This is probably your best point. It's definitely harder to do well
I think it's possible, just slower and more complex (like search) - and would have to occur upon unlocking your inbox.
Truncated to something like email@example.com that would only be valid when sent with the from-adress firstname.lastname@example.org (along with some clever magic to avoid email loops! :-)
I think maybe it was authored by ESR (Eric Raymond) in python - but Google only turns up various dkim schemes...
New senders would have their mail held back, and get a "please reply if you are human"-message - a reply (to the "magic" reply-to alias) would release the held mail and whitelist the sender.
A greylist variant of sorts.
It wouldn't be so good if email turned into Facebook, where you can only contact somebody if the circuit has been established beforehand (i.e., both parties friend each other). What happens if this is the point of initial contact, and there's no other way to get in touch? I have to conspicuously friend this person from my otherwise dormant account and then not think about whether they're going to feel weird when I unfriend them later on?
I sent an unsolicited email a couple weeks ago. Academic-type, self published, personal webpages where I saw something that needed fixing, and so I did. There was no CMS, just a static site—and not the sort where you're running markdown sources through a generator and have a whole Git hosting service apparatus intertwined with hooks sunk into it. Plain, legacy HTML. I saved a local copy to my machine, made my changes, and mailed them in. They happened to be machine-readable patches, given the recipient, but it could have just as well been a message written in natural language. The changes were made, I was thanked, and done.
I'm still upset that in the 90s I could get in contact with almost anybody by looking in the phonebook, but when I tried doing that a few years ago for an old coworker, it was hopeless. Getting the listings for a city you've moved away from can prove to be harder than it seems, even when you know they have a landline.
These are the kinds of things you lose when you assume the world is already fixed in the form that it should maintain going forward.
"stretching" the equivalent of rsa(session_key, public_key) might be feasible?
Going on a tangent, but do you know of any services that offer such a thing?
Also, "What? subjects and recipients are unencrypted!?" -- Every User Ever
Where not knowing helps with patents it is in that if you infringe, wilfull infringement increases damages up to threefold.
It should be technically impossible. If it's a matter of choice for tech support reps, it's not secure for many reasons.
> This is a non-issue. It can easily be derived from a password
How does that change the equation? You're still exposing the thing-that-decrypts to multiple devices, thus (many!) more threat vectors. Lose one, and you lose them all, which is the point of the claim.
The point is, some is better than none. More is better than some.
So many people here pointing out holes that make it worse than a theoretically perfect system even though it's leagues ahead of where we are now.
If you care enough to use encrypted email, you should probably seriously consider abandoning email. (signing is different - that's proof of identity and non-modification, useful in many non-private scenarios)
Were you using 2-factor?
> The server stores an encrypted index, and the client walks it (requesting parts as needed). It's going to little slower, and a lot more complex but it's doable.
How slow would this be with thousands of emails on a mobile device ?
> This is a damn feature. I had my icloud account social engineered (someone walked into an apple store claiming to be me and they couldn't get their iphone syncing to "their account"). I'll never again trust another company with my private stuff.
Most email providers don't have retail stores where this type of attack can happen.
What happens if this password got into the wrong hands or even lost? Is it possible to change? Must I re-encrypt every single email ?
Not that much slower than email is now. A B+tree index of (for example) 1 gb of total content and index is only about 1-2 gigs in size. You could just store that shit on your phone encrypted. Or 1-5 megs of index on your phone, with 2 round-trips for any email/first page search result per word.
> What happens if this password got into the wrong hands or even lost? Is it possible to change? Must I re-encrypt every single email ?
Overall yes, re-encryption is necessary. But that can be a batch process done while your phone is charging and on wifi over night. Is a drawback, but re-keying always is. But just because you got to change the keys every once in a while, doesn't mean you toss the locks.
Encrypted hard disks utilize a simple scheme whereby the password/key derived from the password decrypts a small set of keys or single key that's just randomly generated, and decrypts the rest of the drive. So, to change the password, all you need to reencrypt are the real keys.
Password -- decrypts --> master key -- decrypts --> rest of hard drive
this is what gets re-encrypted on password change
and is small; ~a few KiB
The approach above also lends itself well to supporting multiple passwords. (If you share an account w/ someone, for example, though email has other tools like mailing lists that might be better suited.)
Lots do, though, and the ones that don't often offer customer support over the phone. And anyway, social engineering doesn't only happen in stores or when talking to CS.
This in itself is not a problem. Btrees are O(log n) for search, so thousands of emails can be looked up in 3-4 requests with the most naive way to implement remote tree walk.
The fact you're revealing the structure and index contents to the server as you search would be a bigger issue.
This is what we do on FWD:Everyone for email threads shared within private repositories.
Just because certain people need the sorts of protections provided by Lavabit doesn't mean that products like Gmail are bad or insecure. They're each secure for the use cases they're targeting.
First of all, sometimes knowing who you talk to is more important than knowing what you say. Traffic analysis lets you draw all kinds of conclusions.
Secondly, there are two parties, so double the chances for rubber hose cryptography. An opponent can approach either party and ask for details, so both parties are trusting the other can't be broken by the opponent.
Of course, we should all be encrypting everything anyway, no point in giving out free message bodies.
I guess it's not possible, then.
I understand that this is not acceptable for 99.99+% of people, even the technical ones, but I think I could use a fully encrypted mail store. No problem with the mail provider ending up as a blob store: privacy-wise it's what they should be anyway. No harm to their business, if all the money they make are from users and they're not selling data.
The only problem is centralized spam checking. Running an antispam engine locally wasn't very effective years ago and Thunderbird was sub par. Is there anything that's on par with email providers right now?
But it's still possible to fight spam based on other features: https://atscaleconference.com/videos/how-whatsapp-reduced-sp...
How does encrypted spam work? Spammers encrypt message with your public key?
Theoretically, a spammer could scan the public keyservers for email addresses and public PGP keys and then send encrypted spam to all of those people. If ever a well targeted spam mailshot was sent, that would be it. But would you really want to get on the bad side of thousands of tech nerds?
Code for DIME (Dark Internet Mail Environment):https://github.com/lavabit/libdime
Explain Lavabit page phrases it like Magma supports only Trusted mode: "We envision Trustful mode as the mode of choice for businesses, which have regulatory requirements, data retention practices, and unique needs like escrow keys. Lavabit’s free and open source server, Magma, supports these users." Are other modes supported?
"The website is live, but it will take another day or so to finish deploying magma, and get the latest code into Github."
Looks like code is just not pushed yet, it was just withheld until release.
To my knowledge, he is one of the few that has gone to the mat for his users.
"In August 2013, I was forced to make a difficult decision: violate the rights of the American people and my global customers or shut down. I chose Freedom."
That isn't what happened. He chose to build and sell a supposedly secure email service that was fundamentally vulnerable to government intrusion. He then decided to play chicken with the USG over a warrant no different than ones he'd complied with previously. The completely pointless escalation forced him to compromise all of his users, something the government had not been asking for. He then shut the service down.
There are a lot of ways to describe this but 'I chose Freedom' without any acknowledgment of his previous mis-steps is both misleading and shameless. I wouldn't buy supposedly secure services from him.
How has he compromised all of his users? The service was shut down and emails kept encrypted. Am I missing something?
Anyway, I really hope that it leads to adoption of backward-compatible and secure email protocols. Server encryption can't be trusted anymore anyway, we need end-to-end encryption.
Over time, though, it's become increasingly clear Ladar Levison is just a snakeoil salesman who misled his users. He's never acknowledged he did anything wrong. Don't fall for his posturing about 'Freedom'.
> At approximately 1:30 p.m. CDT on August 2, 2013, Mr. Levison gave the F.B.I. a printout of what he represented to be the encryption keys needed to operate the pen register. This printout, in what appears to be four-point type, consists of eleven pages of largely illegible characters.
> On August 8th, rather than turning over the master key, Levison shut down Lavabit.
That was according to this article from the New Yorker: http://www.newyorker.com/tech/elements/how-lavabit-melted-do...
While I agree with you I think a large amount of people will buy into the narrative of him sticking up for freedom.
Moxie and Whisper Systems probably would get my nod too. Perhaps even DJB or Bruce Schnier.
>Unlike the design of most secure servers, which are ciphertext in and ciphertext out, this is the inverse: plaintext in and plaintext out. The server stores your password for authentication, uses that same password for an encryption key, and promises not to look at either the incoming plaintext, the password itself, or the outgoing plaintext.
>The ciphertext, key, and password are all stored on the server using a mechanism that is solely within the server’s control and which the client has no ability to verify. There is no way to ever prove or disprove whether any encryption was ever happening at all, and whether it was or not makes little difference
Anyways, having good inventions doesn't equal having a secure product.
He did surrender the key, although by printing out the key in 4-point font (unclear if he was buying time, or just thought contempt charges sounded fun). After the government pressed him harder, he shut down the service days later. He didn't disclose that he had surrendered the key; the public found out when the court documents, including the key itself, were unsealed.
If something can't be done securely, don't tell your users that it can be done securely. If you know you can't win, there's honor in refusing to lose without a fight. But there's no honor in first promising people that you'll win, and there's quite a bit of dishonor in asking people to pay you to win.
Lavabit v1 should never have been built. Many people were technically qualified to build something like it it (it's email, which constrains the design significantly), had the resources, and chose not to. The fact that Levison built it, and that he hasn't apologized for building it, demonstrates that he's untrustworthy. This is not to say that he's a bad person; everyone makes mistakes, and I wouldn't trust myself to build a secure email service singlehandedly, because I know what mistakes I've made and what sort of personality flaws I have. It's just a statement that the required level of trust is extremely high, and Levison hasn't demonstrated it.
Lavabit v2's "Trustful" mode has all of the same flaws as Lavabit v1. He writes about his "free and open source server" and asks how you feel about "trusting our servers," when that was never the problem. If you can magically make sure that the government doesn't have access to your system, a standard unencrypted email server will do just fine. If you can't, they'll issue the exact same legal order to Lavabit v2 that they did to v1, and it'll be just as effective.
He went to prison over pgp.
But then the mail service he was involved in (silent circle mail) shut down at the same time as lavabit.
But apparently he thought up pgp while in prison for nuclear protests.
>Asks for your credit card information on the same page.
Wew, at least let us use buttcoin, Levison.
I understand an additional email is needed right now since it's basically a pre-order, but I would hope that once fully launched this requirement would be removed at least.
So if you used, say Gmail and they did DIME, you'd still be trusting them totally. Am I misunderstanding?
And still no admitting he was selling a fundamentally critically flawed service in the first place. If that's not even being mentioned, it really removes confidence from their new service.
As far as hardware HSM, that's cool. I very much enjoyed reading about how an HSM, the Luna CA3, was cracked:
"Dear Mr. Levison, remember that law about pen registers that you clearly hadn't heard off last time around? Well, now that you understand them, please install a pen register on the other side of your fancy FIPS 140-2 hardware security device, and have it send us everything in .pcap format. You don't need to reconfigure your HSM for this, and in fact any attempt to do so is now tampering with evidence in a federal investigation. Cheers, the FBI."
If you're going to operate in "trustful" mode, lavabit isny offering any real security wins over any other mail host.
Looks like Trustful mode is how the old lavabit operated.
> If you're going to operate in "trustful" mode, lavabit isny offering any real security wins over any other mail host.
This level of security apparently was enough to protect email contents against FBI.
The reason this "insecure" mode is kept is to allow users to continue using their old accounts and restore mailbox contents: https://lavabit.com/have-lavabit.html
Well, https://lavabit.com/have-lavabit.html says: "With the help of these tutorials, you should be accessing your old Lavabit e-mail and sending new secure messages in just a few minutes." Maybe e-mail here means account, not messages.
I have some free accounts to test, but looks like imap.lavabit.com and smtp.lavabit.com don't have SMTP/IMAP/POP3 ports open.
Database is not deployed yet.
Still I found no evidence that Lavabit handed over anything but encrypted data and access logs. The only thing I found is : "He says he's received "two dozen" requests over the last ten years, and in cases where he had information, he would turn over what he had. Sometimes he had nothing; messages deleted from his service are deleted permanently."
He has complied with warrants because he had nothing to transfer. Nothing was stored and there is no legal obligation to modify your service to store passwords. When he was asked for TLS keys, he had to shutdown the service to prevent leaking all the passwords and redesigned the server.
The difference between not looking away and Lavabit design is that nothing is exposed if the server is seized.
The design of old Lavabit was not sufficiently secure and there was no way to check if it is more secure from the users' perspective, but still no reason to call it snake oil . Snake oil is a product that is advertised as secure when maker knows it is insecure. Lavabit design was correctly described on its website and source code was promptly published after the shutdown so it is possible to verify that described features existed.
There isn't any evidence of that or the contrary. He had all the data. We don't know what he did or did not turn over.
Snake oil is a product that is advertised as secure when maker knows it is insecure.
Take another look at this (and Moxie Marlinspike is being generous and sympathetic). It meets your own criteria precisely.
Shouldn't that "or" be an "and"?
either violate the rights of the American people and my global customers, or shut down.
Unless you're alluding to some impropriety on Levinson's part that I'm unaware of.
He shut down so that no additional mail could be sent and read.
It's unclear to me how much mail was kept on the server. Only unread mail? Anything in your inbox? Everything?
So whether or not the FBI could read a particular stored message or not would depend on whether they'd been able to obtain that user's password: they could if the user had logged in after the FBI had the certificate, or if they'd logged in using a non-PFS cipher suite at any time, or if their password was vulnerable to cracking or determinable by the FBI in some other way.
All of the encrypted email services I've seen so far, including Protonmail and now Lavabit v2, require using a special client (app or webmail) instead of common email software. This fails the very first test that I apply when trying to decide whether or not to use an online service: can I get all my data out of it on short notice, in a standard format through an automated process?
For email, this means IMAP access so that I can use standard tools like imapcopy to back up and migrate my mailbox. I don't care how secure your product is if it leads to vendor lock-in. I want both good encryption and an exit strategy, and the latter is much more important because if you screw up, I can always move to someone who does it better.
The 5 eyes spy globally. U.S. citizens are the only ones with legal protection and (limited) recourse for U.S. government spying, AFAIK.
If a U.S. citizen uses a French or Icelandic mail host, I suspect the U.S. foreign intelligence agencies have free reign to spy on them. I wonder what the limits are for the FBI and other domestic agencies.
I don't think it is. See https://europa.eu/european-union/about-eu/countries_en
Vendors also provide ways to validate HSM's
Also Ladar Levison twitter: https://twitter.com/kingladar
If he lost control of his domain, he will tweet about it.
I guess your point is that he is using Let's Encrypt instead of CA that would verify person or Lavabit LLC identity. In this case, it is not really an issue. If you are not going to check the cert manually every day, pinned Let's Encrypt cert is not way worse given that you have other means to verify ownership.
Why can't they just receive, encrypt with my public key, let my client decrypt with private?
Given a symmetric key, it can only be outgoing, but again - why would you do that on the server?
This is the hard part of an modern cryptosystem and the usual source of weakness.
edit: Signed up. Half off for life is a sweet deal.
I would suggest to use https://posteo.de instead. They offer anonymous payment by post (I'm just a happy user).
I glanced at it. It may offer anonymous signup but it uses standard mail protocols. Almost every email Posteo processes for its users reveals their identities.
I give away my name and credit card info to plenty of websites. That won't help someone crack my private key used for lavabit any easier.
Too bad imap.lavabit.com:143 is firewalled on their side.
Folks: encryption is not mainly for doing dark, bad things. It is normal and reasonable to want to control who comes into your house, who reads your email, and who can track your every move.
Stop naming your tools as if they were for bad guys.
Lavabit Guy, of all people, should realize that encryption isn't worth beans to anyone if the rest of society thinks it's Bad and Should Be Punished.
So stop making it sound like that. That's Step 0.
Not saying this is what happened of course but without legislation all 'secure servers' must be considered corrupted or corruptible. There isn't a technical solution to trust.
..or even going into extreme tinfoil hat mode - how do we even know this is the same person. Again no technical solution
Edit: why the down vote? - perhaps a counter argument would be better, I'd like to be proved wrong.
Well, there is but it's not email and it's not as convenient as end to end encrypted messages. You just need to meet up once in a while -not a problem for most communication-and exchange random data which you use either to encrypt the whole message one time pad style, or piece by piece as passwords. One pair of random data per contact. Lavabit or spookmail or whoever don't get anything exciting to look at other than who is communicating.
Sitting here in West Africa, watching the news, we didn't see much peace during the rioting in the streets in (I assume) Washington
I am in the process of signing up now, just to restore access and get the hell away from that service. Email is insecure, we know that.