In a move applauded by cyber security experts, encrypted email service Lavabit, which was forced to shut down in 2013 after refusing to comply with a court order demanding access to their SSL keys to snoop on Edward Snowden’s emails, is being revived.
Three years ago, Lavabit CEO Ladar Levison held the Texas-based company’s SSL encryption key, which would have allowed the government to obtain Snowden’s password. Even though the FBI insisted it was only after Snowden’s account, this was the master key to the infrastructure, and it would have helped FBI agents obtain other users’ credentials as well, thereby destroying all privacy and security at the company.
The pressure on Lavabit was similar to the pressure the FBI applied to Apple when the agency requested that Apple release its keys in early 2016. So rather than compromise the security and privacy of Lavabit’s 410,000 customers, the company decided to close entirely, shutting off access to those customers’ email accounts.
Yesterday, Levison announced that he is reviving Lavabit with a brand new architecture that fixes the weakest link, namely the SSL problem. According to Levison, this was the single biggest threat. The new architecture also includes other privacy-enhancing features that will help its users send emails that even he can’t gain access to.
Levison will be releasing the source code for a Free, Libre, and Open Source end-to-end encrypted global email standard which promises surveillance-proof messaging that even hides the metadata on emails in order to prevent agencies such as the NSA or FBI from being able to find out who Lavabit users are in communication with.
The new standard, dubbed the Dark Internet Mail Environment (DIME), has been released on GitHub so that the code can be reviewed. DIME is designed to operate in conjunction with a mail server program called Magma.
Levison stated in a blog post:
“DIME is the only automated, federated, encryption standard designed to work with different service providers while minimizing the leakage of metadata without a centralized authority…
By encrypting all facets of an email transmission (body, metadata, and transport layer), DIME guarantees the security of users and the least amount of information leakage possible.”
Levison said the Magma server is designed to be an easy-to-use program so that even non-tech-savvy users with existing email clients can use the Lavabit encrypted email service. The new DIME standard also includes a ‘Trustful’ encryption mode, which requires users to trust the server to manage the encryption and their respective keys.
“The server performs the encryption on your behalf, and as such, you must trust that the server will not be rewritten in such a way that it captures your password, or peeks at your messages during processing,” Levison said in his blog post.
Furthermore, DIME also offers “Cautious Mode” and “Paranoid Mode” for users who want absolute control over their encryption keys, so that their keys can never be transmitted anywhere. Paranoid Mode would mean Lavabit will never be able to store a user’s private keys on its server.
At the beginning of this rollout, the new Lavabit service will be accessible only to its existing customers and available only in Trustful mode. However, if you were not a Lavabit customer before the service shut down, you may pre-register and wait for the eventual rollout of the revamped service.
Email and general communication privacy, as well as security, has been an incredibly tricky business. Examples include, but are not limited to, the compromising of Yahoo email servers of 1 billion users, the attempts to breach private communications in Apple devices, WhatsApp encryption, journalists being targeted by the US as well as other governments, and Hillary Clinton operating her own poorly maintained private email server.
The biggest threat to privacy and security in cyberspace seems to come from government agencies, which have a poor understanding of the importance of cyber security. Technologically illiterate politicians need to understand once and for all, “A backdoor for one, is an exploit for all.”