The secure mail dilemma: If it's useable, it's probably insecure

'The writing's on the wall' – PGP daddy's crypto firm

High performance access to file storage

Analysis The sudden closure of two secure email services may cause many privacy-conscious people to begin looking for alternatives. However, security experts warn that any service provider may be put under pressure to comply with authorities, and this might kill off secure mail as we know it.

Lavabit's Levison: No more palaver, I'm lathered over {redacted}

The issue has become even more of a hot topic among infosec professionals since Texas-based Lavabit – reportedly NSA whistleblower Edward Snowden's preferred email provider – announced it was going to roll down the shutter on services on Thursday.

Ladar Levison, the owner of Lavabit, said the firm had "decided to suspend operations" in the face of US legal pressure over recent weeks as an unpalatable but better alternative to becoming “complicit in crimes against the American people”.

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations.

I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on – the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

Levison is careful not to say this directly, but the implication is that he was either served with a court order from the Foreign Intelligence Surveillance Court or a National Security Letter. Both legal documents come with compulsory gag orders. You can see an interview with Nicholas Merrill, one of the few people to win the right to talk about a National Security Letter he was served with, here.)

Man-in-the-middle attack likely only way to get around encryption

Lavabit encrypts stored messages using public key cryptography as well as encrypting the contents of email in transit to guard against eavesdropping. This means that without a customer's private key nobody - not even Levison – can unscramble message.

This is a marked difference from bigger webmail providers such as Google's Gmail or Microsoft's Outlook.com, which hold the keys that would allow them to unscramble messages and turn them over to the authorities, if compelled.

Email stored on Lavabit's servers was encrypted using asymmetric elliptical curve cryptography, as explained in documents about its architecture. This service was only available to holders of premium accounts (among them, reportedly, Edward Snowden, who was said to have maintained the somewhat prosaic address edsnowden@lavabit.com).

The Feds might be seeking to intercept communications in transit between Levabit and its customers using some form of man in-the-middle attack or even seeking to plant government-sanctioned malware, El Reg's security desk speculates. If Snowden was the intended target then all sorts of exotic zero-day exploits might have been brought into play.

This is all complete guesswork on our part and all we know for sure is that Lavabit shut itself down to avoid complying with something it found intolerable while it takes its case to the Fourth Circuit Court of Appeals.

The owner of the boutique email service provider said he hoped to relaunch Lavabit in the US providing its pending appeals court case goes its way. It has begun soliciting donations for a legal defence fund.

Levison said the whole experience had taught him a "very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States," he said.

PGP daddy shuts down new secure email service

Hours later PGP daddy Phil Zimmerman's Silent Circle said it was shutting down its recently inaugurated email service rather than having to face the possibility of receiving a secret court order in future.

The firm is continuing with its core business of supplying secure messaging and encrypted voice apps for smartphones. But Silent Circle said it had unplugged and wiped its email service even in absence of any search or seizure order from government.

"We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now," Jon Calls, Silent Circle's CTO, explains in a blog post. "We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."

Silent Circle runs its servers in Canada and has plans to expand to Switzerland. For the time being, though, it only has offices in the US and UK. However, despite having a presence outside the US, the owners still decided they wouldn't able to continue Silent Mail in good conscience.

Any UK firm offering similar services to Lavabit and Silent circle would have to comply with RIPA and any other future local law, such as the Snoopers' Charter, if it is ever reanimated.

And any service provider in the EU would be obliged to adhere to the Data Retention Directive, which specifies (among other things) that

each [member state's] authority shall in particular be endowed with investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties.

Setting up a secure ISP in an EU state means living with a regime little more friendly than that which exists in the US.

"All EU member states have to comply with the Data Retention Directive," Brian Honan, of BH Consulting and founder of Ireland's CSIRT told El Reg. "Each EU member state will implement the directive differently and will also have their own local laws too."

Honan said the only secure alternative is a DIY approach using encryption tools such as PGP. And even that approach won't always work – either due to a failure to use the technology properly or malware infection.

"Use PGP on the desktop as only you have access to your private key. For extra protection keep private key separate from PC," Honan told El Reg

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.