Feeds

The secure mail dilemma: If it's useable, it's probably insecure

'The writing's on the wall' – PGP daddy's crypto firm

Security for virtualized datacentres

Analysis The sudden closure of two secure email services may cause many privacy-conscious people to begin looking for alternatives. However, security experts warn that any service provider may be put under pressure to comply with authorities, and this might kill off secure mail as we know it.

Lavabit's Levison: No more palaver, I'm lathered over {redacted}

The issue has become even more of a hot topic among infosec professionals since Texas-based Lavabit – reportedly NSA whistleblower Edward Snowden's preferred email provider – announced it was going to roll down the shutter on services on Thursday.

Ladar Levison, the owner of Lavabit, said the firm had "decided to suspend operations" in the face of US legal pressure over recent weeks as an unpalatable but better alternative to becoming “complicit in crimes against the American people”.

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations.

I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on – the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

Levison is careful not to say this directly, but the implication is that he was either served with a court order from the Foreign Intelligence Surveillance Court or a National Security Letter. Both legal documents come with compulsory gag orders. You can see an interview with Nicholas Merrill, one of the few people to win the right to talk about a National Security Letter he was served with, here.)

Man-in-the-middle attack likely only way to get around encryption

Lavabit encrypts stored messages using public key cryptography as well as encrypting the contents of email in transit to guard against eavesdropping. This means that without a customer's private key nobody - not even Levison – can unscramble message.

This is a marked difference from bigger webmail providers such as Google's Gmail or Microsoft's Outlook.com, which hold the keys that would allow them to unscramble messages and turn them over to the authorities, if compelled.

Email stored on Lavabit's servers was encrypted using asymmetric elliptical curve cryptography, as explained in documents about its architecture. This service was only available to holders of premium accounts (among them, reportedly, Edward Snowden, who was said to have maintained the somewhat prosaic address edsnowden@lavabit.com).

The Feds might be seeking to intercept communications in transit between Levabit and its customers using some form of man in-the-middle attack or even seeking to plant government-sanctioned malware, El Reg's security desk speculates. If Snowden was the intended target then all sorts of exotic zero-day exploits might have been brought into play.

This is all complete guesswork on our part and all we know for sure is that Lavabit shut itself down to avoid complying with something it found intolerable while it takes its case to the Fourth Circuit Court of Appeals.

The owner of the boutique email service provider said he hoped to relaunch Lavabit in the US providing its pending appeals court case goes its way. It has begun soliciting donations for a legal defence fund.

Levison said the whole experience had taught him a "very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States," he said.

PGP daddy shuts down new secure email service

Hours later PGP daddy Phil Zimmerman's Silent Circle said it was shutting down its recently inaugurated email service rather than having to face the possibility of receiving a secret court order in future.

The firm is continuing with its core business of supplying secure messaging and encrypted voice apps for smartphones. But Silent Circle said it had unplugged and wiped its email service even in absence of any search or seizure order from government.

"We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now," Jon Calls, Silent Circle's CTO, explains in a blog post. "We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."

Silent Circle runs its servers in Canada and has plans to expand to Switzerland. For the time being, though, it only has offices in the US and UK. However, despite having a presence outside the US, the owners still decided they wouldn't able to continue Silent Mail in good conscience.

Any UK firm offering similar services to Lavabit and Silent circle would have to comply with RIPA and any other future local law, such as the Snoopers' Charter, if it is ever reanimated.

And any service provider in the EU would be obliged to adhere to the Data Retention Directive, which specifies (among other things) that

each [member state's] authority shall in particular be endowed with investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties.

Setting up a secure ISP in an EU state means living with a regime little more friendly than that which exists in the US.

"All EU member states have to comply with the Data Retention Directive," Brian Honan, of BH Consulting and founder of Ireland's CSIRT told El Reg. "Each EU member state will implement the directive differently and will also have their own local laws too."

Honan said the only secure alternative is a DIY approach using encryption tools such as PGP. And even that approach won't always work – either due to a failure to use the technology properly or malware infection.

"Use PGP on the desktop as only you have access to your private key. For extra protection keep private key separate from PC," Honan told El Reg

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.