Feeds

The secure mail dilemma: If it's useable, it's probably insecure

'The writing's on the wall' – PGP daddy's crypto firm

5 things you didn’t know about cloud backup

Analysis The sudden closure of two secure email services may cause many privacy-conscious people to begin looking for alternatives. However, security experts warn that any service provider may be put under pressure to comply with authorities, and this might kill off secure mail as we know it.

Lavabit's Levison: No more palaver, I'm lathered over {redacted}

The issue has become even more of a hot topic among infosec professionals since Texas-based Lavabit – reportedly NSA whistleblower Edward Snowden's preferred email provider – announced it was going to roll down the shutter on services on Thursday.

Ladar Levison, the owner of Lavabit, said the firm had "decided to suspend operations" in the face of US legal pressure over recent weeks as an unpalatable but better alternative to becoming “complicit in crimes against the American people”.

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations.

I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on – the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

Levison is careful not to say this directly, but the implication is that he was either served with a court order from the Foreign Intelligence Surveillance Court or a National Security Letter. Both legal documents come with compulsory gag orders. You can see an interview with Nicholas Merrill, one of the few people to win the right to talk about a National Security Letter he was served with, here.)

Man-in-the-middle attack likely only way to get around encryption

Lavabit encrypts stored messages using public key cryptography as well as encrypting the contents of email in transit to guard against eavesdropping. This means that without a customer's private key nobody - not even Levison – can unscramble message.

This is a marked difference from bigger webmail providers such as Google's Gmail or Microsoft's Outlook.com, which hold the keys that would allow them to unscramble messages and turn them over to the authorities, if compelled.

Email stored on Lavabit's servers was encrypted using asymmetric elliptical curve cryptography, as explained in documents about its architecture. This service was only available to holders of premium accounts (among them, reportedly, Edward Snowden, who was said to have maintained the somewhat prosaic address edsnowden@lavabit.com).

The Feds might be seeking to intercept communications in transit between Levabit and its customers using some form of man in-the-middle attack or even seeking to plant government-sanctioned malware, El Reg's security desk speculates. If Snowden was the intended target then all sorts of exotic zero-day exploits might have been brought into play.

This is all complete guesswork on our part and all we know for sure is that Lavabit shut itself down to avoid complying with something it found intolerable while it takes its case to the Fourth Circuit Court of Appeals.

The owner of the boutique email service provider said he hoped to relaunch Lavabit in the US providing its pending appeals court case goes its way. It has begun soliciting donations for a legal defence fund.

Levison said the whole experience had taught him a "very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States," he said.

PGP daddy shuts down new secure email service

Hours later PGP daddy Phil Zimmerman's Silent Circle said it was shutting down its recently inaugurated email service rather than having to face the possibility of receiving a secret court order in future.

The firm is continuing with its core business of supplying secure messaging and encrypted voice apps for smartphones. But Silent Circle said it had unplugged and wiped its email service even in absence of any search or seizure order from government.

"We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now," Jon Calls, Silent Circle's CTO, explains in a blog post. "We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."

Silent Circle runs its servers in Canada and has plans to expand to Switzerland. For the time being, though, it only has offices in the US and UK. However, despite having a presence outside the US, the owners still decided they wouldn't able to continue Silent Mail in good conscience.

Any UK firm offering similar services to Lavabit and Silent circle would have to comply with RIPA and any other future local law, such as the Snoopers' Charter, if it is ever reanimated.

And any service provider in the EU would be obliged to adhere to the Data Retention Directive, which specifies (among other things) that

each [member state's] authority shall in particular be endowed with investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties.

Setting up a secure ISP in an EU state means living with a regime little more friendly than that which exists in the US.

"All EU member states have to comply with the Data Retention Directive," Brian Honan, of BH Consulting and founder of Ireland's CSIRT told El Reg. "Each EU member state will implement the directive differently and will also have their own local laws too."

Honan said the only secure alternative is a DIY approach using encryption tools such as PGP. And even that approach won't always work – either due to a failure to use the technology properly or malware infection.

"Use PGP on the desktop as only you have access to your private key. For extra protection keep private key separate from PC," Honan told El Reg

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.