The secure mail dilemma: If it's useable, it's probably insecure

'The writing's on the wall' – PGP daddy's crypto firm

Reducing security risks from open source software

Mail providers must choose: Silent compliance or shutdown

Lavabit boasts en estimated 400,000 users. Many of its users were left frustrated by the speed of unfolding events, with some using its official Facebook page to ask for the re-opening of its servers to recover data while many more (not necessarily customers) express support for the decision.

Lavabit and Silent Circle's actions reveal the stark choice with which service providers are faced: silent compliance to secret government orders or oblivion. In a statement, the Electronic Frontier Foundation (EFF) urged service providers of all sizes the push back against overly broad US government surveillance and interception requests.

The EFF said in a blog post.

Lavabit’s ominous note and the lack of information about this case is especially concerning for users of large communication service providers like Facebook and Google that may well have been subject to similar pressure, and we hope they will continue to fight for the user in the face of government demands, even if not recognized for years.

We need more transparency so the public can know and understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity. Hopefully Congress will get concerned, especially when there are American jobs at stake.

Meanwhile, sysadmin-in-hiding Snowden told The Guardian's Glenn Greenwald, his chief collaborator in the leak of details of the NSA's controversial and wide-ranging surveillance programmes, that he found Lavabit's stand "inspiring". He told Greenwald:

Ladar Levison and his team suspended the operations of their 10 year old business rather than violate the Constitutional rights of their roughly 400,000 users. The President, Congress, and the Courts have forgotten that the costs of bad policy are always borne by ordinary citizens, and it is our job to remind them that there are limits to what we will pay.

America cannot succeed as a country where individuals like Mr Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren't fighting for our interests the same way small businesses are. The defence they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not.

When Congress returns to session in September, let us take note of whether the internet industry's statements and lobbyists - which were invisible in the lead-up to the Conyers-Amash vote - emerge on the side of the Free Internet or the NSA and its Intelligence Committees in Congress.

Put it in the cloud... but make your own backups

Antivirus industry expert Paul Ducklin said the suspension of services by Lavabit had broader lessons for uses of cloud services.

"Lots of people seem to think that cloud services remove the need for you to keep your own backups, on the principle that 'you don't buy a dog and bark yourself'," Ducklin said in a post on Sophos's Naked Security blog. "But even if your cloud provider has impeccable credentials in respect of integrity and confidentiality, the availability of your data may be threatened by circumstances outside the control of either of you."

Privacy-conscious users have been left short of choices for secure email alternatives with the suspension of services from Lavabit and Silent Mail.

Hushmail, which offers web-based email service offering PGP-encrypted email and file storage, is based in Canada, but users with long memories will recall that Hush Communications was obliged to turn over clear text copies of email messages associated with several addresses back in 2007. This was the result of a court order under a Mutual Legal Assistance Treaty between Canada and the US, as a part of a drug trafficking investigation.

Hushmail's marketing claims at the time stated that not even its own staff could access encrypted email, but in reality, its server-side encryption option did create a means to recover plain-text versions of scrambled communication. Hushmail updated its terms of service soon after the incident became public knowledge in November 2007 to clarify that encrypted emails sent through the service can still be turned over to law enforcement officials, providing said officials obtain a court order in Canada.

PGP creator Phil Zimmermann, who helped to found the service, defended Hushmail's compliance with court orders at the time, arguing that users who pick web-based products for their ease of use can't expect absolute security.

Long-term collaborator Callas, who first worked with Zimmerman at PGP Corporation, expanded on the reasons for Silent Mail's decision to drop its secure email service, less than four months after its launch in April.

Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.

And yet, many people wanted it. Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.

Despite these inherent drawbacks, Snowden is rumoured to have used the Hushmail service at least at recently as March 2013, at least according to this investigation of his online footprint.

Several firms produce Firefox extensions that allow users to encrypt Gmail or other webmail, listed in an informative article by Computerworld here. These services might be a good option for some people – however we can't say for sure that they're bulletproof.

So what SHOULD we use?

The best option available to individuals who are concerned about privacy is probably to secure their own email using PGP rather than relying on any web mail service, say the experts.

If you want to go even more secure than that, then secure instant messaging alternatives such as OTR (Off-the-Record Messaging, a secure IM protocol) or Silent Text might be a preferable option.

Infosec and opsec experts on Twitter are coming up with some alternatives but are nowhere near any kind of consensus, while many of them note that losing the usability of email would be a bitter pill to swallow.

Difficult-to-use systems are inherently less secure, not least because it's human nature to look for shortcuts. What's needed might be a secure version of Skype, according to some experts.

Those that still believe in secure email were offered a champion in the larger-than-life shape of Kim Dotcom, who promised to launch a service next year.

"‪#Mega‬'s open encrypted email service outside of ‪#NSA‬ reach will change the way people use email forever. You'll see. Coming 2014," he said in an update on Twitter, before adding, "‪#Mega‬ encrypted services will put an end to mass surveillance. Where politicians fail us & laws won't protect us, innovation will save us."

"‪#Mega‬ plans to move privacy operations away from New Zealand to Iceland if the new ‪#GCSB‬ & ‪#TICS‬ spy laws are becoming reality," he added. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.