The secure mail dilemma: If it's useable, it's probably insecure

'The writing's on the wall' – PGP daddy's crypto firm

High performance access to file storage

Mail providers must choose: Silent compliance or shutdown

Lavabit boasts en estimated 400,000 users. Many of its users were left frustrated by the speed of unfolding events, with some using its official Facebook page to ask for the re-opening of its servers to recover data while many more (not necessarily customers) express support for the decision.

Lavabit and Silent Circle's actions reveal the stark choice with which service providers are faced: silent compliance to secret government orders or oblivion. In a statement, the Electronic Frontier Foundation (EFF) urged service providers of all sizes the push back against overly broad US government surveillance and interception requests.

The EFF said in a blog post.

Lavabit’s ominous note and the lack of information about this case is especially concerning for users of large communication service providers like Facebook and Google that may well have been subject to similar pressure, and we hope they will continue to fight for the user in the face of government demands, even if not recognized for years.

We need more transparency so the public can know and understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity. Hopefully Congress will get concerned, especially when there are American jobs at stake.

Meanwhile, sysadmin-in-hiding Snowden told The Guardian's Glenn Greenwald, his chief collaborator in the leak of details of the NSA's controversial and wide-ranging surveillance programmes, that he found Lavabit's stand "inspiring". He told Greenwald:

Ladar Levison and his team suspended the operations of their 10 year old business rather than violate the Constitutional rights of their roughly 400,000 users. The President, Congress, and the Courts have forgotten that the costs of bad policy are always borne by ordinary citizens, and it is our job to remind them that there are limits to what we will pay.

America cannot succeed as a country where individuals like Mr Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren't fighting for our interests the same way small businesses are. The defence they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not.

When Congress returns to session in September, let us take note of whether the internet industry's statements and lobbyists - which were invisible in the lead-up to the Conyers-Amash vote - emerge on the side of the Free Internet or the NSA and its Intelligence Committees in Congress.

Put it in the cloud... but make your own backups

Antivirus industry expert Paul Ducklin said the suspension of services by Lavabit had broader lessons for uses of cloud services.

"Lots of people seem to think that cloud services remove the need for you to keep your own backups, on the principle that 'you don't buy a dog and bark yourself'," Ducklin said in a post on Sophos's Naked Security blog. "But even if your cloud provider has impeccable credentials in respect of integrity and confidentiality, the availability of your data may be threatened by circumstances outside the control of either of you."

Privacy-conscious users have been left short of choices for secure email alternatives with the suspension of services from Lavabit and Silent Mail.

Hushmail, which offers web-based email service offering PGP-encrypted email and file storage, is based in Canada, but users with long memories will recall that Hush Communications was obliged to turn over clear text copies of email messages associated with several addresses back in 2007. This was the result of a court order under a Mutual Legal Assistance Treaty between Canada and the US, as a part of a drug trafficking investigation.

Hushmail's marketing claims at the time stated that not even its own staff could access encrypted email, but in reality, its server-side encryption option did create a means to recover plain-text versions of scrambled communication. Hushmail updated its terms of service soon after the incident became public knowledge in November 2007 to clarify that encrypted emails sent through the service can still be turned over to law enforcement officials, providing said officials obtain a court order in Canada.

PGP creator Phil Zimmermann, who helped to found the service, defended Hushmail's compliance with court orders at the time, arguing that users who pick web-based products for their ease of use can't expect absolute security.

Long-term collaborator Callas, who first worked with Zimmerman at PGP Corporation, expanded on the reasons for Silent Mail's decision to drop its secure email service, less than four months after its launch in April.

Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.

And yet, many people wanted it. Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.

Despite these inherent drawbacks, Snowden is rumoured to have used the Hushmail service at least at recently as March 2013, at least according to this investigation of his online footprint.

Several firms produce Firefox extensions that allow users to encrypt Gmail or other webmail, listed in an informative article by Computerworld here. These services might be a good option for some people – however we can't say for sure that they're bulletproof.

So what SHOULD we use?

The best option available to individuals who are concerned about privacy is probably to secure their own email using PGP rather than relying on any web mail service, say the experts.

If you want to go even more secure than that, then secure instant messaging alternatives such as OTR (Off-the-Record Messaging, a secure IM protocol) or Silent Text might be a preferable option.

Infosec and opsec experts on Twitter are coming up with some alternatives but are nowhere near any kind of consensus, while many of them note that losing the usability of email would be a bitter pill to swallow.

Difficult-to-use systems are inherently less secure, not least because it's human nature to look for shortcuts. What's needed might be a secure version of Skype, according to some experts.

Those that still believe in secure email were offered a champion in the larger-than-life shape of Kim Dotcom, who promised to launch a service next year.

"‪#Mega‬'s open encrypted email service outside of ‪#NSA‬ reach will change the way people use email forever. You'll see. Coming 2014," he said in an update on Twitter, before adding, "‪#Mega‬ encrypted services will put an end to mass surveillance. Where politicians fail us & laws won't protect us, innovation will save us."

"‪#Mega‬ plans to move privacy operations away from New Zealand to Iceland if the new ‪#GCSB‬ & ‪#TICS‬ spy laws are becoming reality," he added. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.