This is why you always encrypt on your machine not your email service. TBH I don't get why people get excited about things like Lavabit. You shouldn't be relying on one particular email service for security when email is not secure by design. Secure your content properly and then it shouldn't really matter what email service you use.
I agree with you, but sadly things like PGP are not universally adopted and can be a PITA to explain to someone not technically inclined. So it all boils down to the lack of standardized an universal encryption in e-mail.
Understanding the threat model is fundamental: If you don't know what this protects against, it might as well protect against nothing at all; My ISP received my emails in plaintext, so I have to assume that they've got a plaintext backup of those emails.
I believe the words Vincent Canfield, owner of cock.li (another secure email service) are relevant here:
>How can I trust you?
>You can't. Cock.li doesn't parse your E-mail to provide you with targeted ads, nor do I read E-mail contents unless it's for a legal court order. However, it is 100% possible for me to read E-mail, and IMAP/SMTP doesn't provide user-side/client-side encryption, so you're just going to have to take my word for it. Any encryption implementation would still technically allow me to read E-mail, too. This was true for Lavabit as well -- while your E-mail was stored encrypted (only if you were a paid member, which most people forget), E-mail could still technically be intercepted while being received / sent (SMTP), or while being read by your mail client (IMAP). For privacy, I would recommend encrypting your E-mails using PGP using a mail client add-on like Enigmail.
This was originally followed by a quote from /g/, which has been redacted for obvious reasons (if you want it, you know where to find it), save this line:
>Now that I think about it, administering a mail host is exactly like being a nurse, only people die slightly less often.
Hm, feels a bit weird. If they already got served with an order to share the data and they refused to comply, closing down the service instead, what can have changed today? Wouldn't this mean that someone else took up the service, agreed to the order and now this will become some sort of honeypot?
Maybe I'm misunderstanding something, but I don't understand how anyone could trust Lavabit to either stick around or actually be private and/or secure.
You could have a hardened gateway server with read-only storage and that only temporarily stores messages in memory.
Maybe a heterogenous bunch if them so you'd have to crack all of them to get all messages.
You could periodically reset them in case they still get infected.
You could add a transparant proxy that specifically looks for odd, repeated requests, to detect re-infectations.
You'd set up alerts for attempts at communication/scanning from those servers, to detect virusses trying to move laterally between the different instances, and/or isolate them from eachother on the network layer.
You could have a separare hardware device that scans the memory of these servers to detect tampering.
It could also try to detect "plaintextness" and abort as soon as it detects that, so you only have the beginning of the message in memory.
This doesn't help when the ISP is recording (and it probably is), but it makes it very hard to retrieve the data from inside the email datacenter.
This is retarded. If you try something this you will end up just like lavabit did. You can't rely on solutions that require the operator to remain honest.
I don't think it is? Fact is, if you use SMTP, you can only see if the content is encrypted or not once you receive part of it. The techniques I mentioned are to reduce the risk of these (partial) plaintexts being captured, but should be paired with a refusal to deliver.
There's no way to stop a user's contacts sending plaintext emails for all the ISP's/intelligence agencies to see, but you can make sure you touch them as little as possible when they do arrive (see GP) and discourage those contacts from doing it again by not delivering/returning error codes.
Unless you drop SMTP altogether. I think Riot with E2E is looking pretty good, but it's not been hardened at all.
>Fact is, if you use SMTP, you can only see if the content is encrypted or not once you receive part of it.
Then don't put your users at risk by using SMTP.
>The techniques I mentioned are to reduce the risk of these (partial) plaintexts being captured, but should be paired with a refusal to deliver.
Techniques you mentioned are nothing more than pointless showmanship, which you'll cease as soon as the government asks you to.
>There's no way to stop a user's contacts sending plaintext emails for all the ISP's/intelligence agencies to see
Which is why you shouldn't put them in a situation where they will inevitably do so.
>Unless you drop SMTP altogether.
If you're going to launch a service that advertises secure communications, you have to. Otherwise you're just endangering your users, just like lavabit did.
We're not talking hypotheticals here. Lavabit already fucked over their users trying to pull silliness like this.
> You could have a hardened gateway server with read-only storage and that only temporarily stores messages in memory.
Yeah, well, who is your adversary?
I assume NSA and GCHQ by default just log all SMTP traffic. Especially the ones to services like these.
If your adversary is someone sniffing your unencrypted WiFi connection, they'll have your unencrypted e-mail like this one as well.
If your adversary is network and sysadmins who run your SMTP server then all bets are off. I think the danger lies, just like within Tor, that there's a mole in such a team who does harm while being undetected.
If you're protecting against the local authorities ensuring to get a remote, secure connection with a country who isn't playing along with your local authorities is key. Which is why Putin wants Russians to use local services.
Force end to end PGP encryption for all users? If they do that then I'd assume they could hand over data and say "good luck".
They could also setup a P2P delivery & backup system so that it's not guaranteed they have the data. If all the data is encrypted, it's not really an issue to distribute everything (but then again we'd be talking AES512 or better for something crazy like that).
If you think AES512 isn't secure enough for your data you should not be hosting your mail server out of your network.....
Also, if you have a way to break AES512 I know some people who'd pay a killing to get that information. No litterally there's people who'd kill for that.
A brute-force attack on AES256 would currently take (10 * 2^256) / (4 * 10^9) seconds, assuming a 4Ghz CPU with 10 clock cycles per try. As long as my calculator tells me it takes "NAN" years to crack my encryption I'm not getting nervous. Quantum computing may change that, but it's currently in the weird space between ("all bets are off, anyway" and "it's not magic").
On top of that, I don't remember the specific assumptions but my Crypto professor proved that just to increment a counter to 2^256 would take more energy than exists in the observable universe.
I think also everyone is pretty sure quantum computing won't break AES, but maybe there's some weakness in the S/P boxes that quantum computers can exploit, who knows. That's the fun in crypto, you can't prove that anything other than OTP is unbreakable.
> On top of that, I don't remember the specific assumptions but my Crypto professor proved that just to increment a counter to 2^256 would take more energy than exists in the observable universe.
This proof is present in Schneier's "Applied Cryptography" if someone wants source.
> On top of that, I don't remember the specific assumptions but my Crypto professor proved that just to increment a counter to 2^256 would take more energy than exists in the observable universe.
Well, depending on the theory the universe isn't even supposed to have any net sum, but regardless: even at the Landauer limit (at room temperature; it scales linearly to absolute temp) it would take an awful lot of energy to do the computation non-reversibly, about:
2**256 * 256 * 2.5 zJ
~ 8e+58 J
Which is about 38 orders of magnitude greater than the total energy use of the world (~3.75e+11 GWs).
And any computer built so far is still far, far away from the Landauer limit.
There is also Bremermann's limit which is an intrinsic limit on the processing speed per mass. Eg. a machine that traverses a 256 bit key space in 15 years with one one bit operation per traversed key must weight at least ~1.8e+21 grams, which would be quite a chunk of machinery.
This just goes to show that brute-forcing 256 bits is simply not going to happen with any civilization that isn't able to harness the power of at least one star.
That doesn't say anything about cryptanalysis, though. I think with an algorithm like AES, which has been analysed a great many times, that it's becoming less likely that there is a cryptanalytic breakthrough. It might be the case that AES will remain secure throughout the information age.
"We can't implement "AES 512 key size" because AES is defined for key sizes k∈{128,192,256} bits only; much like we can't make a bicycle with 3 wheels."
I was about to disagree with the bicycle analogy, and realized that a tricycle is indeed different than a bicycle, at least by name & definition. Clever analogy.
There's no such thing as "end to end" encryption for webmail, unless you have a browser extension that can validate the JavaScript you were served from the host (which is capable of performing the decryption and obviously has access to your private key).
Otherwise you're just trusting that you've not been served backdoored JS by order of an NSL.
I wonder if they will attempt to use a 'canary' system, where each day they post a message to say they have not had to hand over any data to law enforcement. Then if they do get an order that says they cannot discuss, they just don't post the canary.You can't force someone to say something in the US can you?
How so? Enabling the canary only tells you that one or more was served/obeyed, and can't be used again. To me, 0-999 also tells me that one or more was served/obeyed.
It is four pages, the first page is mostly dedications and the last page is mostly blank. It will not take you much time to read the remaining two pages and develop your own understanding.
Here is how I am parsing it:
The Office of the Attorney General proposes two options:
1. Separate category reports for NSL, FISA content, and FISA non-content requests and customers affected.
2. A single report for all NSL and FISA requests, and a report for customers affected.
If you want to distinguish between the different kind of request (category 1) then you can report in blocks of 1,000, while if you don't, you can report in blocks of 250.
With how untested warrant canaries are in the courts, I wonder how a more detailed scheme would work. Every day making 1000 public statements, each of the form "We have received no more than N NSLs."
This always sounded fishy to me. When a NSL is served, they order you to keep silent about it, so you can't tell e.g. your own CISO. But if the CISO comes and asks, you're not ordered to lie and say you haven't received one? So if the CISO just asks you every morning, the NSL's order of keeping silent is defeated? I can't believe the courts and the executive that support NSLs in the first place would allow such a loophole.
If you find yourself in such a situation, you should consult with an attorney: Telling your CISO may put you and them at risk that you cannot understand.
While maybe literally true, "risk that you cannot understand" is a little overthreatening. Are you implying extrajudicial financial ruin, torture, murder? I doubt it, so what?
I'm trying not to imply anything, because every situation is different. Nevertheless, violating a federal order could have serious consequences, and if you need advice on this subject, you should talk to an attorney about it.
Yes, actually I do. Gag orders aren't unique to the NSL and if your attorney believes the case is too complicated they will be able to help you find a specialist.
The FBI does in fact has some guidance that your attorney will be able to locate[1]
Firstly, if it is illegal to tell the CISO about the NSL, it may also be illegal to tell some details to an attorney. At least, by going to an attorney, you're already taking some legal risk, in addition to incurring the extralegal wrath of the FBI.
Secondly, the FBI can serve an NSL to the CEO, a separate one to the CISO, and so on down the chain to the tech people whose job would be to fulfill the order. They can choose to serve one or some or all of these orders, and they can order some served people to cooperate and others to keep silent or lie to one another. It's not feasible to expect all of these people, some of whom are not officers of the company, to consult lawyers.
The FBI has some good material on this subject[1] and specifically permits you to disclose the NSL to your attorney so that you can comply with it.
Something important to understand is that non-disclosure is not an automatic feature of the NSL, but that disclosure binds the parties to the terms in the NSL.
> Secondly, the FBI can serve an NSL to the CEO, a separate one to the CISO, and so on down the chain to the tech people whose job would be to fulfill the order
Yes, they can, however that's not what happens. The general council may advise the CEO to disclose certain requirements or aspects of the NSL to the CISO or to other parties for the purposes of complying with the NSL. They will almost certainly not recommend disclosing or distributing the NSL "down the chain to the tech people".
> They will almost certainly not recommend disclosing or distributing the NSL "down the chain to the tech people".
I meant they might target the tech people directly from the start - or someone who isn't a C-level executive, anyway - if they think the CxOs would go to a lawyer and the lower level people would just comply.
Out of curiosity, how granular can the canary system be? Can say, for a Lavabit-like service, each e-mail address have a separate canary associated with it?
Not enough data yet. As court orders are served against entities, in this case a company, but agreements/contracts can also be made with an entity, a company has some unique properties many living organic entities do not posses, namely the ability to die, go bankrupt, cease to exist and then after a period of time come back to life again.
Maybe Lavabit is a phoenix?
Feels very weird, especially after checking the page source:
/*
Count down until any date script-
By JavaScript Kit (www.javascriptkit.com)
Over 200+ free scripts here!
Modified by Robert M. Kuhnhenn, D.O.
on 5/30/2006 to count down to a specific date AND time,
and on 1/10/2010 to include time zone offset.
*/
I mean, I get not reinventing the wheel, but given who they are, the fact that they're sourcing scripts from JavaScriptKit.com for something as simple as a countdown timer is odd. It's not even a good countdown script... like, it even has a y2k bug:
var today=new Date();
var todayy=today.getYear();
if (todayy < 1000) {
todayy+=1900; }
Kudos for not just stripping the attribution I guess, but I wouldn't trust whoever put up that website with my email, encryption or no.
Perhaps. But if you're copy-pasting scripts from other sources into your platform without [being capable of] vetting them, then it fundamentally undermines the security of the platform.
I wonder how they plan to approach security this time, given how much of the previous demise of Lavabit centered around how they had they ability to circumvent the encryption, despite some marketing claims that that wasn't the case
Something about me does not want to trust a webmail host who has an ad running on their front page reading "date rape appreciation station." This appalling lack of professionalism makes the entire service suspect to me.
edit: I would like to thank all the misogynists in this thread voting this down. Thanks for keeping tech a welcoming place for women and victims of assault!
Said person is also quoting from /g/. Why would you expect anything else?
OTOH, the guy does genuinely go to great lengths to protect the security of his site (and of the mail of his users), and seems to know what he's doing. So I'm not to down on him for the unprofessionalism.
I'm sure his service is just great, but, in the future, if you ever wonder why women don't go into tech (it seems so easy to, where are they?)- remember this. Tacit support of actors in the community like this make tech seem like a hostile place, or, at the very least, a boy's club of people okay with rape jokes.
Speaking of nurses (per quote), I worked with nurses before, the vast, vast majority of whom were female, and you'd probably be surprised at the never-ending stream of crude (dick) jokes and "sex-talk"...
Wonder if that's the reason there are so little men in nursing?!
That is different than making a joke at the expense of rape victims. Please think this through. The gender gap in another industry does not negate on in another.
I don't know where you get your "ideas", but I never said or claimed any of these things.
Then again, those nurses really were into joking about and belittling of patients, especially "stupid" ones, tho they did it behind the patients' backs of course.
I'm still not sure to this day if all of the ICU nurses calling the deceased "exes" as in "ex-living" was some kind of crude humor or a coping mechanism. Anyway, when I got my first call to collect an "ex" for pathology, I remember being stumped.
Then what were you trying to say? It looks like you were trying to draw equivalence between crude workplace humor in your line of work and the tech communities's acceptance of misoginistic rape jokes. That is what the thread was about and that is the context I placed your reply in.
That isn't any different than what gets sent out of a "normal" email provider. VC has just been willing to post the law enforcement subpoenas so we can actually see what is going on in the background.
I'm fairly certain cock.li is nowhere near the "tech community". I don't know where you're getting that connection from.
(also, I don't appreciate you strawmanning my comment.)
If it's not your sense of humor, you're welcome to not visit the site. In fact, for the conversation at hand, you didn't at all need to do that because the quote made sense without doing so.
You're taking this comment thread greatly off topic. That's the reason for the downvotes. Not misogyny or something. Claiming otherwise makes your remark sound almost stereotypical.
That is kinda missing the point and the comparison is off.
Except a joke itself, nothing is a joke, nothing is by definition humor except itself.
It is sort of like saying that an engine is not a plane, by no definition can an engine fly.
Which is true because an engine doesn't fly, planes do. (Or Apache Attack Helicopters)
Humor is something you build using other parts, it's more than the sum of it's parts, no single part in of itself is humor.
Secondly, there are no rules what humor is and what it is not except that it provides laughter and amusement. If somebody laughs about a rape joke, it's by definition humor, albeit (depending on joke) not a good one by most people's standards.
Lastly, there is something called "Gallows Humor" in which (to quote Freud) "the ego refuses to be distressed by [...] reality. It insists that it cannot be affected by the traumas of the external world."
As Wylie Sypher puts it, Gallows Humor is "to be able to laugh at evil and error means we have surmounted them".
It's a natural human instinct. (I'm shamelessly copying of Wikipedia here, I'm no expert in all topics)
So while, yes, rape is not a joke and it's a very horrible thing to those it happens to and we as a society should make efforts to not allow it to happen, it can only be healthy to make humor and jokes about it. Not to diminish the victims but to diminish the perpetrators. The perpetrator is worth nothing more than a joke to us, they have no further value or meaning in society and ought to be locked away forever after we thoroughly laughed, helping the victim to recover in the next step.
That is what I want from a strong and healthy society.
I don't think you quite understand: This isn't something generically out of the tech community. It came out of 4chan. This is also why we're all so blasé about it: it's 4chan.
Complaining that 4chan is offensive is a bit like complaining that knives cut things, and it won't get you much more sympathy. When I explicitly mentioned /g/, you should have known what you were in for. And if you didn't, the context might have tipped you off.
I don't think anything about cock.li is meant to imbue professionalism.
I think one of the points is that it almost immunizes them from psychological operations. [1]
I know it sounds conspiratorial, but social justice movements in online communities can be easily leveraged by orgs like the NSA to disrupt an organization. Combined with anti-meritocracy ideals, it's easy to get someone "at the top" who doesn't have any credentials (and who isn't really trying to get there for any other reason than disruption).
It might not be his actual strategy, but the offensive things serve as a deterrent against lowest common denominator character assassinations. He has no reputation to destroy.
I'm sorry that demands to be less awful to groups of people that aren't you make you feel like outside orgs are attacking your freedoms in some sort of conspiracy to destroy your insulated world, ESPECIALLY considering the context that the US has used malicious actors working against gender and racial equality to destabilize groups striving for better social justice.
That does sound like a disgusting ad, but this is the sort of off-topic generic tangent that invariably makes threads worse. You've also made it worse, below, by going into ideological flamewar. Please don't do these things on HN.
Complaining about downvotes is against the site guidelines (https://news.ycombinator.com/newsguidelines.html), so please don't do this either. Assuming that downvotes signify misogyny and then responding with outrage was a particularly huge and unhelpful leap.
There's really no coming back for Lavabit. Nobody can trust them anymore, and this isn't just about Lavabit, but about e-mail. If a person is privacy-conscious enough not to use Google, they know not to use anyone else either.
It depends on your definition of email. Email has already switched from UUCP to SMTP once, and https://darkmail.info/ calls what is developed 'Email 3.0'.
I may have missed something about the original Lavabit affair, but my take-away was always "He's proven to be the rare individual willing to take a significant hit for his principles".
If they now added whatever the state-of-the-art is for a service such as this, wouldn't that create quite a compelling service?
> If they now added whatever the state-of-the-art is for a service such as this, wouldn't that create quite a compelling service?
Right, but that wouldn't be e-mail, and this seems to be e-mail. He made the decision to shut down e-mail accounts (including mine!) to prevent data leakage and that is not a decision that anyone should be forced to make; it is a deficiency of the system.
Protonmail looks interesting. They do not store keys. They can only handover encrypted data. It is open source software. - https://protonmail.com/blog/switzerland/
Ah OK, I stand corrected, thanks. This must be recent then. They did not have this 4 or 5 months ago when I looked and I remember being quite surprised by this. I was told it was a feature that was on the roadmap. Why is this not listed on security details for the product I wonder?
First of all encryption which is what a master passphrase gives you is not the same as authentication. These are two different concerns.
Second, how well does that master passphrase plus local local key work for you when you are not on your laptop or when possibly using an untrusted computer?
Are you just trolling? Two factor authentication is not buzzword.
For their web client, the encryption is really only useful as long as you can guarantee that the JavaScript code has not been tampered with. Once a court orders them to hand over the private key of their TLS certificates (as has happened in the Lavabit case), it's game over for anyone able to man-in-the-middle the connection to Protonmail, or for anyone who's able to compromise their web server directly. It really isn't any better than Lavabit if exposed to that threat model.
The only added defense they have here is jurisdiction. It would be unconstitutional for a court in Switzerland to order them to hand over their private key, wouldn't it?
Nonsense. They could using additional installed software[1] or even their upstream ISPs could netflow/tcpdump the SMTP traffic. If the data is unencrypted coming in the door, you should assume it is always unencrypted.
I would not advise anyone to use these kinds of solutions -- they cannot offer any actual security guarantees and it is akin to walking around with a bullseye on your chest.
> They could using additional installed software[1] or even their upstream ISPs could netflow/tcpdump the SMTP traffic.
From memory, netflow is only the connection info (eg source/dest/byte count), and doesn't include any of the transferred data itself. Unless you were meaning straight tcpdump which could grab payload data.
Email is commonly sent over TLS too, which I think (though it's been a while) can be configured as mandatory on servers. eg not accepting unencrypted email
That doesn't mean this is what's happening here, I'm just pointing out it can be done. :)
> Email is commonly sent over TLS too, which I think (though it's been a while) can be configured as mandatory on servers. eg not accepting unencrypted email
However the thing that decrypts the TLS jacket isn't the user's key.
Might as well not be there for some threat models.
If by 'regular' subscription you mean the cheapest yes it is limited to 5, but you have the possibility to increase it by 5 by paying additional +0,75EUR/month, up to 50.
It's a proprietary service, though. Sending an encrypted e-mail to someone outside of Protonmail results in them getting a link to a https url to read the message.
I get that it's a legitimate POV that PGP has been proven to be unworkable (although I still don't see why a well-designed client integration wouldn't work). But e-mail is a wonderful, open ecosystem and it's already fighting against the onslaught of proprietary services like FB messenger, slack, iMessage etc. – all of which restrict access to it to approved clients if they allow them at all.
Slight nitpick, slack allows XMPP and IRC clients to connect if you get your admin to flip a switch. They can't obviously guarantee the security of arbitrary clients and so they have it turned off by default.
Email is a great and open system though. Horrible in many ways, but also wonderful.
And yes, email has all sorts of problems, although I'd argue that since the spam problem has essentially been solved none of those actually impact the end user anymore. I'd only wish that it were easier/possible to securely run your own mail server.
On the web side of things, it also appears as if we've gotten to a point where it's easy for the vendors (Google/Apple/MS) to innovate without threatening openness. I'd wish we'd be in the same situation for messaging/mail.
Yes, but beware, does not support local (encrypted) backups.
If their servers disappear for whatever reason (DDOS, legal issues, hardware problems,...) you end up with 0 e-mails. Nothing.
Without any details on why this time the service is secure and won't be able to hand over actual user data, it is hard to get excited about the relaunch. Also, nice marketing ploy with re-launching on Inauguration Day.
Looks like DIME hasn't been touched in a while. After the initial talk about this stuff a couple Defcons ago there doesn't seem to be much public progress.
Is this supposed to imply that they feel they'll have more freedom/less censorship under Trump (Jan 20 is inauguration day)? Does FISA change ownership/control between the parties when a president's term ends?
No, it's implying a heightened need for secure communications with the new administration.
And no, courts aren't owned by parties. FISA judges are appointed by the Chief Justice of the Supreme Court. That's been a conservative for the last, ugh..., well longer than FISA exists, anyway.
Also, even if I subscribed to the current dystopian view of politics, I'd argue it's never the parties that excerpt control of a court, but always the administration. There is, in theory as well as in practice, a difference between the two.
If it's running on a VPS on AWS or somewhere, it's still subject to the provider tampering with it.
Secondly, PGP is not nearly widespread enough to be considered secure and additionally provides no anonymity properties which in this day and age should be the focus of any secure e-mail provider.
Additionally, running your own email server also reduces the anonymity to basically null and leaves you with a weak pseudonymity at best.
146 comments
[ 0.21 ms ] story [ 262 ms ] threadUnderstanding the threat model is fundamental: If you don't know what this protects against, it might as well protect against nothing at all; My ISP received my emails in plaintext, so I have to assume that they've got a plaintext backup of those emails.
>How can I trust you?
>You can't. Cock.li doesn't parse your E-mail to provide you with targeted ads, nor do I read E-mail contents unless it's for a legal court order. However, it is 100% possible for me to read E-mail, and IMAP/SMTP doesn't provide user-side/client-side encryption, so you're just going to have to take my word for it. Any encryption implementation would still technically allow me to read E-mail, too. This was true for Lavabit as well -- while your E-mail was stored encrypted (only if you were a paid member, which most people forget), E-mail could still technically be intercepted while being received / sent (SMTP), or while being read by your mail client (IMAP). For privacy, I would recommend encrypting your E-mails using PGP using a mail client add-on like Enigmail.
This was originally followed by a quote from /g/, which has been redacted for obvious reasons (if you want it, you know where to find it), save this line:
>Now that I think about it, administering a mail host is exactly like being a nurse, only people die slightly less often.
Maybe I'm misunderstanding something, but I don't understand how anyone could trust Lavabit to either stick around or actually be private and/or secure.
Maybe a heterogenous bunch if them so you'd have to crack all of them to get all messages.
You could periodically reset them in case they still get infected.
You could add a transparant proxy that specifically looks for odd, repeated requests, to detect re-infectations.
You'd set up alerts for attempts at communication/scanning from those servers, to detect virusses trying to move laterally between the different instances, and/or isolate them from eachother on the network layer.
You could have a separare hardware device that scans the memory of these servers to detect tampering.
It could also try to detect "plaintextness" and abort as soon as it detects that, so you only have the beginning of the message in memory.
This doesn't help when the ISP is recording (and it probably is), but it makes it very hard to retrieve the data from inside the email datacenter.
Just have them rebuild themselves from ROM after each processed mail :)
There's no way to stop a user's contacts sending plaintext emails for all the ISP's/intelligence agencies to see, but you can make sure you touch them as little as possible when they do arrive (see GP) and discourage those contacts from doing it again by not delivering/returning error codes.
Unless you drop SMTP altogether. I think Riot with E2E is looking pretty good, but it's not been hardened at all.
Then don't put your users at risk by using SMTP.
>The techniques I mentioned are to reduce the risk of these (partial) plaintexts being captured, but should be paired with a refusal to deliver.
Techniques you mentioned are nothing more than pointless showmanship, which you'll cease as soon as the government asks you to.
>There's no way to stop a user's contacts sending plaintext emails for all the ISP's/intelligence agencies to see
Which is why you shouldn't put them in a situation where they will inevitably do so.
>Unless you drop SMTP altogether.
If you're going to launch a service that advertises secure communications, you have to. Otherwise you're just endangering your users, just like lavabit did.
We're not talking hypotheticals here. Lavabit already fucked over their users trying to pull silliness like this.
Yeah, well, who is your adversary?
I assume NSA and GCHQ by default just log all SMTP traffic. Especially the ones to services like these.
If your adversary is someone sniffing your unencrypted WiFi connection, they'll have your unencrypted e-mail like this one as well.
If your adversary is network and sysadmins who run your SMTP server then all bets are off. I think the danger lies, just like within Tor, that there's a mole in such a team who does harm while being undetected.
If you're protecting against the local authorities ensuring to get a remote, secure connection with a country who isn't playing along with your local authorities is key. Which is why Putin wants Russians to use local services.
You can't rely on your ability to block them either, or you'll end up just like lavabit did.
They could also setup a P2P delivery & backup system so that it's not guaranteed they have the data. If all the data is encrypted, it's not really an issue to distribute everything (but then again we'd be talking AES512 or better for something crazy like that).
Also, if you have a way to break AES512 I know some people who'd pay a killing to get that information. No litterally there's people who'd kill for that.
They could encrypt with two(or more) 256bits keys, but I think just 256bits key is enough for at least next 5years.
I think also everyone is pretty sure quantum computing won't break AES, but maybe there's some weakness in the S/P boxes that quantum computers can exploit, who knows. That's the fun in crypto, you can't prove that anything other than OTP is unbreakable.
This proof is present in Schneier's "Applied Cryptography" if someone wants source.
Well, depending on the theory the universe isn't even supposed to have any net sum, but regardless: even at the Landauer limit (at room temperature; it scales linearly to absolute temp) it would take an awful lot of energy to do the computation non-reversibly, about:
Which is about 38 orders of magnitude greater than the total energy use of the world (~3.75e+11 GWs).And any computer built so far is still far, far away from the Landauer limit.
There is also Bremermann's limit which is an intrinsic limit on the processing speed per mass. Eg. a machine that traverses a 256 bit key space in 15 years with one one bit operation per traversed key must weight at least ~1.8e+21 grams, which would be quite a chunk of machinery.
This just goes to show that brute-forcing 256 bits is simply not going to happen with any civilization that isn't able to harness the power of at least one star.
That doesn't say anything about cryptanalysis, though. I think with an algorithm like AES, which has been analysed a great many times, that it's becoming less likely that there is a cryptanalytic breakthrough. It might be the case that AES will remain secure throughout the information age.
"We can't implement "AES 512 key size" because AES is defined for key sizes k∈{128,192,256} bits only; much like we can't make a bicycle with 3 wheels."
[0] http://crypto.stackexchange.com/questions/20253/why-we-cant-...
Otherwise you're just trusting that you've not been served backdoored JS by order of an NSL.
There's no need for this (anymore). You're already allowed to disclose (coarsely) the number of NSL you've received[1].
[1]: https://www.justice.gov/iso/opa/resources/366201412716018407...
> You can't force someone to say something in the US can you?
Unclear. The EFF believes you can't be compelled to lie, however you should consult an attorney with details of the specifics.
Here is how I am parsing it:
The Office of the Attorney General proposes two options:
1. Separate category reports for NSL, FISA content, and FISA non-content requests and customers affected.
2. A single report for all NSL and FISA requests, and a report for customers affected.
If you want to distinguish between the different kind of request (category 1) then you can report in blocks of 1,000, while if you don't, you can report in blocks of 250.
This always sounded fishy to me. When a NSL is served, they order you to keep silent about it, so you can't tell e.g. your own CISO. But if the CISO comes and asks, you're not ordered to lie and say you haven't received one? So if the CISO just asks you every morning, the NSL's order of keeping silent is defeated? I can't believe the courts and the executive that support NSLs in the first place would allow such a loophole.
The point being made upthread is that there is no black and white guidance, there is no secret NSL Guide Book for attornies.
The FBI does in fact has some guidance that your attorney will be able to locate[1]
[1]: https://vault.fbi.gov/National%20Security%20Letters%20%28NSL...
Secondly, the FBI can serve an NSL to the CEO, a separate one to the CISO, and so on down the chain to the tech people whose job would be to fulfill the order. They can choose to serve one or some or all of these orders, and they can order some served people to cooperate and others to keep silent or lie to one another. It's not feasible to expect all of these people, some of whom are not officers of the company, to consult lawyers.
Something important to understand is that non-disclosure is not an automatic feature of the NSL, but that disclosure binds the parties to the terms in the NSL.
[1]: https://vault.fbi.gov/National%20Security%20Letters%20%28NSL...
> Secondly, the FBI can serve an NSL to the CEO, a separate one to the CISO, and so on down the chain to the tech people whose job would be to fulfill the order
Yes, they can, however that's not what happens. The general council may advise the CEO to disclose certain requirements or aspects of the NSL to the CISO or to other parties for the purposes of complying with the NSL. They will almost certainly not recommend disclosing or distributing the NSL "down the chain to the tech people".
I meant they might target the tech people directly from the start - or someone who isn't a C-level executive, anyway - if they think the CxOs would go to a lawyer and the lower level people would just comply.
Lavabit LLC - Dallas TX and Colo4, LLC - St Louis MO.
(Insert your own joke here about Americans not caring about mass surveillance...)
edit: I would like to thank all the misogynists in this thread voting this down. Thanks for keeping tech a welcoming place for women and victims of assault!
OTOH, the guy does genuinely go to great lengths to protect the security of his site (and of the mail of his users), and seems to know what he's doing. So I'm not to down on him for the unprofessionalism.
It's not a sustainable atmosphere to maintain
Wonder if that's the reason there are so little men in nursing?!
Then again, those nurses really were into joking about and belittling of patients, especially "stupid" ones, tho they did it behind the patients' backs of course.
I'm still not sure to this day if all of the ICU nurses calling the deceased "exes" as in "ex-living" was some kind of crude humor or a coping mechanism. Anyway, when I got my first call to collect an "ex" for pathology, I remember being stumped.
By the same logic there should be no dark humor involving murder since it makes things hostile for everyone (everyone can be murdered).
Infact, there should be no text talking about violence since that would makes things hostile for everyone.
You're not supposed to trust it or take it seriously, at all.
It's just a host for fun, for people from *chan websites.
I'm really not sure what you're expecting.
Come on, as a tech community we deserve and can do better.
(also, I don't appreciate you strawmanning my comment.)
If it's not your sense of humor, you're welcome to not visit the site. In fact, for the conversation at hand, you didn't at all need to do that because the quote made sense without doing so.
You're taking this comment thread greatly off topic. That's the reason for the downvotes. Not misogyny or something. Claiming otherwise makes your remark sound almost stereotypical.
Rape is not a joke, by no definition is it humor.
Except a joke itself, nothing is a joke, nothing is by definition humor except itself.
It is sort of like saying that an engine is not a plane, by no definition can an engine fly.
Which is true because an engine doesn't fly, planes do. (Or Apache Attack Helicopters)
Humor is something you build using other parts, it's more than the sum of it's parts, no single part in of itself is humor.
Secondly, there are no rules what humor is and what it is not except that it provides laughter and amusement. If somebody laughs about a rape joke, it's by definition humor, albeit (depending on joke) not a good one by most people's standards.
Lastly, there is something called "Gallows Humor" in which (to quote Freud) "the ego refuses to be distressed by [...] reality. It insists that it cannot be affected by the traumas of the external world."
As Wylie Sypher puts it, Gallows Humor is "to be able to laugh at evil and error means we have surmounted them".
It's a natural human instinct. (I'm shamelessly copying of Wikipedia here, I'm no expert in all topics)
So while, yes, rape is not a joke and it's a very horrible thing to those it happens to and we as a society should make efforts to not allow it to happen, it can only be healthy to make humor and jokes about it. Not to diminish the victims but to diminish the perpetrators. The perpetrator is worth nothing more than a joke to us, they have no further value or meaning in society and ought to be locked away forever after we thoroughly laughed, helping the victim to recover in the next step.
That is what I want from a strong and healthy society.
Obviously, this is why South Park crashed and burned, and isn't now in its 20th season.
Complaining that 4chan is offensive is a bit like complaining that knives cut things, and it won't get you much more sympathy. When I explicitly mentioned /g/, you should have known what you were in for. And if you didn't, the context might have tipped you off.
I don't think anything about cock.li is meant to imbue professionalism.
I think one of the points is that it almost immunizes them from psychological operations. [1]
I know it sounds conspiratorial, but social justice movements in online communities can be easily leveraged by orgs like the NSA to disrupt an organization. Combined with anti-meritocracy ideals, it's easy to get someone "at the top" who doesn't have any credentials (and who isn't really trying to get there for any other reason than disruption).
It might not be his actual strategy, but the offensive things serve as a deterrent against lowest common denominator character assassinations. He has no reputation to destroy.
[1] https://theintercept.com/2014/02/24/jtrig-manipulation/
Complaining about downvotes is against the site guidelines (https://news.ycombinator.com/newsguidelines.html), so please don't do this either. Assuming that downvotes signify misogyny and then responding with outrage was a particularly huge and unhelpful leap.
We detached this subthread from https://news.ycombinator.com/item?id=13295658 and marked it off-topic.
If they now added whatever the state-of-the-art is for a service such as this, wouldn't that create quite a compelling service?
i agree with that...
Although it seems 'incompetence' instead of 'evilness', he still provided a service which was not safe by design: https://moxie.org/blog/lavabit-critique/
Right, but that wouldn't be e-mail, and this seems to be e-mail. He made the decision to shut down e-mail accounts (including mine!) to prevent data leakage and that is not a decision that anyone should be forced to make; it is a deficiency of the system.
https://protonmail.com/support/knowledge-base/two-factor-aut...
https://protonmail.com/security-details
Second, how well does that master passphrase plus local local key work for you when you are not on your laptop or when possibly using an untrusted computer?
Are you just trolling? Two factor authentication is not buzzword.
They say they do not store keys.
> They can only handover encrypted data.
Nonsense. They could using additional installed software[1] or even their upstream ISPs could netflow/tcpdump the SMTP traffic. If the data is unencrypted coming in the door, you should assume it is always unencrypted.
I would not advise anyone to use these kinds of solutions -- they cannot offer any actual security guarantees and it is akin to walking around with a bullseye on your chest.
[1]: http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSKC...
From memory, netflow is only the connection info (eg source/dest/byte count), and doesn't include any of the transferred data itself. Unless you were meaning straight tcpdump which could grab payload data.
Email is commonly sent over TLS too, which I think (though it's been a while) can be configured as mandatory on servers. eg not accepting unencrypted email
That doesn't mean this is what's happening here, I'm just pointing out it can be done. :)
However the thing that decrypts the TLS jacket isn't the user's key.
Might as well not be there for some threat models.
protonmail is one of the worst in that regard with only 5 aliases on a regular subscription.
I get that it's a legitimate POV that PGP has been proven to be unworkable (although I still don't see why a well-designed client integration wouldn't work). But e-mail is a wonderful, open ecosystem and it's already fighting against the onslaught of proprietary services like FB messenger, slack, iMessage etc. – all of which restrict access to it to approved clients if they allow them at all.
Email is a great and open system though. Horrible in many ways, but also wonderful.
And yes, email has all sorts of problems, although I'd argue that since the spam problem has essentially been solved none of those actually impact the end user anymore. I'd only wish that it were easier/possible to securely run your own mail server.
On the web side of things, it also appears as if we've gotten to a point where it's easy for the vendors (Google/Apple/MS) to innovate without threatening openness. I'd wish we'd be in the same situation for messaging/mail.
Tell that to the Indian recruiters who flood my mailbox.
Yes, but beware, does not support local (encrypted) backups. If their servers disappear for whatever reason (DDOS, legal issues, hardware problems,...) you end up with 0 e-mails. Nothing.
https://darkmail.info/
We'll see what he puts up.
And no, courts aren't owned by parties. FISA judges are appointed by the Chief Justice of the Supreme Court. That's been a conservative for the last, ugh..., well longer than FISA exists, anyway.
Also, even if I subscribed to the current dystopian view of politics, I'd argue it's never the parties that excerpt control of a court, but always the administration. There is, in theory as well as in practice, a difference between the two.
Secondly, PGP is not nearly widespread enough to be considered secure and additionally provides no anonymity properties which in this day and age should be the focus of any secure e-mail provider.
Additionally, running your own email server also reduces the anonymity to basically null and leaves you with a weak pseudonymity at best.
I am looking forward to trying darkmail, or whatever they're branding it as now.