I suspect he would have deleted everything if he could (when we shut down our mail service at Silent Circle, we deleted everything specifically because we still could). If he did it after this whole show got started, it would very likely have led to even more significant contempt (or even obstruction) charges.
Destroying everything does indeed cause some pain, but it also sets a very definite upper bound on just how much pain is possible (especially for your customers).
Does this not mean that the NSA could patiently log all the traffic going in and out of the site over the next few days, then get a court order for this new SSL private key, then decrypt the traffic they collected?
I may have misunderstood, but doesn't that make this something of a trojan horse? Many users will login and try to download all their email, and for everyone who does, when the NSA (very likely) get a court order for the new SSL key, they'll have that large amount of private email everyone tried to copy from the site?
Perhaps... but does it not seem rather a little odd that someone so knowledgeable about security who had Forward Secrecy on before would now /accidentally/ get a new certificate without it?
This doesn't make sense, he would have had forward secrecy on unless there was some reason not to do so (like he was compelled not to, or if he isn't even the one doing all this).
This is something that striked me as missing in the Lavabit key warrant discussion: was Forward Secrecy merely an option on the server before the shutdown, or was it enforced on all connections, regardless of client support?
If not all connections used it, FBI / NSA are probably now in the position to decrypt earlier recordings of user sessions, thus recovering the passwords, email contents etc...
From reading the ssllabs report, it looks like even with the current setup, sessions by IE and Safari (also Android?) users can be recovered once the new key is obtained via court order.
If he intended to give the government access to your email, wouldn't there be much easier to implement and harder to detect ways of accomplishing it than a wonky cipher suite setting?
This is probably wandering too far into conspiracy territory, but what if he's being forced to do it but doesn't want to, and this is his way of obeying badly?
I don't think that's at all too far into conspiracy territory. Keep in mind that him being forced to do something and obeying badly (because he couldn't talk publicly about it) is a pretty precise description of the events leading up to the shutdown.
Forward secrecy in this instance does not matter one bit.
Presuming they've imaged the drives with their encrypted mail, all they'd have to do is a half-dozen line patch to the code to log the passwords to disk as they come in.
Then they can decrypt everyone's private keys, and decrypt everyone's mail, PFS or no.
Anyone sending their Lavabit password outside of their own home is simply asking for someone else to decrypt and read their email.
If I had been a Lavabit customer, I would see this cipher suite as him saying-without-saying that this service is suspect and is to be avoided at all costs.
The majority of lavabit users probably joined on principle and would not be harmed by the NSA having their secrets at present. For those users the convenience of getting hold of all their mail (if they didn't have a local backup) might be worth the tradeoff of having to change their password and risk the NSA recording/decrypting their data on lavabit. Others could simply not access the data if they want to leave it encrypted.
Occam's razor, for once, actually supports the conspiracy theory.
It's far more likely that Levison has been bullied into 72 hours of snooping to avoid contempt than that he's suddenly decided, months after shutting down, for no reason at all, to open up a window for users to grab their emails.
So then he suddenly, after all this time, woke up and decided, "hey, you know all those hosts I shut down and mothballed? I'm going to fire them up NOW, spend some time restoring backups, reconfiguring things where necessary, while facing possible contempt charges, for an arbitrary number of hours, with a new keypair, signed by a US certification authority, without ephemeral keys, and invite everyone who has been avoiding snooping by state entities to log in with their private credentials!" ?
He could have done this a while ago, but he didn't.
He could have relaunched fully, under a new entity, but he didn't.
Well, it's certainly possible, but I'd like to point out one thing. IANAL, but I've been through enough to know that courts will often/always consider the aspect of compliance known as "good faith". It's almost certain that handing over the key and them immediately changing it would be seen by the presiding judge as compliance in bad faith, and would put him in a substantially worse position with regard to possible contempt. Given this, unless Levison is legally suicidal, I think it's a fair bet that any relaunch using a new key pair was done, at the very least, with the blessing of the feds and/or the judge. And I can only think of one reason the feds would give such a blessing.
With or without ephemeral keys, when people log in, the servers will, at the time of login, have access to the passwords of the users — the same passwords used to decrypt the private keys which can access those users' encrypted email messages.
Hypothesis 1: He wants to give low profile users, the kind that use it for mundane things (because why not use cryptography?) the chance to recover their mail at the cost of a privacy leak. In his hurry he forgot the minor detail of PFS. Fetching their email now is not for the paranoid anyway. The alphabets have root.
Hypothesis 2: The alphabets set it up as a trap and simply forgot to turn on PFS like before.
Interestingly, in both scenarios the activity will be very logged and the alphabets will get all your data, but absence of PFS is unrelated to this.
With Forward Secrecy disabled when it wasn't before, it only being a quick configuration change to re-enable it (I'm talking two or three lines in Apache or nginx), and no discernible gain in disabling it other than to make it easier for people to look through the traffic after the fact... it's almost the only explanation.
Either that or there's an amount of incompetence here that should might as well amount to the same degree of stay away.
However, the server is probably not actively compromised, because if it was they could use PFS and still listen in. It is still required, however, that they'll need either to own this key pair being used at some point to listen in to the traffic.
But that would mean that they can likely change the key pair on the server but for some reason they can't enable PFS, even though once they have access to the server in production, PFS is useless... so... who knows on that part.
tl;dr: If they get the key pair later (even if years later through brute forcing or whatnot) and don't have access to the server, then PFS disabled is a bad thing. If they have control over the server or the server logs all the session keys and they receive these at some point in time, then PFS enabled is, of course, a useless thing. If they don't get the key pair at any point, then it's fine, but I'd consider that unlikely.
Edit: The proper way forward is to estimate the chance they will get the key, which might as well call at 50-50, multiply that by the losses you would incur where they to gain access to these emails (and that's likely to amount to $0 for the vast majority, sorry if I'm being presumptuous and devaluing privacy) and compare that to the losses incurred if you didn't have access to these emails. Counter-intuitively arising from that, for some it might even make sense to connect assuming that traffic is intercepted, to show that they are boring and are using Lavabit for very mundane reasons.
Hypothetically speaking, could you download the files over Tor from public wifi and be protected? Or, is Tor now considered insecure due to exit node monitoring?
Thank you for the explanation. I guess my previous thought was made under the assumption that this was not some sort of law enforcement honeypot. If in fact they are just listening for your username/password on the server, there ain't no way around it.
> Since the SSL certificates formerly used to protect access to Lavabit have been compromised, we recommend manually validating the serial number and fingerprint your computer received before using this website. [https://liberty.lavabit.com/]
What? If an active attacker is changing certificates on the fly, he's also surely able to change the values in the HTML content of the page.
This will add absolutely no security for the users, only false sense of security via complex-looking measures, and he should know this.
Yes, but no doubt some of Lavabit's users are more worried about random or targeted hackers, and not so worried about the US government. No need to give everyone the data just because one group already has it.
Actually this makes the most sense. When users type their passwords online in order to recover the data, NSA gets those passwords the same moment. I'm pretty sure Lavabit was forced to try to trick its users into giving their passwords one more time.
given the government is behind all this (which, after all, isn't too unlikely) at least some thug at some agency is now furious because of us here and commenters all over the web warning people. the question arising in their minds, and certainly meetings, is "what to do about people talking?".
now, you'll just wait what happens and be as surprised by the outcome as you've been with the surveillance revelations this year.
Did anyone else take a look at the site source code?
For a trap, it's pretty damn obvious. The form submits the user name and password in plain text over the "secured" connection--the one that doesn't support forward secrecy, operated by a provider who's already known to be compelled to disclose SSL private keys.
Further, I can't imagine Ladar willingly set this up. This means that not only can they compel Ladar to hand over his private SSL keys, but they can apparently compel him to take positive action to fuck over his users. <s> Talk about a free country! </s>
56 comments
[ 2.9 ms ] story [ 114 ms ] threadMaybe if he destroyed everything apart from the one user account they claim they want access to?
Destroying everything does indeed cause some pain, but it also sets a very definite upper bound on just how much pain is possible (especially for your customers).
Does this not mean that the NSA could patiently log all the traffic going in and out of the site over the next few days, then get a court order for this new SSL private key, then decrypt the traffic they collected?
I may have misunderstood, but doesn't that make this something of a trojan horse? Many users will login and try to download all their email, and for everyone who does, when the NSA (very likely) get a court order for the new SSL key, they'll have that large amount of private email everyone tried to copy from the site?
EDIT: And hope the relevant courts are not running during those 72 hours?
They only ordered him to disclose the old ssl key, maybe it doesn't apply to the new one?
This doesn't make sense, he would have had forward secrecy on unless there was some reason not to do so (like he was compelled not to, or if he isn't even the one doing all this).
If not all connections used it, FBI / NSA are probably now in the position to decrypt earlier recordings of user sessions, thus recovering the passwords, email contents etc...
From reading the ssllabs report, it looks like even with the current setup, sessions by IE and Safari (also Android?) users can be recovered once the new key is obtained via court order.
No idea about before the warrant, but I don't see any good reason to think it changed it changed
https://news.ycombinator.com/item?id=6518430
The certificate isn't what control PFS, it's the allowed (and preferred) cipher suites.
You can enable PFS without changing your cert.
Presuming they've imaged the drives with their encrypted mail, all they'd have to do is a half-dozen line patch to the code to log the passwords to disk as they come in.
Then they can decrypt everyone's private keys, and decrypt everyone's mail, PFS or no.
Anyone sending their Lavabit password outside of their own home is simply asking for someone else to decrypt and read their email.
If I had been a Lavabit customer, I would see this cipher suite as him saying-without-saying that this service is suspect and is to be avoided at all costs.
Exactly my thoughts too.
At least this option gives the users that choice.
I believe it now implements Forward Secrecy...
It's far more likely that Levison has been bullied into 72 hours of snooping to avoid contempt than that he's suddenly decided, months after shutting down, for no reason at all, to open up a window for users to grab their emails.
Occam's razor says he replaced the compromised ssl key (the one the court ordered him to hand over)
Ladar shut down his servers than accept snooping on all his users, I certainly doubt he just decided after all this fighting to just give up.
He could have done this a while ago, but he didn't.
He could have relaunched fully, under a new entity, but he didn't.
He chose NOW, to relaunch for only 72 hours. Why?
The court records were just unseal on October 2nd.
>He could have done this a while ago, but he didn't.
Maybe he's been working on it since the 2nd?
>He could have relaunched fully, under a new entity, but he didn't.
Why would that change anything? This would only serve to hurt his existing customers.
>He chose NOW, to relaunch for only 72 hours. Why?
Again, maybe he's been working on it since the 2nd?
He's flying back from Brussels to DC tomorrow. Then back to Dallas on 20 Oct.
So he's in DC while the server is up.
source: personal communication (SMS)
Interestingly, in both scenarios the activity will be very logged and the alphabets will get all your data, but absence of PFS is unrelated to this.
Either that or there's an amount of incompetence here that should might as well amount to the same degree of stay away.
However, the server is probably not actively compromised, because if it was they could use PFS and still listen in. It is still required, however, that they'll need either to own this key pair being used at some point to listen in to the traffic.
But that would mean that they can likely change the key pair on the server but for some reason they can't enable PFS, even though once they have access to the server in production, PFS is useless... so... who knows on that part.
tl;dr: If they get the key pair later (even if years later through brute forcing or whatnot) and don't have access to the server, then PFS disabled is a bad thing. If they have control over the server or the server logs all the session keys and they receive these at some point in time, then PFS enabled is, of course, a useless thing. If they don't get the key pair at any point, then it's fine, but I'd consider that unlikely.
Edit: The proper way forward is to estimate the chance they will get the key, which might as well call at 50-50, multiply that by the losses you would incur where they to gain access to these emails (and that's likely to amount to $0 for the vast majority, sorry if I'm being presumptuous and devaluing privacy) and compare that to the losses incurred if you didn't have access to these emails. Counter-intuitively arising from that, for some it might even make sense to connect assuming that traffic is intercepted, to show that they are boring and are using Lavabit for very mundane reasons.
SSL protects an adversary from seeing what you're talking about, not who you're talking to.
Tor will prevent an adversary from seeing who you're talking to, but not (in itself) what you're talking about[0].
Here, the topic of concern is an adversary (in this case, the government) finding out what you're talking about, so Tor isn't relevant.
[0]Because the last step is unencrypted and sent in plain text, even though intermediate steps are encrypted.
What? If an active attacker is changing certificates on the fly, he's also surely able to change the values in the HTML content of the page.
This will add absolutely no security for the users, only false sense of security via complex-looking measures, and he should know this.
He could just let people download their data and decrypt it locally. Instead the site is prompting you for a password which it could freely capture.
now, you'll just wait what happens and be as surprised by the outcome as you've been with the surveillance revelations this year.
brave new world.
For a trap, it's pretty damn obvious. The form submits the user name and password in plain text over the "secured" connection--the one that doesn't support forward secrecy, operated by a provider who's already known to be compelled to disclose SSL private keys.
Further, I can't imagine Ladar willingly set this up. This means that not only can they compel Ladar to hand over his private SSL keys, but they can apparently compel him to take positive action to fuck over his users. <s> Talk about a free country! </s>