Lavabit shut down in 2013 over refusal to hand over SSL key

Jan 23, 2017 13:23 GMT

Encrypted email service Lavabit, which Edward Snowden used to communicate, is back again, stronger than ever, with new features to ensure people’s privacy and more to come.

Over the weekend, The Intercept reported that Lavabit was making a return after its 2013 shutdown. The new service has a new architecture that fixes the SSL key problem, as well as other features meant to enhance privacy for all users, including a way to obscure email metadata, which will prevent the likes of the NSA and FBI from finding out whom you have been communicating with.

In the future, Ladar Levison also intends to implement end-to-end encryption, so users benefit from complete security when sending emails.

In case you do not remember, back in 2013, Ladar Levison became something of an icon for the security community after he refused to help federal agencies, choosing instead to shut down Lavabit. The FBI was, at the time, trying to access one of the most prominent accounts the service had - that of Edward Snowden, the famed whistleblower. The feds kept saying that all they were after was Snowden’s account, but they were requesting the SSL encryption key for the entire service, which would have put all 410,000 users it had at the time at risk.

This time around, Levison hopes to simply offer users the encryption they need, and with it, the security they desire. “What we are hoping for is that by the end of this year we will be more secure than any of the other encrypted messaging apps out there on the market,” Levison told The Intercept.

What’s more, Snowden himself wants to show support for Lavabit by reactivating his account, as he told the publication. While he cannot yet speak about the safety of the relaunched service, he wants to applaud their courage, especially since it was, after all, mostly his presence on the service that led to its closing.

How about the old users?

Lavabit used to have over 410,000 users, all of whom lost their emails once the service was shut down. Existing users will be able to reinstate their old accounts with the new architecture in place, but they will not yet have access to the lost data. Levison is not even sure that they will be able to migrate those old emails to the new platform since they are in a completely different data format.

Account holders are instructed to log in over IMAP or POP so their encrypted passwords, usernames, and keys can be regenerated under the new architecture Levison set in place.

We can't help you!

This time around, Lavabit would not have an SSL key to hand over to the authorities even if it wished to do so. The key will now be stored in a hardware security module. Lavabit generates a long passphrase randomly, so the company itself does not know what it is, inserts the key into the device, and then destroys the passphrase. The SSL key cannot be pulled back out once it has been put in there, and if anyone tries to extract it, the device self-destructs.

This is, more or less, a technique used by Apple. In the dispute Apple had with US authorities over the iPhone of the San Bernardino shooter, Apple said it could not get into the phone because of the security scheme the iPhone had been built with. This led to a lengthy quarrel between the FBI and the tech company, which only died out when the FBI eventually found another way to access the data on the device.