Lavabit is back

Ladar Lewison

Lavabit is an anonymous postal service that Edward Snowden used while in Sheremetyevo in June 2013. The service supported encryption of mail in the browser before sending, and the mail archive on the server was stored in encrypted form.

In August 2013, the Lavabit service unexpectedly closed . “Dear friends, I was forced to make a difficult choice: to become an accomplice in a crime against the American people, or to give up almost ten years of hard work and close Lavabit. After much deliberation, I decided to stop working, ”the founder and owner of the company, Ladar Levison, wrote then, leaving thousands of users at a loss.

After closing the protected Lavabit service, Ladar Lewison himself stopped using email at all . “If you knew what I know, you would do the same,” he said.
')
Only a year later, Levison was able to provide details of the legal process , as a result of which the postal service had to be closed. This is a cruel story that, on the ugly side, shows the characteristics of American democracy and the judicial system, something like a mixture of Kafka and Orwell . The process took place behind closed doors, and only thanks to the appeal, with the help of the Electronic Frontier Foundation and the American Civil Liberties Union , the case documents were published .

The FBI and the judiciary strongly pressed Lewison, in every way interfered with his defense in court, which was held in secrecy. He received a court order to issue TLS keys, refused to execute the order, eventually destroyed the keys and erased the files. Before closing, about 410 thousand mail accounts were registered in Lavabit, including the account of Edward Snowden.

Subsequently, it turned out that the pressure of the authorities on Lavabit occurred precisely because of the surveillance of Snowden . The FBI and the Department of Justice did not admit that they needed access to the Lavabit servers for the sole purpose of reading this person’s mail. But they leaked a document in which they forgot to fill in a line with information about the object of investigation. It contains the email address Ed_Snowden@lavabit.com .

Thanks to his irreconcilable position in the confrontation with the state machine, Ladar Levison became a real hero in the information security community.

It took three and a half years after the closure of Lavabit, and now Levison announced a plan for reviving the company and restarting the service. January 20, 2017 such an announcement is published on the main page of lavabit.com .

After restarting, Lavabit is based on a new architecture that should solve the problem of a single SSL key, which Ladar calls the main threat and the most vulnerable point in a cryptographic web-mail system. Having an SSL key, special services can gain access to a secure channel between the client and the server, which compromises user names and passwords. Now this problem is solved as follows: the key is stored in the FIPS 140-2 cryptographic module. So you can use TLS encryption without having direct access to the key. The key from the module can only be retrieved from the HSM Supervisor account. Therefore, Lavabit blindly generates a long passphrase for this account, and it becomes unavailable for anyone, including themselves.

The new architecture is based on the Dark Internet Mail Environment (DIME) platform, the development of which the author began in 2014, having collected initial funds on Kickstarter. For this service with end-to-end encryption, a new mail server Magma, a free open source project, has also been developed. The source code for Magma is published on Github .

According to the developer, DIME supports several security modes ( gullible, cautious, and paranoid modes ) and "radically different from any other cryptographic platform." He "solves security problems that others don’t pay attention to." DIME is the only standard for automated, integrated encryption designed to work with different service providers, while at the same time minimizing the leakage of metadata in the absence of a central focal point. DIME provides strong end-to-end encryption, but “is flexible and simple enough for a regular user who does not have a doctor’s degree in cryptography,” Ladar Levison writes.

Now Lavabit performs the procedure of restoring old user accounts, which by default are restored in a gullible mode, but without access to the archive of old messages. Later, registration will open for new users, including in the cautious and paranoid security modes. Pre-registration is now open at half price.

These are only the first steps on a long journey to restore Lavabit, in the future we plan to develop graphic clients for Windows, Mac OS X / iOS and Linux / Android.

Edward Snowden said in a commentary on The Intercept that he plans to restore his Lavabit account when the service starts, “just to support their bravery.”

“Today we give ourselves democratic power to keep our personalities safe. Under our constant supervision, privacy will be restored, and the final encryption will be automatic, omnipresent and open. In the name of freedom and justice, ”writes Ladar Levison.