Lavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike

Trust and Security

I think what the article highlights is the sad fact that - unless you are very skilled - somewhere along the line, to - at the very least, appear to yourself to - be secure; you have to trust someone.

Even if that someone is someone who you have never met, but on whose software/hardware/services/stuff - that you probably do not have full knowledge of - you rely for security. Whether someone is an individual, (open source) group, business or a global advertising agency.

Once extended to privacy from governments, it becomes impossible for all but the extremely skilled to retain any certainty that any of their communications and/or data - stored on a connected device - is truly private.

If you wanted to design a communication and dissemination system that offered privacy to the individuals using the system; you wouldn't design the internet, as it is (and is used) today. Indeed, if privacy was your overriding design aim, probably any connected-system at all.

If we are not there already, then in the near future most of any (absolute) personal-privacy will exist only in the anonymity offered by crowds (in clouds!?).

Secure email

There are several open source and private projects using javascript to encode forms in pgp in the browser, so your form content is encrypted before the form is sent. It gets decrypted at the other end. For example:

http://openpgpjs.org/

and

http://www.hanewin.net/encrypt/

Also http://tectite.com offers an encoder product that you use in conjunction with the browser's https encryption. You use https to send forms from the browser to the server, then encode with tectite encoder at the server and send to an email box (where the person has the tectite decoder.)

Both these solutions provide end-to-end encryption of form data. So email in the browser (which is usually sent as a form) can be protected by strong encryption in ways lavabit and others do not offer. Both of these solutions are used for credit card data, hippa compliance, and other secure email.

The article seems to say that the only effective protection Lavabit offered depended on its certificate private key. Which the FBI (not NSA) obtained a warrant for.

PGP (or GPG) may be a bit of a pain, as is sidestepping webmail, but requires you to trust only the recipient (or the sender, if you are the recipient). And, of course, the PGP/GPG implementer, and the OS in use, and the compiler used to prepare it, and so on.

Ladar Levison may be more trustworthy than Google or Microsoft, but I really don't know any of them, and don't have, on personal knowledge, reason to trust any of them more or less than the others.

Levinson has responded

At Ars:

http://arstechnica.com/security/2013/11/op-ed-lavabits-founder-responds-to-cryptographers-criticism/

He says Moxie is wrong about some of his assumptions, but agrees that the big issue about having only one SSL certificate was his biggest mistake.

PKI

It seems to me that the only secure email system, is email with receiver specific PKI content; it then doesn't matter who stores it, because only the receiver can decrypt it. The only snags I can see with this are maintaining security of local raw text and private keys, the requirement that both ends consistently use PKI to avoid email chain leaks, no CC or BCC support, and the sender not being able re-view content for already encrypted sent emails; however the last one could be seen as a benefit.

It maybe that the only really secure transport is an encrypted direct end-to-end pipe, like SSL, with disposable PKI, rather than indirect messaging solutions.

no need to build - learn to use pgp

there is no need for anyone to build anything. for secure mail what you want is already available,-- for free.

start by switching to Linux,-- I recommend MINT

read and follow instructions regarding maintenance: stick to the official software store.

switch your e/mail to a commercial supplier -- not one of the free ones like Hotmail, Google, or Yahoo. I use Charter, and CoreComm services.

next switch your e/mail onto the THUNDERBIRD client -- that comes with Linux/MINT (also Ubuntu if you prefer ). spend a little time learning to use Thunderbird. it uses IMAP servers -- so you can share mail on your iphone (that isn't encrypted) .

activate the ENIGMAIL plugin on Thunderbird. this uses the GnuPG version of PGP.

use the OpenPGP dialog on Thunderbird to generate your PGP keypair. set 1 year expiration date; load your public key to the keyserver. be sure to generate and save the key revoke certificate (JIC).

locate, dowload, and read Phil Zimmerman's essay on PGP, paying particular attention to the section on protecting public keys from tampering. learn what the Trust Model is -- and how to control it.

find a pardner to begin exchanging PGP mail with

remember there are 3 main advantages to PGP (ENIGMAIL) mail

+authentication

+integrity

+security

authentication allows you to ascertain with reasonable certainty that an e/mail is from the party which clains to have sent it. without this i can send you an e/mail and mark it from anyone i want -- your boss -- or Nixon or Kruschev

integrity allows you to be reasonably sure that you have a correct copy of a message; that the message has not been modified in-transit by someone using (e.g.) a "Man in the Middle" attack. This is CRITICAL for software distributions and financial transactions .

security allows you to encrypt messages so that you can be reasonbly sure only the intended recipient can read them . this is a lot better than putting a disclaimer in your signature block saying something to the effect "if you weren't supposed to get this please cover for me, thanks"

NSA can still apply a traffic analysis on you: ascertain who you are talking to and this won't ever go away on public networks -- switched circuit -- or packet switched . but to get the messages now they have to hit YOU with a subpoena. hitting your ISP won't help: Your ISPcouldn't read your traffic in any reasonable timeframe or at any reasonable cost -- no matter how much they wanted to .

remember though you are subject to the AUP you signed with you ISP. the government could tell ISPs that PGP mail traffic must not be allowed. in which case we'll come up with a new Plan .

what the NSA were after

I assume that the NSA were not necessarily after the mails themselves. Rather they knew that Snowden used the service and were therefore interested in catching him communicating with the service in order to track back to where he might physically be located.

Far too much focus is being put on the security of email servers or the mail sitting on them, when the vast majority of mail sent between networks is not encrypted at all, and is trivial for the NSA to hoover up. Emails are typically assumed to be a digital equivalent of a letter, but they're really more like the digital equivalent of a postcard, because anyone en route can read the contents without any need to 'open' it, or without there being any indication to the recipient that the message was read by someone else. You should not really send anything by email that you would not send by postcard - because it's almost certainly being read and even recorded by people less honest and decent than your average postman (and in my experience, that's a pretty low bar).

Moxie was correct ...

Exec Summary -- Moxie was right, major players are untrustworthy, practical solutions require legislation, current security is ridiculous, good security is likely possible but not likely to happen, all of us have to skill *way up* on security.

Moxie was correct in both tone and substance. The Lavabit system was fundamentally insecure. In Levison's defense, I do not think he was either malicious or stupid. Security is like an onion with unlimited layers. There is always another weakness. Moxie could have been gratuitously unkind in his criticism, but limited himself to pointing out the one glaring weakness. Levison admits to the weakness, but obscures the admission with a lot of talk about other aspects of the system. We are only concerned ultimately with a chain breaking. If the weakest link is not strong enough to hold, the chain breaks and is no longer useful.

All of the big players have to know that reasonable security is possible. Unfortunately, it is not in their interest to destroy valuable information about people.

We know that a true one time pad is secure. In essence, all security is aimed at faking one-time pads. As we wander away from a pure design, security diminishes.

In the Lavabit case, if the data was encrypted on a one-time pad before being sent to the server there is no way the mail could be read. This would still leave the matter of traffic logs, but that is a network issue that Lavabit could not solve on their own anyway.

We need to have secure end to end communications. It is possible, but a lot more technical people have to skill up and understand the issues. I don't exclude myself from that, BTW.

The most potent immediate cure is to make it illegal to eavesdrop on private communications, illegal to possess ill-gotten information and make any ill-gotten evidence inadmissible for any purpose. This is not perfect, but would greatly raise the cost and diminish the value of eavesdropping.

Technically, we can secure end-to-end communications and intermediate storage by encrypting on 'effective one time pads' -- simulated one-time pads created with very large keys. To secure identity, we would need a secure push/pull 'store and forward' system whereby all traffic is posted anonymously by one party and retrieved anonymously by another. The details of such a system get complicated, but it is doable.

It is very difficult to secure communications against a persistent and well-armed attacker. As a practical matter, provably secure communications are not possible. However, that does not mean that we have to make it easy to eavesdrop.

As a mail administrator for many years, I have always told people that they must assume anything sent by ordinary Email will be read eventually by people other than the recipient and can always be published. As a matter of personal discipline I do not snoop on people's Email and anything I see accidentally is excised from memory. However, I know for a fact that other administrators are not so scrupulous. Despite my cautions, users send Email like it was postal mail and assume that it is secure.

I do not consider myself a security expert, but it has been an integral part of my work for decades. I designed and built a secure communications system used by hundreds of techs and senior executives at a Canadian Bank. It passed a nominally rigorous audit and was never breached. Mine is not really a layman's opinion.

In my opinion, the entire debate about secure communications is laughable. There are so many points of failure that no knowledgeable person could possibly trust current systems for anything important.

- I am suspicious of people who say that current key sizes are anywhere near adequate. They need to be measured in megabytes, not bits.

- I do not trust PKI as currently implemented. Key sizes are too small. The algorithms are suspect. The trust system is ridiculous with the least trustworthy entities bordering on criminal at the roots. Randomization is iffy and has already been subject to successful attacks. Key storage is clumsy, difficult and error prone.

- Government has been at this a long time. If people recall, they attempted to make it so that all encryption had a government accessible back door via the 'Clipper Chip'. They do not attempt this any more. That can only be either because they gave up or they were successful some other way. It is a stretch to think they gave up.

- We have a legal regime that makes all intermediaries untrustworthy. If information is stored in the clear at Google, Microsoft, Apple, IBM, Facebook, Twitter, the government has access. Any information that transits in the clear via a .com, .net .us or .org TLD is open to inspection, MIM attacks, etc by the government.

- Since the entire network is insecure against inspection of routing information and things like search engine queries, that information can be collected. If it is, it can be mined for statistics. Statistical techniques are much more effective than most people realize.

- People are much too trusting when it comes to this. We do not, in our daily life, expect to be literally dodging bullets or subject to deadly assault if we are not in a war zone. Giving your password to someone is like turning over your weapon to them. Fine if you are out hunting with your buddies, not so good if you are in armed combat. When it comes to electronic security, we are in a war zone.

- Side channel attacks are frighteningly advanced and effective.

- Rubber-hose cryptanalysis is both advanced and highly effective.

- Social engineering remains a devastating attack. Thus far it appears to even defeat the government.

I may be naive, but I am of the opinion that reasonable security is possible. One reason is that mandated key sizes are so small. The government has been persistent with this and that indicates to me that larger key sizes present a challenge to them. If modest kilobyte key sizes present a challenge to them, it means to me that they cannot break a well-formed megabyte key. Another reason is that no matter how powerful their systems, I find it doubtful that their systems are significantly larger than the aggregate size of the Internet. They would mandate that all traffic be encrypted if inspecting encrypted traffic presented no challenge to them. At some point, people will realize that all traffic must be encrypted. Another reason is that they have left the infrastructure security so weak. It is in their interest to make it easy for them to intercept communications and impossible for others to do so. It indicates to me that they cannot easily handle systems much more secure than we have now.

I am optimistic that reasonable security is possible, but I confess to some pessimism that it will happen. Not nearly enough of the technical community is properly conversant with the issues and as above, I do not exclude myself from that.

IMHO: Lavabit security was a joke

From his rebuttal: "When I was designing the Lavabit encrypted storage feature in 2004, it simply wasn’t possible for an attacker to intercept and decipher a large number of SSL connections in real time. This assumption was presumed true even if an attacker managed to gain access to the SSL private key. "

By 2000 hardware protection of your SSL private key was standard practice precisely because it was known you could attack historical traffic based on a compromised SSL key. The risk was made apparent with all the dot-bom web servers being sold on the 2nd hand market post bankruptcies with their hard drives intact.

He should have been using HSM based SSL "accelerators" and then he could have told the NSA to get stuffed because he didn't have access to his private key. By 2004 these were pretty inexpensive so he had no excuses.

Why didn't Snowden understand the vulnerability?

Popular secure email service is a misnoma

If you use a well known 'secure' email provider like Lavabit used to advertise its self as then you are right in the spotlight of NSA types - shouting I have something to hide and I store my email here!

How secure any system is is almost impossible to assess as an outsider, even with unknown private keys you couldn't know if there was an intentional weakness in the implementation, or if the provider was actually an NSA funded front.

You'd probably be better to run your own little system on some obscure hosting provider. Sure if you were targeted you could have a problem but if you use a popular provider you can be sure you will be targeted. Even if your email is secure you will be identifiable as someone with somthing to hide.

Learnt from experience?

Was this not the person who used to run a sort of Google proxy, and could therefore, if he so chose, access its users' whole search history in the same way he claims the Lavabit owner could, if he wanted, access its users' email?

As a smaller player, he would have certainly been more vulnerable than Google if hit with an order to rat on his customers, so is he perhaps talking from his own experience?

I'm pretty much just here to say that Moxie Marlinspike is a fucking fantastic name.

Also that complaining that email is insecure is like whining that your Ford Mondeo can't win the Dakar rally. No shit! It wasn't designed for that! You want to go rallying, you're going to have to stump up for the right ride; you want secure communication, you'd best start by engaging in it via a transport that nobody knows is communication in the first place. Stenography inserted in random people's social media pictures via botnets which the Russians you hired think you're using to spam people, say. Or you make a USB device that intercepts mouse movements and twitches the mouse in a pattern based on desired communications; you and yourcollaborator join the same TF2 server and record replays which you analyses to decode the messages hidden in the players' movements..

There must be a million ways to do it, and I'm an idiot when it comes to security. It's hard to believe that anyone who *really cares* would rely on the say-so of an email provider who says the new fenders he put on his Mondeo have made it suitable for tackling the dunes...

The network is the computer

We used to say that an attacker who gained physical access to your computer could gain access to its contents, no matter how well protected.

Well, these days the network is the computer (with apologies to Sun for nicking their prescient slogan). And governments and state actors have physical access. I'm sure many Reg readers have seen or heard of the special rooms in carrier hotels and other peering points.

Therefore, a guarantee of privacy is impossible. So, you have two possible paths forward: one "in the box" and one outside of it. In the box is an arms race where you slow down the attacker and they try and get faster. You use 2048-bit keys not 1024, you use AES and not DES (are you listening, Adobe?), etc. But always understanding that the other guy will succeed eventually. The out of the box solution is to make a legal/political/commercial framework that makes spying on citizens untenable. This of course requires your political class to play along, which is always a challenge. Money tends to help a lot: witness the squealing and wounded protestations of innocence from the major US tech companies when it became apparent that they might be tarred with the same brush as the NSA.