Moxie was correct ...
Exec Summary -- Moxie was right, major players are untrustworthy, practical solutions require legislation, current security is ridiculous, good security is likely possible but not likely to happen, all of us have to skill *way up* on security.
Moxie was correct in both tone and substance. The Lavabit system was fundamentally insecure. In Levison's defense, I do not think he was either malicious or stupid. Security is like an onion with unlimited layers. There is always another weakness. Moxie could have been gratuitously unkind in his criticism, but limited himself to pointing out the one glaring weakness. Levison admits to the weakness, but obscures the admission with a lot of talk about other aspects of the system. We are only concerned ultimately with a chain breaking. If the weakest link is not strong enough to hold, the chain breaks and is no longer useful.
All of the big players have to know that reasonable security is possible. Unfortunately, it is not in their interest to destroy valuable information about people.
We know that a true one-time pad is secure. In essence, all security is aimed at faking one-time pads. As we wander away from a pure design, security diminishes.
In the Lavabit case, if the data was encrypted on a one-time pad before being sent to the server there is no way the mail could be read. This would still leave the matter of traffic logs, but that is a network issue that Lavabit could not solve on their own anyway.
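The two paragraphs above lean on the one property that makes a pad "true": random key material at least as long as the message, held only by the two endpoints and never reused. The following is an added illustration written for this page (not Lavabit's code and not the commenter's own system) that encrypts a message client-side, relays only the ciphertext through a server that holds no pad, decrypts at the far end, and then shows the failure mode the argument depends on: once pad bytes are reused, the XOR of the two ciphertexts equals the XOR of the two plaintexts and the pad cancels out entirely. `PadBook`, its methods and the demo values are all constructed here as assumptions.

```python
"""Added example: a minimal one-time pad with the bookkeeping that keeps it a
true pad (random, message-length, single use).  Constructed demo values only."""
from __future__ import annotations
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """Holds one shared pad and hands out each byte exactly once.
    Sender and receiver hold identical copies; the relaying server holds none.
    (Hypothetical helper: one pad per direction, offsets coordinate both ends.)"""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0  # bytes consumed so far

    @classmethod
    def fresh(cls, size: int) -> "PadBook":
        # secrets.token_bytes draws from the OS CSPRNG; a pad from a weaker
        # source (or a pad expanded from a short seed) is no longer a one-time pad
        return cls(secrets.token_bytes(size))

    def remaining(self) -> int:
        return len(self._pad) - self._used

    def take(self, n: int) -> tuple[int, bytes]:
        """Return (offset, key material) and mark it consumed; never hand it out twice."""
        if n > self.remaining():
            raise ValueError("pad exhausted: generate and exchange a new pad")
        off = self._used
        self._used += n
        return off, self._pad[off:off + n]

    def at(self, offset: int, n: int) -> bytes:
        """Receiver side: look up the same key material by offset."""
        return self._pad[offset:offset + n]


def otp_encrypt(book: PadBook, plaintext: bytes) -> tuple[int, bytes]:
    """Client-side encryption before anything is handed to the mail server."""
    offset, key = book.take(len(plaintext))
    return offset, xor_bytes(plaintext, key)


def otp_decrypt(book: PadBook, offset: int, ciphertext: bytes) -> bytes:
    """Recipient decrypts with its own copy of the pad; the server never could."""
    return xor_bytes(ciphertext, book.at(offset, len(ciphertext)))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What any observer learns when the SAME pad bytes encrypt two messages:
    c1 XOR c2 == p1 XOR p2, i.e. the pad drops out and only plaintext relations remain."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    # CONSTRUCTED deterministic pad so the demo is reproducible; use PadBook.fresh() for real
    pad = bytes(range(7, 7 + 64))
    sender, receiver = PadBook(pad), PadBook(pad)   # identical copies at both ends
    msg = b"meet at noon"
    off, ct = otp_encrypt(sender, msg)
    # The relaying server stores only (off, ct).  With no pad it cannot read msg.
    pt = otp_decrypt(receiver, off, ct)
    # Misuse: a second message encrypted with the same leading pad bytes.
    p2 = b"call me back"
    ct2 = xor_bytes(p2, pad[:len(p2)])
    leak = two_time_pad_leak(ct, ct2)
    return {
        "roundtrip_ok": pt == msg,
        "server_sees_plaintext": ct == msg,
        "leak_equals_p1_xor_p2": leak == xor_bytes(msg, p2),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `PadBook.take` is that the single-use rule is enforced by the data structure rather than by operator discipline: the moment a sender needs more bytes than remain, the only correct move is a fresh pad exchanged out of band, which is exactly the operational cost that every "faked" one-time pad tries to avoid and pays for in reduced security.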
We need to have secure end-to-end communications. It is possible, but a lot more technical people have to skill up and understand the issues. I don't exclude myself from that, BTW.
The most potent immediate cure is to make it illegal to eavesdrop on private communications, illegal to possess ill-gotten information and make any ill-gotten evidence inadmissible for any purpose. This is not perfect, but would greatly raise the cost and diminish the value of eavesdropping.
Technically, we can secure end-to-end communications and intermediate storage by encrypting on 'effective one-time pads' -- simulated one-time pads created with very large keys. To secure identity, we would need a secure push/pull 'store and forward' system whereby all traffic is posted anonymously by one party and retrieved anonymously by another. The details of such a system get complicated, but it is doable.
It is very difficult to secure communications against a persistent and well-armed attacker. As a practical matter, provably secure communications are not possible. However, that does not mean that we have to make it easy to eavesdrop.
As a mail administrator for many years, I have always told people that they must assume anything sent by ordinary Email will eventually be read by people other than the recipient and can always be published. As a matter of personal discipline I do not snoop on people's Email, and anything I see accidentally is excised from memory. However, I know for a fact that other administrators are not so scrupulous. Despite my cautions, users send Email as if it were postal mail and assume that it is secure.
I do not consider myself a security expert, but it has been an integral part of my work for decades. I designed and built a secure communications system used by hundreds of techs and senior executives at a Canadian bank. It passed a nominally rigorous audit and was never breached. Mine is not really a layman's opinion.
In my opinion, the entire debate about secure communications is laughable. There are so many points of failure that no knowledgeable person could possibly trust current systems for anything important.
- I am suspicious of people who say that current key sizes are anywhere near adequate. They need to be measured in megabytes, not bits.
- I do not trust PKI as currently implemented. Key sizes are too small. The algorithms are suspect. The trust system is ridiculous with the least trustworthy entities bordering on criminal at the roots. Randomization is iffy and has already been subject to successful attacks. Key storage is clumsy, difficult and error prone.
- Government has been at this a long time. If people recall, they attempted to make it so that all encryption had a government accessible back door via the 'Clipper Chip'. They do not attempt this any more. That can only be either because they gave up or they were successful some other way. It is a stretch to think they gave up.
- We have a legal regime that makes all intermediaries untrustworthy. If information is stored in the clear at Google, Microsoft, Apple, IBM, Facebook or Twitter, the government has access. Any information that transits in the clear via a .com, .net, .us or .org TLD is open to inspection, MITM attacks, etc. by the government.
- Since the entire network is insecure against inspection of routing information and things like search engine queries, that information can be collected. If it is, it can be mined for statistics. Statistical techniques are much more effective than most people realize.
- People are much too trusting when it comes to this. We do not, in our daily life, expect to be literally dodging bullets or subject to deadly assault if we are not in a war zone. Giving your password to someone is like turning over your weapon to them. Fine if you are out hunting with your buddies, not so good if you are in armed combat. When it comes to electronic security, we are in a war zone.
- Side channel attacks are frighteningly advanced and effective.
- Rubber-hose cryptanalysis is both advanced and highly effective.
- Social engineering remains a devastating attack. Thus far it appears to even defeat the government.
I may be naive, but I am of the opinion that reasonable security is possible. One reason is that mandated key sizes are so small. The government has been persistent with this and that indicates to me that larger key sizes present a challenge to them. If modest kilobyte key sizes present a challenge to them, it means to me that they cannot break a well-formed megabyte key. Another reason is that no matter how powerful their systems, I find it doubtful that their systems are significantly larger than the aggregate size of the Internet. They would mandate that all traffic be encrypted if inspecting encrypted traffic presented no challenge to them. At some point, people will realize that all traffic must be encrypted. Another reason is that they have left the infrastructure security so weak. It is in their interest to make it easy for them to intercept communications and impossible for others to do so. It indicates to me that they cannot easily handle systems much more secure than we have now.
I am optimistic that reasonable security is possible, but I confess to some pessimism that it will happen. Not nearly enough of the technical community is properly conversant with the issues and as above, I do not exclude myself from that.