Snowden's favoured secure email provider Lavabit reboots

By on
Snowden's favoured secure email provider Lavabit reboots

Built on new end-to-end encryption standard.

Lavabit, the secure email service favoured by former US National Security Agency contractor Edward Snowden, will relaunch with better protection against interception, according to the company.

In a note published on the Lavabit website, its founder Ladar Levison said email is "the heart of our cyber-identities" and relaunching the secure email service would protect US Constitution-guaranteed values of freedom, justice and liberty.

Under pressure from United States authorities to allow silent interception of user communications, Levison decided to close down Lavabit in 2013 rather than hand over digital decryption keys under a search warrant.

Levison said the new version of Lavabit would be built around the Dark Internet Mail Environment (DIME) end-to-end encryption standard that he developed thanks to Kickstarter crowdfunding.

DIME provides automated and federated encryption capabilities and is designed to work with different service providers, Levison said.

The new standard seeks to improve the secure - but difficult to use and incomplete - email encryption offered by existing solutions such as OpenPGP and S/MIME, which do not automatically scramble messages and their metadata.

DIME offers three encryption modes: trustful, cautious, and paranoid.

In the first mode, users are required to trust the mail server to manage encryption. Users' encryption keys are only stored in the server's memory when they are logged in.

Lavabit believes trustful mode will suit business users with regulatory requirements and data retention practices.

Added security can be achieved with the cautious and paranoid modes. The former is aimed at users who don't trust their email providers, and the latter gives users full control over their encryption keys. Levison said paranoid mode is "ultra-secure, however, requires technical proficiency in user key management".

According to Levison, Lavabit has installed hardware security modules (HSM) meeting the US Federal Information Processing Standard 140-2, which lets the service use digital keys without accessing them directly.

To prevent the key being extracted from HSM, Lavabit sets the passphrase for the system supervisor account blindly, which locks out the service provider's staffers.

There is no other way to extract the encryption key, Levison claimed, referring to the 2013 warrant that required Lavabit to hand over digital credentials to US authorities.

"Any attempt to extract the key will trigger a tamper circuit causing the key to self-destruct," Levison said.

Existing Lavabit customers will be able to access their accounts in the DIME Trustful mode, and update their credentials to the new standard.

While Levison also released the open souce Magma mail server for DIME, graphical messaging clients for operating systems such as macOS, Windows, Linux and Android still need to be developed. 

It is possible to use existing mail clients such as Mozilla Thunderbird and Microsoft Outlook, Outlook Express and Windows Live Mail with DIME's Trustful mode.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?