Lavabit’s security battle with NSA

Posted by on Oct 18, 2013

Image from http://lavabit.com/

Image from http://lavabit.com/

Lavabit, the secure email service provider, abruptly shut down its doors in August due to the Government’s request for data intrusion. Lavabit provided secured email service by encrypting the email messages and preventing anybody else from reading them, other than the sender and the receiver. The US government was after Lavabit to monitor the real time email usage of a single user. But when they found out that it is not possible to tap into the email of the user they were after, they asked Lavabit to hand over the SSL key, which would allow them to monitor every Lavabit user. The Lavabit email user the government wanted to monitor is believed to be Edward Snowden. “The government became embroiled with Lavabit in May, which is when Snowden disappeared from his job at Booz Allen Hamilton and the feds started looking for him”.

The District court for the eastern district of Virginia demanded Ladar Levison , the founder of Lavabit, to hand over the encryption keys. When he refused to comply with the court’s order, the court threatened him with a fine of $5000 per day. Ultimately Levison handed over the keys to the government but shuttered his 10-year old company to protect his customer’s information. He also filed an appeal against the court for forcing him to turn over the encryption keys. “The government would still be able to use Lavabit’s private keys to decrypt and access data that it had already intercepted (including customers’ usernames, passwords, and the contents of their emails),” the appeal details, “but Lavabit was forbidden from communicating this security breach to its customers or business partners.”

The government says it is entitled to get Lavabit’s private keys because of three reasons: Pen Resister Statute, Stored Communication Act and grand jury subpoena. Lavabit counteracts three of these arguments in its appeal.

  • Lavabit states that the Pen Register Statute only requires that a company can help government to install a “pen-trap” upon receiving a warrant from the court. It does not include handing over encryption keys, which interferes with the way Lavabit provides a secure service to its users. Also unlike telecom businesses, email businesses do not need to be wiretap enabled.
  • The Stored Communication Act allows the government to seize the contents of a particular communication. Lavabit argues that in this case private keys are not particular communication.
  • As per the industry standard Lavabit needs to keep its private keys private. Once it was revealed that the provider keys were shared with the government, Lavabit’s registrar, GoDaddy revoked its security certificate.

Lavabit is opening up temporarily to give its users a chance to recover their data. The data recovery service is expected to begin from October 18. Before the data becomes publicly available users can reset their passwords by logging on to https://liberty.lavabit.com. This move has become possible after Levison obtained a new SSL key to authenticate its server and encrypt the data travelling to and from the site. Lavabit has published its SSL certificate fingerprint and serial number on the password change page. The users are encouraged to verify the new SSL certificate before using the site.

You can take the following steps to verify the SSL certificate fingerprint and serial number in Chrome:

  • Go to https://liberty.lavabit.com/. It will take you to the “Change Password” page, where you can find the serial number and fingerprint of the new SSL certificate. Now click on the padlock icon on the left corner of the address bar. It will give you a dropdown window.
Screen shot 2013-10-17 at 2.49.08 PM

Screenshot by author

  • Click on the “Connection tab” in the drop down window. It will give you the option to verify the Certificate information.
Screen shot 2013-10-17 at 2.52.25 PM

Screenshot by author

  • Next click on the “Certificate information” and click “Details” and there you can check the serial number and fingerprint. Serial number is one of the first entries that you will see. To verify the fingerprint you have to scroll all the way down till “Fingerprints” entry and then match the Chrome fingerprint with the fingerprint on the “Change Password” page.
Screen shot 2013-10-17 at 3.01.45 PM

Screenshot by author

Fingerprint verification:

Screen shot 2013-10-17 at 3.04.22 PM

Screenshot by author

True Privacy with SpiderOak

After going through the story of Lavabit’s fight with NSA in order to secure it’s customer’s data, the question arises – how can businesses ensure that their customer data remains protected from NSA surveillance? It is possible with SpiderOak. SpiderOak does not have any key or plaintext data to handover to the government. At SpiderOak, sensitive user data is protected using 256-bit AES encryption so that files and password remain secured. SpiderOak encrypts the files in your computer before uploading them to the server. As a result you and only you have access to your unencrypted data. Even SpiderOak cannot read your data because the keys used for encryption only belongs to you. It is impossible for someone to gain control of your data by hacking into SpiderOak. SpiderOak’s encryption is comprehensive — even with physical access to the storage servers, SpiderOak staff cannot know even the names of your files and folders. On the server side, all that SpiderOak staff can see, are sequentially numbered containers of encrypted data. In this way, we are not capable of betraying our customers. The secret that keeps your data accessible to you alone is your SpiderOak password, which is never transmitted to SpiderOak in its original form. SpiderOak generates a key from your password using derivation/strengthening algorithm PBKDF2 (using sha256), with a minimum of 16384 rounds, and 32 bytes of random data (“salt”). This key is then used to encrypt/decrypt a series of strong encryption keys that are used to encrypt/decrypt your data. So, a user who knows her password can generate the outer level encryption key using PBKDF2 and the salt, then decipher the outer level keys, and be on the way to decrypting her data. Without knowledge of the password, however, the data is unreadable. This way, even if programs like NSA’s PRISM continue to stand unchallenged, people can rest easy knowing that their data is truly protected.form.

SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and mobile access. SpiderOak offers amazing products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. SpiderOak Blue provides enterprises with a fully private cloud service featuring all of the benefits of cloud storage along with 100% data privacy. And for the average web user, SpiderOak offers the same protections with lower costs and smaller storage space. You can sign up for this product now.


Leave a Reply