Lavaboom builds encrypted webmail service to resist snooping

A new webmail service called Lavaboom promises to provide easy-to-use email encryption without ever learning its users' private encryption keys or message contents.

Lavaboom, based in Germany and founded by Felix Müller-Irion, is named after Lavabit, the now defunct encrypted email provider believed to have been used by former NSA contractor Edward Snowden. Lavabit decided to shut down its operations in August in response to a U.S. government request for its SSL private key that would have allowed the government to decrypt all user emails.

Lavaboom designed its system for end-to-end encryption, meaning that only users will be in possession of the secret keys needed to decrypt the messages they receive from others. The service will only act as a carrier for already encrypted emails.

Lavaboom calls this feature zero-knowledge privacy and implemented it in a way that allows emails to be encrypted and decrypted locally using JavaScript code inside users' browsers instead of on its own servers.

The goal of this implementation is to protect against upstream interception of email traffic as it travels over the Internet and to prevent Lavaboom from being able to produce plaintext emails or encryption keys if the government requests them. While this would protect against some passive data collection efforts by intelligence agencies like the NSA, it probably won't protect against other attack techniques and exploits that such agencies have at their disposal to obtain data from computers and browsers after it has been decrypted.

Security researchers have yet to weigh in on the strength of Lavaboom's implementation. The service said on its website that it is considering making parts of the code open source and that it has a small budget for security audits if any researchers are interested.

Those interested in trying out the service can request to be included in its beta testing period, scheduled to start in about two weeks.

Free Lavaboom accounts will come with 250MB of storage space and will use two-way authentication based on the public-private keypair and a password. A premium subscription will cost €8 (around US$11) per month and will provide users with 1GB of storage space and a three-factor authentication option.

"In addition to your key-pair and password we can either send you a randomly generated code or you can use the OTP-feature of a YubiKey. Or even both. We strongly recommend using YubiKey," Lavaboom said on its website.

The service uses the popular OpenPGP email encryption standard that's based on public-key cryptography. Each user will have a public and a private key that will form a keypair. The public key will be advertised publicly and will be used by other users to encrypt messages sent to the key owner, and the key owner will then use his private key to decrypt those messages.


Snowden’s Email Provider Loses Appeal Over Encryption Keys

Lavabit founder Ladar Levison. Image: Gage Skidmore/Flickr

A federal appeals court has upheld a contempt citation against the founder of the defunct secure e-mail company Lavabit, finding that the weighty internet privacy issues he raised on appeal should have been brought up earlier in the legal process.

The decision disposes of a closely watched privacy case on a technicality, without ruling one way or the other on the substantial issue: whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user.

The case began in June, when Texas-based Lavabit was served with a pen register order requiring it to give the government a live feed of the email activity on a particular account. The feed would include metadata like the from and to lines on every message, and the IP addresses used to access the mailbox.

Because pen register orders provide only metadata, they can be obtained without probable cause that the target has committed a crime. But in this case the court filings suggest strongly that the target was indicted NSA leaker Edward Snowden, Lavabit's most famous user.

Levison resisted the order on the grounds that he couldn't comply without reprogramming the elaborate encryption system he'd built to protect his users' privacy. He eventually relented and offered to gather up the email metadata and transmit it to the government after 60 days. Later he offered to engineer a faster solution. But by then, weeks had passed, and the FBI was determined to get what it wanted directly and in real time.

So in July the government served Levison with a search warrant striking at the Achilles' heel of his system: the private SSL key that would allow the FBI to decrypt traffic to and from the site, and collect Snowden's metadata directly. The government promised it wouldn't use the key to spy on Lavabit's other 400,000 users, which the key would technically enable them to do.

Levison turned over the keys as a nearly illegible computer printout in 4-point type. In early August, Hilton, who once served on the top-secret FISA court, ordered Levison to provide the keys instead in the industry-standard electronic format, and began fining him $5,000 a day for noncompliance.

After two days, Levison complied, but then immediately shuttered Lavabit altogether.

Levison appealed the contempt order to the 4th Circuit, and civil rights groups, including the ACLU and the EFF, filed briefs in support of his position.


How Encryption Stuff Works – HowStuffWorks "Learn How …

When we use the Internet, we're not always just clicking around and passively taking in information, such as reading news articles or blog posts -- a great deal of our time online involves sending others our own information. Ordering something over the Internet, whether it's a book, a CD or anything else from an online vendor, or signing up for an online account, requires entering a good deal of sensitive personal information. A typical transaction might include not only our names, e-mail addresses, physical addresses and phone numbers, but also passwords and personal identification numbers (PINs).

The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live and work. It's extremely easy to buy and sell goods all over the world while sitting in front of a laptop. But security is a major concern on the Internet, especially when you're using it to send sensitive information between parties.

Let's face it, there's a whole lot of information that we don't want other people to see, such as:

Information security is provided on computers and over the Internet by a variety of methods. A simple, straightforward security method is to keep sensitive information only on removable storage media like portable flash memory drives or external hard drives. But the most popular forms of security all rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it.

In this article, you will learn about encryption and authentication. You will also learn about public-key and symmetric-key systems, as well as hash algorithms.
