Lavabit, the secure email provider that suspended operations in 2013 after the U.S. government asked for its users’ SSL keys, relaunched Friday under a new architecture.
Ladar Levison, the service’s owner and operator, announced Lavabit’s return on Inauguration Day, acknowledging that values such as “freedom, justice, and liberty” often associated with the ceremony are critical to the service.
“Much has changed since my decision, but unfortunately much has not in our post-Snowden world,” Levison wrote, “Email continues to be the heart of our cyber-identities, but as evidenced by recent jaw-dropping headlines, it remains insecure, unreliable, and easily readable by an attacker.”
The saga surrounding Lavabit has been a long and arduous one. The decision Levison refers to is his choice in 2013 not to hand over SSL keys that would unlock traffic coming in and out of his company’s network. At the time, the service counted more than 400,000 individuals as users, including NSA whistleblower Edward Snowden. The FBI allegedly wanted the passwords, encryption keys and computer code so it could monitor all of Lavabit’s users, not just Snowden. Levison refused and even filed an appeal of the court order asking him to provide the keys. In August of that year Levison finally obliged, giving up the keys while simultaneously shuttering the service.
The latest iteration of the service, Levison said Friday, is based on a free and open source mail server he developed in 2014 called Magma. Levison used the $212,000 he received from backers on Kickstarter to write source code for the “magma” server daemon, which encrypts user data before it’s stored on disk. Code for the software was released on GitHub Friday.
Magma feeds into the Dark Internet Mail Environment (DIME) – an end-to-end encryption standard Levison also released to the public on Friday.
The messaging protocol – something Levison once billed as having “the security of PGP without the cognitive burden” – has been in the works awhile. Levison teamed up with Silent Circle in October 2013 to form the Dark Mail Alliance, in hopes of developing the open, end-to-end encrypted protocol for private email.
Levison hinted the service was close to being ready earlier last week when he tweeted that he was fixing bugs and ironing out some API coding issues with the service’s payment processor.
If god can build this world in 7 days… I should be able to build a secure email service, right? Only 10 bugs left to squash. #Lavabit
— Ladar Levison (@kingladar) January 14, 2017
#Lavabit Payment processor is lagging with API code… swapping em out, speed coding style, should be under an hour.
— Ladar Levison (@kingladar) January 20, 2017
#Lavabit The website is live, but it will take another day or so to finish deploying magma, and get the latest code into Github.
— Ladar Levison (@kingladar) January 20, 2017
Currently, only former Lavabit users can access their accounts and update their credentials to the new standard, provided they do so in “Trustful Mode.” According to Levison, the DIME platform operates in three account modes, Trustful, Cautious, and Paranoid; each level determines where message encryption occurs, and where a user’s private key is stored.
Levison said Friday that the way Lavabit used to operate, with a single SSL key that allowed clients to connect to their server, was essentially its undoing. The new iteration of the service, at least in Trustful mode, stores the SSL key on a secure hardware device. “Any attempt to extract the key will trigger a tamper circuit causing the key to self-destruct,” Levison wrote of the way Lavabit now handles SSL key management.
While the service is only open for existing users, prospective users can pre-register for an account for Lavabit’s next release with a credit card or Bitcoin,
Services that offer encrypted email, especially in the wake of the election of President Donald Trump – who’s made statements about wanting to expand government surveillance – have seen a surge in popularity over the last few months.
One service, ProtonMail, announced last week that it was releasing a .onion hidden service for users who want to access their email via Tor. The service, which can only be accessed via a Tor browser, is designed to thwart attackers from carrying out a man-in-the-middle attack while users are viewing their email.