Lavabit security was a facade says crypto expert

Lavabit security was a facade says crypto expert

Summary: Moxie Marlinspike, a respected cryptographic software expert, argues that Lavabit, Edward Snowden’s favorite "secure" email service whose owner shut it down rather than give the NSA the keys to his store, wasn't really secure anyway.


When the Feds first got on to Edward Snowden they went after his e-mail account. Had the account been at Google or Microsoft, they probably would have had access in short order, but Snowden was using Lavabit, an email service that billed itself as highly secure. The company's claims now seem to have been greatly exaggerated.

The Feds demanded Snowden's emails from Ladar Levison, Owner, Operator and developer of Lavabit. Levison told them that the design of his system was such that he couldn't comply. The Feds then asked for the private SSL keys for; Levison refused and (to make a long story short) shuttered the service rather than comply.

Moxie Marlinspike

Moxie Marlinspike is well-known in the world of computer security and of cryptography in particular. He is the designer and author of cryptographic software and an advocate for its use to protect privacy, but is better-known for critiques of security institutions like the certificate authorities.

Marlinspike has published on his personal blog a critique of Lavabit's architecture, and he makes the case that the site overstated the security of their email.

One of Lavabit's main claims was that email on it was so secure that even they (the Lavabit admins) couldn't read it. But in fact, as Levison described in a blog entry describing the Lavabit architecture, as part of the encryption and decryption process the server had to possess and use a plaintext password supplied by the user. In fact, Lavabit was merely saying that they would not look at or retain that password; as Marlinspike puts it, Lavabit would "avert their eyes". In fact, it was even worse than that:

The ciphertext, key, and password are all stored on the server using a mechanism that is solely within the server’s control and which the client has no ability to verify. There is no way to ever prove or disprove whether any encryption was ever happening at all, and whether it was or not makes little difference.


The system relied on SSL for security in transit between the user and server, but once at the server the email and password were in the clear. To quote Marlinspike again, "The cryptography was nothing more than a lot of overhead and some shorthand for a promise not to peek. Even though they advertised that they 'can't' read your email, what they meant was that they would choose not to."

 Marlinspike also provides some reasonable speculation as to why the Feds wanted Lavabit's SSL keys: The NSA had probably already collected the encrypted traffic from the site and needed the keys to decrypt it after the fact. If this is true, then they would still be interested in the keys even if the site were shut down. I haven't heard that Levison surrendered the keys (except once as an unreadable printout in a tiny font), so something there still doesn't add up.

Marlinspike nevertheless supports Levison and calls on us to support him in his legal defense. (If you're actually interested in helping more than rhetorically, Levison has set up a legal defense fund to which you may contribute.)

Marlinspike also makes some constructive suggestions for secure email projects underway which promise better results than Lavabit's: Mailpile and the Leap Encrypted Access Project.

Topics: Security, Government US, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It's a Trust issue

    As developers, there is a hard choice to make when implementing encryption. The choice, in my humble opinion, is guided by the target audience. If the app is perceived as difficult to use (installing software, generating public/private keys, getting others to install the same software and generate key pairs, etc.), then widespread adoption of the app is unlikely. I am speaking from experience. I built ThreadThat in 2009, a secure messaging app, following the same concept (even though I knew nothing of Lavabit at the time). My target audience is the general public and small business professional - people that are not necessarily technical and have a very low cost threshold (free is best).

    Many may not agree, but I believe that users with less technical knowledge are quicker to "trust" what is promised by the application owner(s). Those with high technical knowledge will analyze what is not being said and decide whether they are willing to accept the risk or look elsewhere for less risky alternatives. In the case of Lavabit (and ThreadThat), users must have a high "trust" level. Users must trust that the application code is doing only what is promised by the site owner. Ladar Levison must have done a good job of getting users to trust Lavabit as a solution. Trust feeds on trust. The more people you get to trust a solution, the easier it is to get people to trust it. Just getting a mention on a site like ZDNet is often enough to encourage trust.

    The bottom line is that users would not have been able to determine if the Lavabit software was saving off the decrypted email content somewhere and feeding it to some 3-letter government organization. Success of this weaker encryption application model relies on a high level of user trust and application reputation.

    Matt S.
    Developer/Owner ThreadThat
  • Who Should We Believe, And Why?

    Given that no one (other than the No Such Agency) has broken the DCMA Law, itself a federal crime, and worked to decrypt the Lavabit service, how do we really know?

    And . . . we should believe someone using the name "Moxie Marlinspike", why?
  • Facts are Facts

    As it stands the following is true
    1. The NSA has been reading everything at Yahoo, Hotmail and Google as the data replicates between servers. If that is not enough, they can also catch any plain-text emails flying around. If that still is not enough, they can get a court order and Yahoo, Hotmail and Google will then hand over everything in your account to the NSA. We know for a fact if Snowden had used any of the major services out there, the NSA would have acess to everything he ever did with his account.
    2. That Lavabit was shut down over the NSA wanting access to Snowdens account. Which means the NSA did not have it and Snowdens information is still secure.

    Despite the fact there are problems with LavaBits security. It is vastly more secure than the alternatives have proved to be. At least this is true up to August 2013.

    About the best you can do is use pgp, to encrypt your mail, at that point metadata is still a problem and you have to rely on subject lines and folders for finding messages because you can't search encrypted email. Or you can use POP, download all your email, unencrypt the email message, but keep it on an encrypted drive.
  • Don't know who Moxie Marlinspike is

    But I made precisely the same comment on one of your previous Lavabit articles. Their "security" is no different than that of the ordinary ISP who went to the "trouble" of enabling SSL on their IMAP servers.
  • I don't know the datails

    or the "mechanics" of lavabit, it's interesting that Moxie's own recommendations offer no details, moreover those don't include the proven and easier ways of secure email. That's OpenPGP, better GNU PG (since it's source code is available). Get yourself a nice key pair (the types and strengths vary), make the private one secret to the world, exchange the public with your friends (and enemies if you wish). This of course could be intercepted in theory and forged, yet .... Ask you friends do the same. Use IMAP or POP with a nice gpg conscious email client (I use mutt and GNUS). You can use it for authenticity as well. Let it stay decrypted only locally, don't allow the server to have the decrypted copy. Try not encrypting big files though, since in theory, it could be more insecure than small files.
    You got yourself a pretty secure email.
    • s/datails/details/

      why would the subject field be non-spellcheckable? Make it so!
    • slight correction

      Of course, PGP source code is available. Don't know if it is legal to import in the US though :)
      • no, I was

        referring to the GNU Privacy Guard system. This one is available regardless of the country. There are a number of other vendors compatible with Open PGP as well though, I would not recommend proprietary ones though.