undefined | Better HN

0 pointsFloegipoky6y ago0 comments

Just like lavabit: https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_ord...

0 comments

Lavabit was a service that effectively held keys for its users and was compelled to disclose them. If we were discussing whether a vulnerable service was somehow compelled by the USG, I wouldn't argue. I doubt you'd even need an NSL compromise Lavabit; you might even be able to do it with routine civil litigation. Don't ever use things like Lavabit. That's why we talk about "end to end encryption", as opposed to the bad kind of encryption.

maqp6y ago

Lavabit also sent the private keys from their servers to clients using TLS that utilized RSA for key exchange. Levison was to put it into a word, a fool, for letting that happen. Once he had to submit the private RSA-key for the certificate, FBI could decrypt every past session, and every private key of every user. IMO he'd have to put a hell of a lot of effort if I'm ever going to look at his creations again.

tptacek6y ago

It was a deeply irresponsible service for Levison to be selling to people.

j / k navigate · click thread line to collapse

0 comments

tptacek6y ago

maqp6y ago

tptacek6y ago

It was a deeply irresponsible service for Levison to be selling to people.

j / k navigate · click thread line to collapse