[Lista Criptica] Lavabit is back!

Author: doppel
Date:  
To: Criptica - temporary members list
Subject: [Lista Criptica] Lavabit is back!
Hi,

I suppose many of you followed the "Lavabit case" closely at the time,
back in 2013 [1]: Lavabit was an email provider that refused to cooperate
with the FBI after the agency discovered that Edward Snowden had an
account there, from which he was trying to communicate with various
journalists and lawyers (during his "forced stay" in the terminal of
Moscow's Sheremetyevo airport). As a result (to cut a long story short),
Lavabit was forced to shut down. Nevertheless, Ladar Levison's refusal to
cooperate with the US government (at the cost of having to suspend the
service) was regarded as a true example for the hacker community.

I'm writing to give you some good news: it seems Lavabit is back [2],
with an architecture that will make it impossible for the provider to
hand over the SSL keys (as the FBI asked them to in 2013) [3].

"Today, we start a new freedom journey and inaugurate the
next-generation of email privacy and security. In 2014, with Kickstarter
funding, I started the development of the Dark Internet Mail Environment
(DIME), a revolutionary end-to-end encrypted global standard and Magma,
its associated DIME capable free and open source mail server. Today, I
am proud to announce that we are releasing DIME and Magma to the world.
DIME provides multiple modes of security (Trustful, Cautious, &
Paranoid) and is radically different from any other encrypted platform,
solving security problems others neglect. DIME is the only automated,
federated, encryption standard designed to work with different service
providers while minimizing the leakage of metadata without a centralized
authority. DIME is end-to-end secure, yet flexible enough to allow users
to continue using their email without a Ph.D. in cryptology."

The Intercept, the outlet driven by Greenwald, Poitras and Scahill, has
also covered the news [4].

[1]: https://en.wikipedia.org/wiki/Lavabit
[2]: https://lavabit.com/

[3]: Lavabit’s shutdown & SSL key management: What’s different?

"SSL is a security reality. SSL ensures privacy for the communication
between clients/customers and servers/providers in online banking,
shopping, and logins across the internet. It is secure only if the key
is kept secure. In 2013 the US government requested our SSL key, which
allowed clients to connect with our original (pre-DIME) Lavabit
server. Lavabit chose to shut down rather than allowing access to this
tunnel which would have compromised username and password logins.

With DIME, Lavabit now has (3) new operational modes to secure all
customers: Cautious, Trustful and Paranoid. For the Cautious and
Paranoid modes, all communication is encrypted on the user's device
making TLS less relevant. Even with end-to-end encryption, TLS ensures a
client is connected to the provider's server and provides perfect
forward security for network traffic. In Trustful mode, we have moved
from the SSL key typically stored on the server to a secure hardware
device. The former is an extremely common setting for many SSL enabled
sites throughout the internet. We have installed FIPS 140-2 hardware
security modules which allow us to use a TLS key without having to
access it directly. Any attempt to extract the key will trigger a tamper
circuit causing the key to self-destruct. The only account capable of
extracting the key is the HSM supervisor. To prevent this we set the
passphrase blindly, thus locking us out. We suggest anyone not
comfortable with trusting the provider to utilize the Cautious or
Paranoid modes."

[4]: https://theintercept.com/2017/01/20/encrypted-email-service-once-used-by-edward-snowden-to-relaunch/