DIR Return Create A Forum - Home
---------------------------------------------------------
Road2HardCoreIron
HTML https://road2hardcoreiron.createaforum.com
---------------------------------------------------------
*****************************************************
DIR Return to: News
*****************************************************
#Post#: 6717--------------------------------------------------
Lavabit. NOT SECURED. PLEASE READ HACKED
By: Road2HardCoreIron Date: January 9, 2026, 1:47 pm
---------------------------------------------------------
Former Lavabit users will be able to access their accounts in
Trustful mode
Looks like Trustful mode is how the old lavabit operated.
> If you're going to operate in "trustful" mode, lavabit isny
offering any real security wins over any other mail host.
This level of security apparently was enough to protect email
contents against FBI.
The reason this "insecure" mode is kept is to allow users to
continue using their old accounts and restore mailbox contents:
HTML https://lavabit.com/have-lavabit.html
ycmbntrthrwaway on Jan 20, 2017 | next []
It may also be a very bad idea if Lavabit is compromised now.
Don't try to connect to your old account if you had any
sensitive emails.
ssl232 on Jan 20, 2017 | prev | next []
Oh I didn't know that the contents of old accounts were now
accessible again. Was that not deleted by Lavabit when they got
subpoenaed?
ycmbntrthrwaway on Jan 20, 2017 | parent | next []
I think Ladar deleted TLS key, not the database.
Well,
HTML https://lavabit.com/have-lavabit.html
says: "With the help
of these tutorials, you should be accessing your old Lavabit
e-mail and sending new secure messages in just a few minutes."
Maybe e-mail here means account, not messages.
I have some free accounts to test, but looks like
imap.lavabit.com and smtp.lavabit.com don't have SMTP/IMAP/POP3
ports open.
Update:
HTML https://twitter.com/kingladar/status/822570163547541504<br
/>Database is not deployed yet.
pvg on Jan 20, 2017 | prev []
How did it protect email contents from the FBI? They got
warrants and got the emails.
ycmbntrthrwaway on Jan 20, 2017 | parent []
Well, if you have not logged in since they started recording
traffic and until shutdown, chances are your password is not
compromised and emails are still encrypted. But no way to be
sure.
pvg on Jan 21, 2017 | root | parent []
Before the thing with Snowden and the cert, Lavabit simply
complied with warrants, which they could since they could read
everyone's email. Fundamentally, Lavabit was not in any way
different than Gmail.
ycmbntrthrwaway on Jan 21, 2017 | root | parent []
Any source for this? Reading everyone's emails requires them
backdooring their server so that it saves plaintext password or
symmetric key on login. Were they doing this?
pvg on Jan 21, 2017 | root | parent []
'backdooring their server to themselves' is not 'backdooring'
it's just misdesigning. The alternative is believing Lavabit
always scrupulously 'looked away'.
HTML https://moxie.org/blog/lavabit-critique/
ycmbntrthrwaway on Jan 21, 2017 | root | parent []
We already know that Lavabit design was bad and that is why
everyone is moving to E2E.
Still I found no evidence that Lavabit handed over anything but
encrypted data and access logs. The only thing I found is [1]:
"He says he's received "two dozen" requests over the last ten
years, and in cases where he had information, he would turn over
what he had. Sometimes he had nothing; messages deleted from his
service are deleted permanently."
He has complied with warrants because he had nothing to
transfer. Nothing was stored and there is no legal obligation to
modify your service to store passwords. When he was asked for
TLS keys, he had to shutdown the service to prevent leaking all
the passwords and redesigned the server.
The difference between not looking away and Lavabit design is
that nothing is exposed if the server is seized.
The design of old Lavabit was not sufficiently secure and there
was no way to check if it is more secure from the users'
perspective, but still no reason to call it snake oil [2]. Snake
oil is a product that is advertised as secure when maker knows
it is insecure. Lavabit design was correctly described on its
website and source code was promptly published after the
shutdown so it is possible to verify that described features
existed.
[1]
HTML http://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits-...
[2]
HTML https://news.ycombinator.com/item?id=13447919
pvg on Jan 21, 2017 | root | parent []
Still I found no evidence that Lavabit handed over anything but
encrypted data and access logs
There isn't any evidence of that or the contrary. He had all the
data. We don't know what he did or did not turn over.
Snake oil is a product that is advertised as secure when maker
knows it is insecure.
Take another look at this (and Moxie Marlinspike is being
generous and sympathetic). It meets your own criteria precisely.
HTML https://moxie.org/blog/lavabit-critique/
*****************************************************