dslreports logo
site
spacer

spacer
 
   
spc
story category
Lavabit, Silent Circle Creating More Secure E-mail Protocol
by Karl Bode 09:41AM Thursday Oct 31 2013 Tipped by justin See Profile
We've discussed how both Lavabit and Silent Circle closed down their secure e-mail services, claiming that government pressure to hand over encryption keys for all users made operating those service untenable. Both companies were recently joined by Cryptoseal, who shuttered their VPN service after claiming government demands to hand over encryption keys were both unreasonable and unconstitutional.

Click for full size
Now Silent Circle and Lavabit have joined forces to announce what they're calling the "Dark Mail Alliance," a non-profit organization tasked with maintaining the open-source code for a new, more secure e-mail protocol. The two companies hope to include numerous companies moving forward, and are planning a Kickstarter for funding.

While they've yet to release harder technical detail, the two companies state that this new protocol will be based on the Extensible Messaging and Presence Protocol (XMPP), with SMTP being eliminating from the equation.

"We like to laugh at it, but there are reasons why it was a good system," Silent Circle CTO Jon Callas told attendees of the Inbox Love conference on Wednesday. "We're replacing the transport with a new transport. E-mail was designed 40 years ago when everybody on the Internet knew each other and were friends."

The new protocol should arrive sometime in the middle of 2014, and will be released in such a form that it can be added to existing e-mail services, including Gmail. Technology like perfect forward secrecy and end-to-end encryption should be implemented in the service in a way that's largely unnoticeable to regular users and "easy enough that Grandma can use it."

"We believe email is fundamentally broken in its current architecture," Silent Circle CEO Mike Janke, a former Navy SEAL told attendees. "This is an opportunity to create a new email service where the keys are created on the device and only the user can decrypt it."

view:
topics flat nest 

MxxCon

join:1999-11-19
Brooklyn, NY

Replacing SNMP?

I don't know technicalities of what they are planning to do, but that seems like a gigantic task. I don't know if these 2 companies are large and competent enough to be able to pull it off. And I'm sure many existing SMTP vendors will fight this.
Then again, maybe the current atmosphere is sufficiently bad that they can do it and get enough traction with everybody else.
--
[Sig removed by Administrator: signature can not exceed 20GB]

jseymour

join:2009-12-11
Waterford, MI

Re: Replacing SNMP?

ITYM "SMTP"

MxxCon

join:1999-11-19
Brooklyn, NY

Re: Replacing SNMP?

said by jseymour:

ITYM "SMTP"

Yes, also get these 2 mixed up
--
[Sig removed by Administrator: signature can not exceed 20GB]
MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
A bit about Jon Callas »www.entrust.com/news/former-appl ··· officer/

He, and others in the team, have the requisite competency to do this. Don't forget that there will be lots of opportunity for other qualified people to weigh-in on the proposal.

jseymour

join:2009-12-11
Waterford, MI

1 recommendation

Completely Unnecessary

Millions and millions of devices all over the planet know how to "talk" SMTP, POP3, IMAP and their secure counterparts. It's not necessary to throw those protocols out to achieve more secure email.

Use the SSL/TLS/STARTTLS versions of the above protocols and there's your end-to-end security. Add encrypted mail stores. Last step: Change some of the email RFC's to tighten-up client/server relationships. There are actually things in the SMTP RFCs, for example, that prohibit rejecting email due to squirrely client identification.

Tightening-up the SMTP RFC spec would have the happy side-effect of making it easier, much easier, to battle spam, scam and virus/worm/trojan email.

Jim

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA

Re: Completely Unnecessary

It is such a shame that they just don't know anything about the systems they are developing, they should listen to you. /s
--
Teabaggers: Destroying America is Priority #1

workablob

join:2004-06-09
Houston, TX
kudos:4
Reviews:
·Comcast

Re: Completely Unnecessary

said by fuziwuzi:

It is such a shame that they just don't know anything about the systems they are developing, they should listen to you. /s

I get your point but think about it this way.

These companies have lost a revenue stream.

It is plausible to me that this is an attempt to recover that lost revenue.

Demand Creation?

Blob
--
Don't try to follow me, I have a cab waiting. EEEEEEEEradicator!

jseymour

join:2009-12-11
Waterford, MI

Re: Completely Unnecessary

said by workablob:

said by fuziwuzi:

It is such a shame that they just don't know anything about the systems they are developing, they should listen to you. /s

I get your point ...

Which is really a non-point, because he has absolutely no clue whatsoever as to what my experience and knowledge are.

said by workablob:

...but think about it this way.

These companies have lost a revenue stream.

It is plausible to me that this is an attempt to recover that lost revenue.

It's more than just "plausible," in my view.

Jim

workablob

join:2004-06-09
Houston, TX
kudos:4
Reviews:
·Comcast

Re: Completely Unnecessary

said by jseymour:

said by workablob:

said by fuziwuzi:

It is such a shame that they just don't know anything about the systems they are developing, they should listen to you. /s

I get your point ...

Which is really a non-point, because he has absolutely no clue whatsoever as to what my experience and knowledge are.

said by workablob:

...but think about it this way.

These companies have lost a revenue stream.

It is plausible to me that this is an attempt to recover that lost revenue.

It's more than just "plausible," in my view.

Jim

Yep. The more I think about it it is really crystal clear.

I see their efforts going over like a lead zeppelin

Not the band who actually did quite well.



Blob
--
Don't try to follow me, I have a cab waiting. EEEEEEEEradicator!

fuziwuzi
Not born yesterday
Premium
join:2005-07-01
Atlanta, GA
said by jseymour:

Which is really a non-point, because he has absolutely no clue whatsoever as to what my experience and knowledge are.

I made no reference to your experience. However, you're questioning THEIR experience and inferring that yours is superior. I have to wonder how you can do so with any credence? Since you proffer to have all the answers, why haven't you capitalized on that knowledge more prominently?
--
Teabaggers: Destroying America is Priority #1

BimmerE38FN

join:2002-09-15
Boise, ID
kudos:1
Reviews:
·CableOne
I don't think it's spam there after battling...there after more secure encryption methods to keep the NSA of looking at your info...I hope they succeed in helping the general population in keeping prying eyes from looking at our emails. I'm all for it. Nothing wrong in adding too or going to a different format for safer emails and communique. Lets see what they will do next year.

tshirt
Premium
join:2004-07-11
Snohomish, WA
kudos:5

Re: Completely Unnecessary

But part of what's broken about email is the spam and virus generators.
Being really secure also would allow you to trace each mail back to the true source, and abusers could quickly be banned.

jseymour

join:2009-12-11
Waterford, MI
said by BimmerE38FN:

I don't think it's spam there after battling...

It's not. That's why I wrote "would have the happy side-effect" (emphasis added)

Jim

annny9998

@qwest.net
I am also a supporter of creating another protocol for secure email messenging -- lets see what they build, Im very interested.
ptbarnett

join:2002-09-30
Lewisville, TX
said by jseymour:

Use the SSL/TLS/STARTTLS versions of the above protocols and there's your end-to-end security.

No, the message will be readable on every server (after receipt). And, you have to depend on every SMTP server in the chain between sender in receipient to use SSL/TLS. Finally, even if it is encrypted, all someone needs is the private key for the SSL certificate (obtained illegally or by court order), and they can decrypt most SSL protocols with a man-in-the-middle attack.

For end-to-end encryption, the message itself must be encrypted, with a key known only to the receiver. S/MIME can be used for this. But, it has one remaining problem: the meta-data in a message reveals significant information: the sender, the recipient, and the path between the sender and the receiver.

I read the DarkMail Alliance's announcement, and they appear to be addressing the issue with metadata as well. I'm not sure how, but I'll be interested to find out.
TuxRaiderPen

join:2009-09-19

Re: Completely Unnecessary

said by ptbarnett See ProfileNo, the message will be readable on every server (after receipt). And, you have to depend on every SMTP server in the chain between sender in receipient to use SSL/TLS.[/quote :
Not entirely... we are setting our OUTBOUND to REQUIRE SSL/TLS and any INBOUND must be SSL/TLS.

Thus if we send a message TO YOU FROM US *your* SMTP server MUST SUPPORT SSL/TLS or plain and simply were not going to be able communicate, period.

Same thing sending to ME... if your server doesn't support outbound SSL/TLS, then your not sending mail to us. as when you can't honor the SSL/TLS request, we send a "Go away message!" Click! Connection dropped.

Thus all inbound and outbound connections will require this... and if you don't we disonnect... We are alerting our major interactions, most probably 99% are unable to support this right now, and won't be ready when we start to enforce it...

So they won't be able to email us, oh well... so be it. They will have to find another means...

We've made the choice that reducing and interfereing with the process of being snooped on is required. While it may only slow the alphabets down a little, then so be it. But it is at least not plain text as it is now.

Additionally mail servers are being internalized on encrypted file systems... so plan on showing up with a warrant and a small army.
--
1311393600 - Back to Black.....Black....Black....

Want health care? Get a job! No to ACA! No to USNHS or USHIP or anything like them!
Job = Benefits = Health care, simple.
rahvin112

join:2002-05-24
Sandy, UT
Your post displays ignorance of why Lavabit shutdown in the first place. They were court ordered to hand over their private SSL certificate to the government. This allows the government to decode every single bit of encrypted data sent to or from their servers.

None of what you suggested will be able to stop that. The whole point of this initiative is to form a transport mechanism where the keys are held by the sender/receiver and immune from court ordered disclosure of company encryption keys.

You need to keep in mind the government is charging in the owner of Lavabit with obstruction of justice for shutting lavabit down rather than handing over the encryption keys.
Rakeesh

join:2011-10-30
Mesa, AZ
Reviews:
·Sprint Mobile Br..
·Cox HSI
said by jseymour:

Millions and millions of devices all over the planet know how to "talk" SMTP, POP3, IMAP and their secure counterparts. It's not necessary to throw those protocols out to achieve more secure email.

Use the SSL/TLS/STARTTLS versions of the above protocols and there's your end-to-end security. Add encrypted mail stores. Last step: Change some of the email RFC's to tighten-up client/server relationships. There are actually things in the SMTP RFCs, for example, that prohibit rejecting email due to squirrely client identification.

That doesn't solve the problem of the government being able to demand the TLS keys, or the keys being stolen/leaked, or the server itself being compromised and the emails just being read in plaintext.

What they're aiming to do here is end to end encryption - that is, only the sender and recipient know the contents of the message. Email in its current incarnation is incapable of this, hence the need for a re-design.
ptbarnett

join:2002-09-30
Lewisville, TX

Re: Completely Unnecessary

said by Rakeesh:

What they're aiming to do here is end to end encryption - that is, only the sender and recipient know the contents of the message. Email in its current incarnation is incapable of this, hence the need for a re-design.

The S/MIME standard provides end-to-end encryption, using public/private keys. It is supported in many email clients, including Microsoft Outlook, Mozilla Thunderbird, and iOS. All you need is a digital certificate, which can be obtained relatively easily.

However, only the contents of the message is encrypted. The message meta-data, including sender, recipient, and the route of the message from sender to receiver, is still "in the clear". Traffic analysis can yield quite a bit of information from this data. The DarkMail Alliance has implied they will address it, but I'll be interested to see how they do it.
TuxRaiderPen

join:2009-09-19
Exactly! What I am implementing... along with moving email servers internal....

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Necessity is the Mother of Invention

I really hope these guys come up with something that will be completely safe from the prying eyes of bad guys (like the US Government and others), yet simple enough for granny to use. There are a lot of things in our beloved Internet that could use improvement and hopefully people will begin to seriously address them now. "Because we've always done it that way" just doesn't cut it any more. "Build a better mouse trap and the world will beat a path to your door"; Here's hoping for a LOT of new and better mouse traps.
--
"when the people have suffered many abuses under the control of a totalitarian leader, they not only have the right but the duty to overthrow that government." - The U.S. Declaration of Independence
moes
Premium
join:2009-11-15
Cedar City, UT

tired of having to use subjects

I had a huge thing typed up, but then remembed, people support this shit, while I support privacy, I do not support services like this, it allows that element in society we are trying to stop.

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Re: tired of having to use subjects

said by moes:

while I support privacy, I do not support services like this, it allows that element in society we are trying to stop.

Yes, it allows people to be free... how awful.
moes
Premium
join:2009-11-15
Cedar City, UT

Re: tired of having to use subjects

you know I have zero idea how to respond to this without pissing you off or getting a mod after me or whatever. so all I will say, "free" never had it.
Ostracus

join:2011-09-05
Henderson, KY
Freedom without responsibility frees us from blame.

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Re: tired of having to use subjects

said by Ostracus:

Freedom without responsibility frees us from blame.

That's the very first line of the NSA handbook!!!
WhatNow
Premium
join:2009-05-06
Charlotte, NC
Reviews:
·Time Warner Cable

Re: tired of having to use subjects

It also allows the criminal element to do their thing without getting caught or convicted. The other side is when criminals win and you go to the police to recover your identity or bank accounts and the police tell you they can't obtain any evidence that will help. Sorry your out of luck.
With all technology there is always a good use and a bad use. One example is the Boston Bomber. The NSA has all this info but did not spot the older brother. Their problem is they are adding so much hay to the stack they have lost sight of looking for the needle.
Your best defense is be careful who you elect many times the politicians the wrap themselves in the Flag and use Liberty and Privacy the most are sometimes the ones that will use the info on their opponents the quickest when the get reach a position of power.

meeeeeeeeee

join:2003-07-13
Newburgh, NY

Re: tired of having to use subjects

There is absolutely no reason to become a fascist state so that the police can catch criminals. How you can even claim this is beyond me. The NSA has thrown a net covering every square inch of every ocean while claiming that they are trying to take a guppy out of a fishbowl AND they have yet to come even CLOSE to catching the guppy. It's absurd!
--
"when the people have suffered many abuses under the control of a totalitarian leader, they not only have the right but the duty to overthrow that government." - The U.S. Declaration of Independence