Lavabit was an encrypted webmail service founded in 2004 by Ladar Levison, it closed on August 8, 2013 after the US authorities ordered it to turn over its Secure Sockets Layer (SSL) private keys to order government surveillance activities. The US Government was interested in spying on the Edward Snowden‘s emails.
In March 2016, a redaction error in the court-ordered release of Lavabit case files confirmed that Edward Snowden was the target of the FBI that caused the termination of the secure email service.
Snowden was using the Lavabit encrypted email service and that FBI drove the company into closure because it refused to serve the US Government’s requests.
The US Government ordered to install a surveillance implant on the Lavabit servers and later to turn over Lavabit’s encryption keys allowing the Feds to access Snowden’s messages. The court order also revealed that the US Government ordered not to disclose the surveillance activity to third-party entities.
After a few weeks of legal dispute, Levison shuttered Lavabit refusing to become not become complicit in criminal surveillance operated by the US Government.
“After 38 days of legal fighting, a court appearance, subpoena, appeals and being found in contempt of court, Levison abruptly shuttered Lavabit citing government interference and stating that he would not become “complicit in crimes against the American people”.” reported the Guardian.
US authorities revealed the mysterious circumstances behind the Lavabit shut down by publishing a collection of case files that were not correctly redacted allowing to discover the target of the FBI activity, the email address [email protected].
The document was integrally published by Cryptome, it is visible the Snowden’s email address was left unredacted.
The documents were publicly disclosed in the result of Levison’s battle against the US Government, he filed a motion in December 2015 that prompted the court to order the release of files related the Lavabit case.
Now, Levison has announced that he is reviving the Lavabit service fixing the SSL issue and implementing new privacy-enhancing features.
The Lavabit CEO is releasing the source code for an open-source end-to-end encrypted global email standard, dubbed Dark Internet Mail Environment (DIME). The code aims to avoid government surveillance and hides the metadata.
“Developed by Lavabit, DIME is an open source secure end-to-end communications platform for asynchronous messaging across the Internet. DIME follows in the footsteps of innovative email protocols, but takes advantage of the lessons learned during the 20-year history of PGP based encrypted communication. DIME is the technological evolution over current standards, OpenPGP and S/MIME, which are both difficult to deploy and only narrowly adopted. Recent revelations regarding surveillance have pushed OpenPGP and S/MIME to the forefront, but these standards simply can’t address the current privacy crisis because they don’t provide automatic encryption or protect metadata. By encrypting all facets of an email transmission (body, metadata and transport layer), DIME guarantees the security of users and the least amount of information leakage possible. A security first design, DIME solves problems that plague legacy standards and combines the best of current technologies into a complete system that gives users the greatest protection possible without sacrificing functionality.” states the description of the standard published by Lavabit.
The Dark Internet Mail Environment (DIME) the standard will be available on Github along with a mail server application dubbed Magma that was designed to allow users with existing email clients to easily use Lavabit service.
“To learn more about DIME & Magma we invite you to join the Dark Mail Technical Alliance https://darkmail.info/ where you can find the latest code & specifications, provide feedback, and contribute to the development effort.”
The DIME standard implements the ‘Trustful’ encryption mode that requires users to trust the server to manage the encryption and their keys.
“The server performs the encryption on your behalf, and as such, you must trust that the server will not be rewritten in such a way that it captures your password, or peeks at your messages during processing,” Levison said.
The DIME standard also implements a more strictly control over their encryption keys, it allows the users to choose the Cautious Mode and Paranoid Mode, for example, Paranoid means Lavabit will never store a user’s private keys on its server.
Lavabit service will only be accessible to existing customers in Trustful mode, others can pre-register and wait for it.
(Security Affairs – Lavabit, Edward Snowden)