The TL;DR answer is we can't just fix the internet.
The long answer is that fixing the 'internet' would require an unprecedented level of global co-operation. There are millions of servers, thousands of ISPs, backbone providers and cable services that would have to work together, and hundreds of governments that would be involved.
The push to move us away from HTTP1.1, which was born in the 90s and is now over 20 years old, is taking forever. Heck, the RFC for HTTP2.0 is massive and the shift will be incredible.
But the reality is that most governments want to try and know what you are doing online. Privacy is a hot button topic and most governments want backdoors, and by inherent nature adding a back door is not secure in any way, shape or form.
China for instance would never join a move to make the internet a fully encrypted bastion, so its residents will still be forced to rely on 3rd party applications to do this for them.
GCHQ in the UK and the NSA in the US don't want you to be encrypting your emails with secure keys because they want to be able to retrieve them and read them if they think you are up to no good.
And on top of that companies want to do it too. GMail and Yahoo both read your emails to inject adverts into their web email services that they think are relevant based on the content of those emails.
There is a history of governments taking down services because they won't turn over encryption keys and expose data (take a look at Lavabit as an example. You can also read this wiki article).
So when you consider these factors:
You can see that overhauling the internet in that fashion is a nigh on impossible task. And all it would take is for one bad apple to spoil the entire batch.
He explains the shutdown here: https://lavabit.com/ He was interviewed on DemocracyNow. He denied being served an NSL, but he did hint that the FISA court restricted his access to contacting a lawyer privately, and gave him a gag order.
Lavabit did hand over 5 SSL private keys to the Feds.
I find Lavabit's About page very dishonest:
"In 2013, we suspended service to protect our global customers when the U.S. government ordered us to release our Transport Layer Security private keys. To protect your digital privacy and freedom, we said no."
Nowhere do they say, "then we handed the keys to the Feds - sorry!".
As we see from the Lavabit incident (https://lavabit.com/), the government can levy huge fines. Probably Google and Apple can pay those fines and try to fight them, but it would bleed into huge expensive battles.
By not paying these fines, these companies are open to legal prosecution which is yet another legal battle.
Bad rep will definitely stop investors from investing in the companies.
Should the company lose a legal case they will be totally destroyed. So from a business perspective it doesn't make sense to directly fight government.
Most businesses try to adapt to the local situation to maximize profit. For example, US corporations trying to do business in China promote bribery and nepotism, which they would do far less conspicuously in the US.
Also, on the encryption and cryptography front, the NSA employs a huge number of scientists and it funds a lot of the research. So it has a lot of say in that area.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
http://en.wikipedia.org/wiki/National_security_letter
And who knows what else... ongoing censorship is difficult to research.
I use protonmail.ch because their servers are in Switzerland, and the mailbox is fully encrypted (even doubly, if you want).
Not even the NSA can break that kind of thing. I know because they didn't manage it with the similar project Lavabit.com either.
In the end they had to shut it down because the admin didn't want to give the fucking American government the keys (at first he screwed them over and printed them out on paper with an error :), later they wised up and ordered him to hand them over in digital form).
In that case you'll love Lavabit's privacy policy:
"The Lavabit servers also collect private information in the web server log files. The log files store basic information about what IP addresses access our site, what web browser was used, what file was accessed and what time that access occurred. [...] On a final note, the Lavabit e-mail servers do record the IP address used to send an outgoing message in the header of an outgoing e-mail. Because of this, it is possible for the recipient of a message to identify what IP was used to send a message."
> So you wanted him to keep the servers up while the fed squeeze him for the keys?
Feel free to actually read my words in this post, and you'll see I never said that. Your position is beyond suggestive, and it does not apply to my words or stance here.
> You are advocating that he just continue to operate his business while some of his customers are unknowingly spied on?
Once again, you attempt to place words that I have not said; I have never said anything remotely related to your ill attempt at misrepresenting my position.
By not using the best protocol available at the time for the privacy of his customers and the security of his business (Google used PFS since 2011), both were placed in jeopardy. Take your time to read my responses here, and you'll see that I don't like Lavabit's false insinuation of protecting their users while attempting to advertise their previous position as a strength, and it's hard to trust this 'new' Lavabit based on their ill reputation from not using the most secure standards that technology afforded at that time.
If I own a business and I choose to not use the most secure protocol available, and my business is compromised, I would be obligated to protect my users. However in the end, if I did hand over my SSL keys to the Feds, I surely wouldn't feel honest saying:
"In 2013, we suspended service to protect our global customers when the U.S. government ordered us to release our Transport Layer Security private keys. To protect your digital privacy and freedom, we said no."
Clearly Lavabit said yes, when they handed the Feds their SSL keys, which is not what they are currently advertising. Was it good they closed down, yes - they should be obligated to protect their users' privacy.
Edit: grammar
> He did everything directly within his control to prevent that data getting into the hands of the government
He directed Lavabit to using PFS as to better protect his customers and his business model? No he did not.
> That's literally the yardstick you're trying to stick him with.
Advertising on Lavabit's new site only the part where he didn't give up SSL keys to the Feds:
"In 2013, we suspended service to protect our global customers when the U.S. government ordered us to release our Transport Layer Security private keys. To protect your digital privacy and freedom, we said no."
That quote misrepresents Lavabit's stance on security, privacy, and their willingness to be as technically competent as possible. Period.
Try as you may to cloud the conversation with emotional conjecture, but you are the one who consistently skirts around the facts. Have a great day :)
> he gave them the keys and then TORE IT ALL DOWN so said keys were worthless.
The Feds' possession of SSL keys in conjunction with intercepted Lavabit data is worthless? What's well documented is that other companies used PFS in 2011; like it or not I'm not an apologist for companies that don't do their best to protect their users. It's important for companies to not misrepresent facts, so potential customers can make informed decisions about the company's previous handling of private data.
Lavabit is what Edward Snowden uses...they shut down a few years ago when they refused to give away the email encryption they use..... Lavabit came back online JANUARY 20, 2017....... wonder why?!?!?!
January 20th, 2017
Fellow Citizens & Lavabit Users,
...
Today, the democratic power we transfer to keep identities safe is our own. With your continued patronage, we will restore privacy and make end-to-end encryption an automatic, ubiquitous and open source reality.
In Freedom, Liberty & Justice…
Ladar Levison Owner and Operator Lavabit LLC
I, too, had a paid account before they shut down. The only thing I think you can do is contact their support via email. Whoever is running it now is not responsive; or, they weren't in my case.
https://lavabit.com/support.html
At the bottom is the "Contact Us" form. I would not trust Lavabit if my life depended on it.
True, but would a company, like Signal for example, abandon their “zero knowledge” business model for a “crypto + plain text” model, and if they did how would we know?
Or would OWS pull a Lavabit and hand over the encryption keys, and publicly wave the “we shut down & resisted” flag, and dishonestly obfuscate their previous snitch in their new business?
“In 2013, we suspended service to protect our global customers when the U.S. government ordered us to release our Transport Layer Security private keys. To protect your digital privacy and freedom, we said no.”
Seems Lavabit now fools a lot of people with their half truth advertisement. What if OWS were to switch up their security model, and never ‘shut down’ like Lavabit? Maybe Lavabit never really shut down, maybe it took them a bit to implement a “crypto + plain text” model.
Speculative yes, but also a valid concern considering the US Deputy Attorney General’s stance on backdoors.
Lavabit was US based. I heard a while ago that it was being resurrected from the dead, but I don't know anything more about it; its website is https://lavabit.com/
That said I'd highly advise against US based email services. Lavabit was originally shut down to avoid complying with a government order to hand over all data on Snowden, who used the service back then.
It's likely that any US based service will either face the same fate as Lavabit did back in 2013, or will comply with government and other organizations to avoid having to close their business.
While I really like what Lavabit is doing, they are not there yet:

Lavabit question page:
> How do I switch between modes (Trustful, Cautious, Paranoid)?
> Currently we only support Lavabit Flow, which allows users to operate in "Trustful" mode using any POP or IMAP client. While we've developed command line tools, and libraries with DIME support, we are still working to integrate them into full fledged applications suitable for customer use. We're working hard to get these clients finished quickly, and welcome your help with the effort.

Lavabit security page:
> Trustful Mode: The server handles all privacy issues requiring users to trust the server. Accounts operating in Trustful mode send messages using the Simple Mail Transfer Protocol—SMTP— and receive messages using the Post Office Protocol—POP—or the Internet Mail Access Protocol—IMAP.
> Cautious Mode: The server is only used to store and synchronize encrypted data, including encrypted copies of a user’s private keys and encrypted copies of messages. Cautious mode provides a comparable user experience to email today—while minimizing the trust placed in the server.
> Paranoid Mode: The server will never have access to a user’s private encrypted or decrypted keys. You have complete control over your information. You can leave it on one device if you like. Or attain perfect forward secrecy by rotating your key and destroying old keys—thus making your messages permanently unreadable.

You will want to wait for Cautious Mode, otherwise Proton is just further down the road right now.
I've been seeing everywhere that Lavabit doesn't have end-to-end encryption, but they say they do right here on their website. Are they lying? Has it been tested or verified?
The annual prices will be 50% for a while, kind of a pre-order deal (https://lavabit.com/want-lavabit.php)
During our limited launch and DIME migration (which will end soon) we are pre-registering new Lavabit users at ½ the price of future subscriptions. Sign-up today for future Lavabit service, and you will receive a promotional code redeemable at launch ensuring your price will remain the same for the life of your account.
5 GB storage, 15 dollars a year (normal price 30 dollars)
20 GB storage, 30 dollars a year (normal price 60 dollars)
> But yeah, that text you linked is pretty much useless and don't debunk anything.
While I might agree, quoted text is just as useless as a PGP signed canary. If they lied on their /policy page then they might lie on the canary too. You can decide to trust both or neither.
Unless they got a court order ordering them to keep the whole domain riseup.net as it was and running. But in that case the court order could also include a demand that the canary must be updated. (I am not familiar with US law so I don't know if that is possible.)
A similar thing happened with Snowden's email provider LAVABIT. They decided to pull the plug.
Also important: if you trust the canary and the canary doesn't get updated, that doesn't mean that the court order/national security letter/warrant and gag order on riseup.net has anything to do with WikiLeaks. It might be regarding another account.
Can a US court under The Homeland Security Act/Espionage charges demand seizing and decrypting of WikiLeaks connected accounts on riseup.net? We need a law expert here to chime in.
"An error occurred during a connection to cloudmining.butterflylabs.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)"
Same thing lavabit did under NSA pressure https://lavabit.com/
what do you see?
The service is amazing, essentially a bunch of nerds from Texas who got together and said fuck you gmail. Though I wouldn't use it without an email client, try mozilla thunderbird.
https://lavabit.com/apps/register
Basic account, no ads, slightly better (better than gmail) ads but no tracking like Google does, then there's pay accounts, and they can do quite a bit.
Any idea where they keep their servers? Ideally, I'd like something out of Uncle Sam's hands. I believe there are privacy-friendly jurisdictions in Germany and Sweden?
edit: not thrilled with Lavabit's privacy policy. "the Lavabit e-mail servers do record the IP address used to send an outgoing message in the header of an outgoing e-mail. Because of this, it is possible for the recipient of a message to identify what IP was used to send a message. We record this information in the message header so that law enforcement officials in possession of a message that violates the law can identify the original sender." Covering their own asses for the police, but still, I'm not really happy . . . probably just gonna bite the bullet and fly with Tormail. I really like what they're saying on their homepage.