Lavabit has revealed something incredibly important.<p>The US Government has no problem with seizing your <i>private keys</i>. It claims the right to impersonate you without your permission.<p>It no longer matters which system you use, Sovereign Keys, PGP web-of-trust, traditional PKI, they're all the same. Services based in the US can be MITM'd without leaving any traces.<p>If this is allowed to continue uncontested there will be no way to stay secure online. The <i>only</i> solution is a partial solution, to create decentralized services. This, at least, will require the government to seize the private keys of each individual they want to track.
I'm so sick of being sickened. I hate that this is becoming the norm and we can't do anything about it. I hate to spit cliches, but is this where my tax dollars go?<p>For me, govt and internet should almost be like church and state. Where is the data around foiled terrorist plots? I just can't stomach the obtuse logic that we need to pay our taxes to employ these virtual minders. This is not what the internet is about. It just seems so incredibly difficult to mobilise and take action against this shit ...<p>Btw, Ladar ... you've been incredible in all of this (tips Stetson)
To my understanding this is what I would expect to happen. He handed over the cert to the FBI, so from a security standpoint it's useless now and should be considered compromised.
Anyone using Safari or IE apparently isn't getting a forward secure connection to <a href="https://Lavabit.com" rel="nofollow">https://Lavabit.com</a>. They end up with TLS_RSA_WITH_AES_256_CBC_SHA according to SSLLabs[0].<p>Since things escalated to the point where Lavabit had to hand over its key rather than the data on one account the FBI obtained an initial court order for [1], anyone with a transcript of those sessions and access to the key can read them.<p>The resulting cipher suites:<p>IE 6 / XP No FS * SSL 3 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168<p>IE 7 / Vista TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256<p>IE 8 / XP No FS * TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 168<p>IE 8-10 / Win 7 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256<p>IE 11 / Win 8.1 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256<p>Safari 5.1.9 / OS X 10.6.8 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256<p>Safari 6 / iOS 6.0.1 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256<p>Safari 6.0.4 / OS X 10.8.4 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256<p>Safari 7 / OS X 10.9 TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) No FS 256<p>[0]<a href="https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Flavabit.com" rel="nofollow">https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2...</a>
[1]<a href="http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/" rel="nofollow">http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/</a>
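Added example, not part of any comment in this thread: the "No FS" column in the list above follows from the key-exchange token in each suite name, and this sketch classifies suites on that basis. The `client|protocol|suite` row format, the function names and the final ECDHE row are assumptions made for the illustration.

```python
import re

# IANA names for TLS <= 1.2 suites: TLS_<key exchange>_WITH_<cipher>_<mac>.
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)$")

# Constructed sample: three rows taken from the SSL Labs list quoted above,
# plus one constructed ECDHE row for contrast. Fields: client|protocol|suite.
HANDSHAKES = """\
IE 6 / XP|SSL 3|TLS_RSA_WITH_3DES_EDE_CBC_SHA
IE 8-10 / Win 7|TLS 1.0|TLS_RSA_WITH_AES_256_CBC_SHA
Safari 7 / OS X 10.9|TLS 1.0|TLS_RSA_WITH_AES_256_CBC_SHA
Constructed client|TLS 1.2|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
"""


def key_exchange(suite):
    """Return the key-exchange token of a TLS <= 1.2 suite name, e.g. 'RSA'."""
    m = SUITE_RE.match(suite.strip())
    if m is None:
        raise ValueError(f"not a TLS <= 1.2 IANA suite name: {suite!r}")
    return m.group("kx")


def forward_secret(suite):
    """True only for ephemeral (EC)DHE key exchanges.

    With plain RSA (or static DH/ECDH) the session secret depends on the
    server's long-term private key, so a recorded session can be decrypted
    later by whoever obtains that key.
    """
    return key_exchange(suite).split("_")[0] in {"DHE", "ECDHE"}


def exposed_clients(table):
    """List clients whose recorded sessions are readable once the key is disclosed."""
    exposed = []
    for row in table.strip().splitlines():
        client, _protocol, suite = (field.strip() for field in row.split("|"))
        if not forward_secret(suite):
            exposed.append(client)
    return exposed


if __name__ == "__main__":
    for client in exposed_clients(HANDSHAKES):
        print(f"no forward secrecy: {client}")
```
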
Consider donating to <a href="https://rally.org/lavabit" rel="nofollow">https://rally.org/lavabit</a>. Lavabit needs at least 250k to continue fighting in the Supreme Court.<p>See his last update on the rally page.
I've read quite a few complaints about the government on this post. My suggestion is to simply do something. You have (a) the ability to vote, so stop voting in Republicans OR Democrats (both equally as bad) OR even run yourselves. (b) send a letter to your representative, they occasionally will read the mail, plus you at least can vent your frustration at someone who CAN do something.
Can this be classified as -
<a href="http://en.wikipedia.org/wiki/Obstruction_of_justice" rel="nofollow">http://en.wikipedia.org/wiki/Obstruction_of_justice</a> ?<p>That is, I'm sure he understands that this action might be interfering with an investigation, and that it's reasonable to believe it was a willful act on his part.<p>Can you get into trouble for doing something like this?
I wondered why Safari (running on an older OS X 10.6 system) didn't report the certificate as revoked, although Firefox on the same system did.<p>The answer appears to be as described here:
<a href="http://www.intego.com/mac-security-blog/protect-safari-from-fraudulent-digital-certificates/" rel="nofollow">http://www.intego.com/mac-security-blog/protect-safari-from-...</a><p>After setting the proper options in Keychain Access, Safari reported the revocation correctly.
So I wonder, if he has been banned from revealing that he has handed over the key, does revoking it count as such a revelation?<p>At this point, the authorities have Streisand'ed their own case - anybody they were interested in would have stopped using Lavabit months ago. So they seem to be pursuing it out of pure belligerence at this point.
This is not new, people! We've known for many years that MiTM was "normal" in surveillance circles. We've been saying for years that CAs are probably compromised as well. Why does it take some "revelation" to make people PAY ATTENTION?<p>This is not a technical issue. It's a rights issue. Solving it by technical means only kicks the can down the road by an exceedingly small amount of time. Fix the system first.
I'm sure this comment will be buried, but I sleep better at night knowing HN can still get its panties in a wad over tramplings of freedom and the abuse of the system -- long after the mainstream media has lost interest. The young and old hackers reading these posts will no doubt start spending frontal lobe CPU cycles on solutions that will find their agile way into the public sphere in months, not years.
I cannot ignore this warning in Firefox 24 from official repository on Ubuntu 13.04. Actually, I cannot ignore outdated certificates, or those with unknown OCSP status (for example freshly issued certs) either.<p>Was there some change in Firefox's security model or is it my config? It's rather annoying.
When I viewed this page running Chrome (Version 30.0.1599.88 beta) on a ChromeOS device I did not get any warnings.<p>Interestingly, when I used Chrome on my Win8 PC (version 29.0.1547.76 m), I did see the warning pop up.<p>Doing some quick searching online revealed that Chrome does not appear to do online revocation checks any longer by default[1]. You can still manually turn it back on with the "Check for server certificate revocation"[2] option which is what I did.<p>[1] - <a href="http://www.macworld.com/article/1165273/google_chrome_will_no_longer_check_for_revoked_ssl_certificates_online.html" rel="nofollow">http://www.macworld.com/article/1165273/google_chrome_will_n...</a><p>[2] - chrome://settings/search#revocation
Am I reading into this right? The court declared he must hand over the private key to the SSL encryption on his server so the government could do as they wished with the traffic... and then Levison revoked the key, thus making it useless to everyone?
This is both chilling and depressing. The only reason why the general public is barely fazed or even cares about this nonsense is that they don't even understand what an SSL Cert is or what it means to have it taken away.
The Lavabit case highlights something interesting that we need. We need that not only individuals have privacy, but that businesses have privacy of who their users are. The same way we provide anonymity to users through centralized means, is there not a way to provide a way for a service provider to have a sufficient level of opaqueness of who their customers are? You can't subpoena Service Provider A if you don't know whether Person of Interest X is using the services of A, B, C, or D, etc.