You probably have heard a lot about the unconstitutional surveillance of innocent American citizens that the "National Security Agency" operates. Here are some details about an event with Lavabit's shutdown showing just how far the U.S. government is willing to go to impose its forceful invasion of every citizen's privacy and the subversion of cryptographical systems.
At the beginning of July, Lavabit was ordered to essentially divulge the login details of a specific user. This was a reasonable measure. However, this yielded no data to authorities because Lavabit sensibly encrypts its data.
Far more concerning, authorities proceeded to order Lavabit to release its SSL private key. This means that any traffic EVER sent to or from Lavabit's servers with that key would be transparent to whoever had access to the key and had recorded the data. Lavabit would have had to trust the government for all of its electronic security, including the private data of the hundreds of thousands of Lavabit users; since the government has never been good at protecting sensitive data, they certainly didn't deserve such trust. Thus, Lavabit had only the option of closing down remaining, which it did on August 8th, 2013.
SSL encryption is critical to Internet infrastructure. It's what prevents anyone from sniffing your passwords and other transmitted data when you access HTTPS-protected websites in public Wifi (including https://entgaming.net) or send an email via SMTP+SSL. Having the private key implies being able to decrypt all traffic for a given server, rendering these cryptographic measures useless. Authorities apparently decided that the activities of a single user warranted the transparentization of all users. This is like authorities compiling a plaintext list of usernames and passwords, ready to be exploited by anyone with malicious intentions, for every Google user, because one user sent out an email that authorities didn't like.
Not only did they do all this, but they also silenced Lavabit by giving them a gag order (making it illegal for them to disclose any information about what authorities demanded from them) and ridiculously fined them thousands of dollars each day that they did not comply. An appeal usually takes months.
We've already seen how the government has attempted to weaken cryptographic systems so that they are easier for them, and anyone else, to decrypt. Now, it seems they're willing to be even more open about it.
ENT Gaming will be reviewing our SSL software. In particular, we will enable perfect forward secrecy (PFS); this means that even if an SSL key is compromised, any communications encrypted with that key with PFS still will be resistant to decryption.
Read more at http://arstechnica.com/tech-policy/2013 ... s-ssl-key/
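A small check for the forward-secrecy point made in the post above, as an added example that is not part of the original post or ENT Gaming's configuration: it classifies OpenSSL cipher-suite names by key exchange and builds a Python server context limited to ECDHE for TLS 1.2. The sample suite list and all function names are constructed for illustration.

```python
import ssl

# OpenSSL TLS 1.2 suite names that start with these prefixes use an ephemeral
# (EC)DH key exchange, so recorded traffic cannot be decrypted later with the
# server's long-term private key alone.
FS_PREFIXES = ("ECDHE-", "DHE-")

# Constructed sample: a mix of ephemeral and static-RSA key-exchange suites.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",                  # static RSA key exchange
    "DHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_128_GCM_SHA256",      # TLS 1.3 suite
    "AES128-GCM-SHA256",           # static RSA key exchange
]


def is_forward_secret(name: str) -> bool:
    """True if the OpenSSL suite name implies an ephemeral key exchange."""
    # TLS 1.3 suites are named TLS_*; certificate-based TLS 1.3 handshakes
    # always use (EC)DHE, so they count as forward secret here.
    if name.startswith("TLS_"):
        return True
    return name.startswith(FS_PREFIXES)


def audit(names):
    """Return the suites in `names` that do NOT provide forward secrecy."""
    return [n for n in names if not is_forward_secret(n)]


def forward_secret_server_context() -> ssl.SSLContext:
    """Server context that offers only ECDHE suites below TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    print("Not forward secret:", audit(SAMPLE_SUITES))
    enabled = [c["name"] for c in forward_secret_server_context().get_ciphers()]
    print("Enabled suites failing the check:", audit(enabled))
```

Any suite the audit reports is one where a disclosed private key would let previously recorded sessions be decrypted.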
Off-topic: more details emerge on Lavabit case
-
- Protector of Nature
- Posts: 3180
- Joined: Sat Apr 06, 2013 10:26 pm
- Has thanked: 55 times
- Been thanked: 145 times
Re: Off-topic: more details emerge on Lavabit case
I like how much you care about online privacy. Thanks for your efforts!
-----
LIHL player parser, a tool to automatically parse LIHL players' Elo and create reports for it: CLICK
- DonaldtheDuckie
- Treant
- Posts: 301
- Joined: Tue Mar 05, 2013 6:02 pm
Re: Off-topic: more details emerge on Lavabit case
Yeah what Diablo_ said. This was really interesting reading uakf.b. TY for taking your time to share this with us.