by jasonkeene
4637 days ago
You don't get it. Emails were encrypted at rest with the user's password. This was publicly disclosed by Lavabit on their site. With the SSL key material the state could decrypt the user's password from network traffic. The encrypted emails and SSL key material are obtained through the courts, SSL-encrypted passwords via surveillance, and bob's your uncle, they can read a user's email. Lavabit wouldn't need to "build" anything and couldn't argue they didn't have the technical capability to turn over SSL keys and encrypted email data. This is why he shut down, so that users wouldn't continue to submit their passwords over the wire using a compromised SSL key.
With Patriot 216 pen trap, they can compel full cooperation to the same standard as a CALEA covered entity, which they knew he couldn't provide as well as their own pen trap device (at least without work; they found $2k unreasonable to implement it!), so they can get a warrant for SSL keys for their pen trap. With that they can do whatever.
There may be a solution in SSL keys which can't be exported (HSMs) into the pen trap; you'd potentially be able to require a secret compatriot offshore (or via a cutout) to assist in adding a new load balancer or front end, so you'd be technically unable to comply. They could require you generate and use new keys, but users could detect that, and you could warn of this when you first set up the system.