[thecodeore]

How is it the Fault of Lavabit?

SSL is a standard secure communication protocol of the internet, it is not lavabits design and it is impossible for Lavabit to modify while still keep interoperability.

You do not seem understand the underlying problem, as many people are misinformed as to which key the government was requesting., They WERE NOT asking for the key of the private inbox data, they were asking for the GoDaddy Signed SSL key that encrypts the web browser session from the Lavabit User to the Lavabit server, not the user level key for the encrypted mail box stored on LB servers

This is the same protocol that HN uses for this very site, Amazon, Gmail, and thousands of other sites use every day to secure communications between public servers and the users of those servers

[res0nat0r]

> SSL is a standard secure communication protocol of the internet, it is not Lavabits design and it is impossible for Lavabit to modify while still keep interoperability.

Correct. If Lavabit wanted to be 100% immune from these type of subpoenas, then they would have designed the system to never have been accessible this way. I'm guessing (just like Hushmail) that having a proper end-to-end type encryption, like forcing the users to use some sort of PGP on their end would reduce uptake, thus preventing them from having a viable business model, so they compromised in this way.

Just because SSL is a standard etc is irrelevant. The government is going to use its subpoena power to get to the information they have reasonable suspicion is being sheltered by Lavabit. If the least intrusive method unfortunately exposes everyones data, well that really is what they call "tough luck."

[thecodeore]

Further on the "tough luck" point, that is not how our legal system is suppose to work, the government infact does not get access to any information even if they have a reasonable suspicion it is being "sheltered", there are all kinds of limits that are suppose to exist, and the "tough luck" part is suppose to be the burden of the GOVERNMENT not the people,

[tedunangst]

You should probably cite some sources for your theory of how the legal system is supposed to work.

[thecodeore]

US Constitution, Federalist Papers, 100's of years of case law, the very concept of innocent until proven guilty, all that supports the notation that the burdens are placed upon the GOVERNMENT not the people.

THe laws allowing for Pen Trap's are very clear that the pen trap must not cause undue hardship on the business in question, and there are simliar limits on all of the powers of government

The idea that the government has, or should have, unlimited power to destroy businesses and individuals in the pursuit of "justice" is not only ridiculous but very dangerous

[tptacek]

Could you perhaps cite one case in the hundreds of years of case law that supports the argument that privacy concerns override the right of the courts to every man's evidence?

[thecodeore]

You really do not understand what is going on here.

Hushmail would have the exact same problem, Hushmail is not all that different from Lavabit.

When you load a message from your hushmail encrypted inbox it is DECRYPTED on the server side using the password you provided at login, then the HTML representing the email contained in your inbox it is then ENCRYPTED by the web server using SSL and Signed Certificate that is recognized by a web browser, in Hushmails case that CA is thawte, in LB case the CA was GoDaddy and sent to you.

ALL HUSHMAIL USERS share the same SSL Encryption from the Hushmail server to their Browser, this is how the web works. There is no changing at least not by a single company.

The only way around that would be to not use HTTP, or web browsers. But then you could create an entire new messaging system like BitMessage, but LavaBit was attempting to give people private EMAIL, not create a new messaging protocol

[res0nat0r]

Exactly.

This has no bearing again whatsoever on what the government can subpoena. Just because it "sucks" that you've designed your system that if the feds need access to one account you've configured it such that one must grant access to everyones account when you have to comply is par for the course.

You could say that the blame for Lavabit being shuttered is actually due to the technical design of the site and the compromises made for connivence. You should blame the site creator for that, not the USG for exploiting it.

[thecodeore]

Why should I blame the site creator?

I do not believe the USG has the right to the SSL keys, period

But it is clear you believe that the USG should have unlimited power with free reign to do whatever it wants.

Then do you believe that power extends to forcing a business or indivual to commit fraud? Lavabit had an agreement with both its customers and its business partner GoDaddy to NOT reveal the SSL Keys to a 3rd party, the second it was forced to do so, it had an obligation to disclose those keys were compromised, failure to do so is fraud.

Do you believe the USG should or does have the power to force people to commit said fraud