by lm741 4626 days ago
This is sketchy. The new server no longer attempts to provide any forward security.

For the old (now revoked) site, Chrome would use TLS_DHE_RSA_WITH_AES_256_CBC_SHA. For the new liberty.lavabit.com site, Chrome will pick TLS_RSA_WITH_AES_256_CBC_SHA with the new server. This means that instead of having to factor a 1024-bit DH parameter for each session, the FBI/NSA/etc. will be able to decrypt traffic to this server when they get the private key.

https://www.ssllabs.com/ssltest/analyze.html?d=liberty.lavab... https://www.ssllabs.com/ssltest/analyze.html?d=lavabit.com


Follow-up: I emailed support@lavabit.com asking them to update their configuration and linking them to https://wiki.mozilla.org/Security/Server_Side_TLS (Thanks for posting that, jvehent)
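The distinction the comment draws between TLS_RSA_* and TLS_DHE_RSA_* suites, as an added toy model (not code from the commenter, Lavabit, or any TLS implementation): with RSA key exchange the client encrypts the premaster secret to the server's public key, so anyone who recorded the handshake and later obtains the private key recovers the session with a single decryption; with ephemeral DH the private key only signs the server's DH share, and the recorder is left with a fresh discrete-log problem per session. All primes, generators and the `classify`-style suite parser below are constructed for illustration and are far too small to be secure.

```python
"""
Added example: why TLS_RSA_* key exchange loses forward secrecy while
TLS_DHE_RSA_* keeps it. All numbers are tiny constructed toy values,
not real keys or parameters; nothing here is secure.
"""
import random

# ---- Cipher-suite naming: the key-exchange token decides forward secrecy ----
# Assumption: IANA-style names of the form TLS_<kx>_WITH_<cipher>_<mac>.
FORWARD_SECRET_KX = {"DHE_RSA", "DHE_DSS", "ECDHE_RSA", "ECDHE_ECDSA"}

def key_exchange(suite):
    """Return the key-exchange part of a suite name, e.g. 'DHE_RSA' or 'RSA'."""
    body = suite[len("TLS_"):]
    return body.split("_WITH_", 1)[0]

def is_forward_secret(suite):
    return key_exchange(suite) in FORWARD_SECRET_KX

# ---- Toy RSA key exchange (TLS_RSA_*) ----
# Constructed small primes; a real key is >= 2048 bits and uses padding.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def rsa_key_exchange(rng):
    """Client picks the premaster secret and encrypts it to the server's key.
    Returns (session secret, what a passive observer records on the wire)."""
    premaster = rng.randrange(2, N)
    ciphertext = pow(premaster, E, N)
    assert pow(ciphertext, D, N) == premaster   # server-side decryption
    return premaster, ciphertext

def recover_rsa_session(ciphertext):
    """Observer who later obtains the private key: one modexp per session."""
    return pow(ciphertext, D, N)

# ---- Toy ephemeral Diffie-Hellman (TLS_DHE_RSA_*) ----
DH_P = 1000003   # constructed small prime; real DHE groups are >= 2048 bits
DH_G = 2

def dhe_key_exchange(rng):
    """Fresh exponents a, b per session; the RSA key would only sign A.
    Returns (session secret, what a passive observer records on the wire)."""
    a = rng.randrange(2, DH_P - 1)
    b = rng.randrange(2, DH_P - 1)
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)
    return shared, (A, B)

def discrete_log(target, g=DH_G, p=DH_P):
    """Brute-force discrete log. Feasible only because p is tiny; this is the
    per-session work the attacker faces, and the RSA private key does not help."""
    x = 1
    for i in range(p):
        if x == target:
            return i
        x = x * g % p
    return None

def recover_dhe_session(transcript):
    """Observer holding the RSA private key still has to solve a DL per session."""
    A, B = transcript
    a = discrete_log(A)
    return pow(B, a, DH_P)

if __name__ == "__main__":
    rng = random.Random(1)
    for suite in ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"):
        print(suite, "forward secret:", is_forward_secret(suite))
    secret, wire = rsa_key_exchange(rng)
    print("RSA kx, key leaked, session recovered:", recover_rsa_session(wire) == secret)
    secret, wire = dhe_key_exchange(rng)
    print("DHE kx, key leaked, session recovered only via per-session DL:",
          recover_dhe_session(wire) == secret)
```

The one-line recovery in `recover_rsa_session` is the whole point of the comment: once the key is out, every recorded TLS_RSA session is readable. In `recover_dhe_session` the private exponent `D` is never used; the attacker's cost is a discrete log per session, which the tiny prime here makes feasible but a 1024-bit group (the comment's figure) does not.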