by adekok 4620 days ago
Yes.

If you have separate server certs per user (as suggested above), then you can tell which user is using the service.

If you have separate client certs per user, then you can tell which user is using the service.

The Lavabit response to the original order was not the best, IMHO. As he was in possession of the certs and private keys, he could have decrypted Snowden's traffic himself, and handed it to the court.

Instead, he tried to hide behind a BS "it's encrypted" defence. The court called his bluff. He lost.

2 comments

I thought he offered to do that and they turned him down?

I would imagine him decrypting the data himself would cause problems in a chain-of-evidence type of way though.

hmm... is there a way to obfuscate that to the outside? Can you wrap the individual certs? Or use the same cert for everyone, but do a zero knowledge key exchange for people who want to log in, and then have them authenticate with a signed document keyed to a public key they gave when they signed up for the service?

Anyway, at least in the physical security industry, security isn't about preventing intrusions. It is about delaying it and limiting it until a sufficient response can be mobilized. Perfect security is impossible.