|
|
|
|
|
|
by mediocregopher
4593 days ago
|
|
|
Lavabit's model involved sending/receiving cleartext data to/from the server, and you had to trust that the server-side would not store that plaintext. In our model no unencrypted data, except for the public key, is ever sent to the server. All encryption is done inside your browser. For your second question, all resources for the site, including javascript, are served over SSL. This will prevent about 99% of MITM tampering attacks. While we can't overcome the inherent weakness in SSL, or guarantee against compromise on the server-side, we are working on a browser extension which will check the code you receive from the server against what is in the repository, so you can at least be alerted of any inconsistencies. And since the website is all open-source, we're going to make it simple to host it yourself, if you want to be extra-sure that it's not compromised. EDIT: By "website" I'm referring to the frontend, in-browser code |
|
|