SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
17 Apr 2014

Lavaboom builds encrypted webmail service to resist snooping

A new webmail service called Lavaboom promises to provide easy-to-use email encryption without ever learning its users’ private encryption keys or message contents.

Lavaboom, based in Germany and founded by Felix Müller-Irion, is named after Lavabit, the now defunct encrypted email provider believed to have been used by former NSA contractor Edward Snowden.

Lavabit decided to shut down its operations in August in response to a U.S. government request for its SSL private key that would have allowed the government to decrypt all user emails.

Lavaboom designed its system for end-to-end encryption, meaning that only users will be in possession of the secret keys needed to decrypt the messages they receive from others. The service will only act as a carrier for already encrypted emails.

Lavaboom calls this feature “zero-knowledge privacy” and implemented it in a way that allows emails to be encrypted and decrypted locally using JavaScript code inside users’ browsers instead of its own servers.

Security a priority

The goal of this implementation is to protect against upstream interception of email traffic as it travels over the Internet and to prevent Lavaboom to produce plaintext emails or encryption keys if the government requests them. While this would protect against some passive data collection efforts by intelligence agencies like the NSA, it probably won’t protect against other attack techniques and exploits that such agencies have at their disposal to obtain data from computers and browsers after it was decrypted.

Security researchers have yet to weigh in on the strength of Lavaboom’s implementation. The service said on its website that it considers making parts of the code open source and that it has a small budget for security audits if any researchers are interested.

Those interested in trying out the service can request to be included in its beta testing period, scheduled to start in about two weeks.

Free Lavaboom accounts will come with 250MB of storage space and will use two-way authentication based on the public-private keypair and a password. A premium subscription will cost €8 (around US$11) per month and will provide users with 1GB of storage space and a three-factor authentication option.

“In addition to your key-pair and password we can either send you a randomly generated code or you can use the OTP-feature of a YubiKey. Or even both. We strongly recommend using YubiKey,” Lavaboom said on its website.

Public-private keys used

The service uses the popular OpenPGP email encryption standard that’s based on public-key cryptography. Each user will have a public and a private key that will form a keypair. The public key will be advertised publicly and will be used by other users to encrypt messages sent to the key owner and the key owner will then use his private key to decrypt those messages.

“Key handling is a very sensitive issue,” Lavaboom said in a technical FAQ section on its website. “We let you download your keypair during registration. This is to ensure that your key remains in your possession.”

Lavaboom’s JavaScript code and the user’s private key is stored in the browser’s cache, which leads to some limitations. For one, this ties the key to a particular browser and makes accessing the account possible only from the device where that browser is installed.

“Never clear your cache from Lavaboom,” the email service provider warns on its website. “We do not offer password recovery, since we can’t! Once you flush your private key, all your data stays encrypted until you somehow rediscover your private key. We will not provide you with any refunds if you lose your private key.”

Because of this implementation, the service is also incompatible with tools like the NoScript security extension for Mozilla Firefox that blocks JavaScript code.

Lavaboom claims that it doesn’t know the exact locations of its servers and doesn’t have physical access to them, making it more difficult to respond to government requests for data.

“If we should become scrutinized by law enforcement we rely on a severe public outcry, since we are under jurisdiction of the German law and the best privacy laws in the world,” the email service provider says on its website. “If we should ever be forced by the BSI or the BND [Germany’s information security and foreign intelligence agencies] to give up all our data, rest assured that we do have something in place that will destroy our hard disks in a matter of minutes and turn them into little more than coasters.”

Tags:
Lavaboom Snowden USA data protection
Source:
PCWorld
2013
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015