Most people consider email security from the perspective of a user of the service, or when assessing enterprise risk. Levison has an additional perspective. In 2004, he founded Lavabit. Unlike other providers, Lavabit encrypted inbound email, as well as email between Lavabit users, in such a way that it could only be read with the user's password. Short of Lavabit modifying its own software to deliberately subvert the service, emails could only be read by the intended recipient. In 2013, the company suspended its operations. As the world later learned when Levison was ungagged and the court records were finally made public, Lavabit had the privilege or misfortune (depending on your perspective) of being Edward Snowden's email provider, and the company was the subject of aggressive action by the US government. Among other things, the FBI sought Lavabit's TLS private key so that it could intercept user passwords as they logged in.
One of the ways email differs significantly from postal mail is that most people leave their email in the custody of a service provider. This enables access from anywhere, including mobile devices. It also gives hackers, foreign governments, law enforcement, and intelligence agencies the opportunity to obtain email from the service provider, usually without the owner of the email being aware. Until recently, US law treated email left on a server for more than 180 days (six months) as "abandoned", so obtaining it did not require a search warrant.
The only effective way to protect email is strong end-to-end encryption. Optional email encryption schemes such as S/MIME and PGP have existed for decades, but are seldom used because they are neither mandatory nor convenient. They also protect only the message body and attachments, leaving important metadata, including the To, From, and Subject lines, exposed in the clear to every server that handles the message.
Levison has spent much of the last three years working with experts to design the new system. He assembled a team to implement it; he had to let them go earlier this year due to lack of funds. The Dark Internet Mail Environment (DIME) standard was finalized about a year ago, and makes email security automatic. Supporting standards, such as the Dark Mail Access Protocol (DMAP) are being completed.
Asked about his development schedule, Levison replied, “I’m targeting early January to begin field testing the server.” He is in the process of raising capital for an external code audit and to relaunch Lavabit with his new secure email standard.
To succeed as a new global email standard, DIME must be adopted by other service providers. To facilitate adoption, Levison will be releasing the new mail server as free open source software. New client software that implements DMAP will be required to take full advantage of the security benefits, but as a bridge, users of existing clients can still gain improved security through DIME's "trustful" mode, in which the server performs the cryptographic operations on the user's behalf, so the user must still trust the provider.
Among the challenges Levison has faced are limited resources and difficulty finding skilled volunteer programmers to work on the open source project. “The task is sufficiently difficult that few have had the time to learn the skills, and then still make contributions to the implementation,” he explained.
It has been a long road, and Levison has a lot of work in front of him. But he remains very optimistic: “I feel like I’m really close, which is why I’ve been focused on raising venture capital as of late. I’d like to have an external code audit done, and hire a small team to support the launch, and finish implementing the client apps.” But, Levison added, “I’m committed to going it alone if necessary.”
Have a security question you’d like answered in a future column? Email email@example.com