[liberationtech] Lavabit stored user passwords in plaintext?

2013-08-14 Thread Bernard Tyers
I came across this article outlining historical operation of Lavabit's services. http://highscalability.com/blog/2013/8/13/in-memoriam-lavabit-architecture-creating-a-scalable-email-s.html It mentions in two separate places that they stored users' passwords in plaintext to allow key generation

Re: [liberationtech] Lavabit stored user passwords in plaintext?

2013-08-14 Thread Bernard Tyers - ei8fdb
On 15 Aug 2013, at 00:01, Tom Ritter t...@ritter.vg wrote: On 14 August 2013 18:29, Bernard Tyers b...@runningwithbulls.com wrote: I came across this article outlining historical operation of Lavabit's services.

Re: [liberationtech] Lavabit stored user passwords in plaintext?

2013-08-14 Thread Tom Ritter
On 14 August 2013 19:11, Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote: Yes, you're right. My mistake. But is my second question not still valid? If SSL was compromised would the user not then be compromised? Is: …we generate public and private keys for the user and then encrypt the

Re: [liberationtech] Lavabit stored user passwords in plaintext?

2013-08-14 Thread Bernard Tyers - ei8fdb
On 15 Aug 2013, at 00:20, Tom Ritter t...@ritter.vg wrote: On 14 August 2013 19:11, Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote: Yes, you're right. My mistake. But is my second question not still valid? If SSL was compromised would the user not then be compromised? Is: …we generate

Re: [liberationtech] Lavabit stored user passwords in plaintext?

2013-08-14 Thread Tom Ritter
On 14 August 2013 19:30, Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote: IF, (big IF) my understanding of Lavabit's architecture is correct, then if you gained access to the user's SSL session, and then also access to Lavabit's server where the user's data and (encrypted) private key is stored