Convenient, maybe, but prematurely shutting down secure email because you anticipate the government will come out to get you effectively does the government's job for it.
Albert Hirschman wrote a famous book called "Exit, Voice, Loyalty" about different styles of responses to conflict. Different strategies are certainly called for in different situations. But most exit strategies (outside of suicide) rely on retreats to spaces outside the sphere of influence of the conflict initiator.
The existential space of the Internet is not the infinite, however. Although a nurturing environment for human freedom, it's also a fragile ecosystem, and giving up on a couple key nodes, in its current form, is enough to destroy it, shadowy dreams of darknets notwithstanding. When freedom retreats from all Internet spaces in the USA, that is plausibly more than enough to kill it as a haven for freedom anywhere.
It's not the end of freedom or anything like that: maybe it's strategic to retreat to spaces more decentralized and harder to compromise than the Internet, and other fights can be fought and won in those. But that's not a gamble I want to make, especially because the fight for Internet freedom hasn't been lost yet! Not by a long shot.
ETA: This came off harsher than I anticipated: I had no idea that Silent Circle is a project of Phil Zimmerman. Damn, that's dispiriting. Time to pop open a beer.
ETA2: Yeah, I think I jumped to conclusions about their central motivation and shouldn't have implicitly doubted as much their stated reasons. Boo me.
I'm a Silent Circle employee, but I'm not speaking in any official capacity...
The issue with email is that we _had_ to touch plaintext at times. People expect email to work universally, so we had to accept unencrypted mail from outside clients, which we then encrypted for our users. That is a major departure from our other services. It's something we disclosed quite clearly, but we've decided that even with the disclosure, it's simply not worth the risk. We don't even like the idea of storing ciphertext (and obviously, running a mail server means you end up storing a fair amount if it). You can't be compelled to give up what you don't have.
This isn't a 'retreat.' Silent Mail was used by a relatively small percentage of our users. Silent Phone and Silent Text are services that we can provide 'responsibly' (in that we don't ever see plaintext, and hold ciphertext in extremely limited situations). They are our core services, and provide our users with the some of tools necessary to communicate securely and privately. We aren't giving up the fight by any means.
It would be nice if there was an extension to SMTP which allowed the receiving server to inform the sending server of the recipients public key, so that the message could be encrypted at the sending servers end before being passed on. That way, the receiving server wouldn't see the plain text.
Silent Circle had a feature where people could upload their public keys to their keyserver and then Silent Circle would encrypt any outgoing email to that person with their key if it wasn't already encrypted. Something like that, but more automated.
As for meta-data, when I looked at Silent Circles services, they were adding Received headers to email which contain the senders IP address. I know that's common, but it's certainly not required. Even Google don't do that with GMail. There was definitely plenty of room for improvement. How about a mail service which packs the entire message including headers into the MIME body of a new message before enrypting. So the original message headers are all secured too. It wouldn't look as nice in the receivers mail client, but it would be much more secure.
Can't you offer PGP-only e-mails, and just tie everyone's public key to their "profile" on the service? Then, even if they don't specifically have that person's public key, they can still send them e-mails through PGP as long as that other person also has a Silent Circle e-mail account (because you already have that person's public key, so you can connect the two).
And of course you should not offer e-mail outside of Silent Circle in any way. I actually can't believe you did that. Silent Circle was supposed to be all about security, not "convenience". If some customers didn't like that, then they shouldn't use it. Now look at the mess you created because you thought it's good to have the convenience of sending anyone an e-mail. You shouldn't have offered that to begin with.
So see if you can come back with a PGP-only e-mail in a way that you couldn't add some kind of spyware to get people's private keys if NSA asked you to do it. It might also be a good idea to offer the maximum encryption level (RSA 4096 bit?) if you can afford it (or ask them more money for it), since PGP is more vulnerable to cracking than say OTR, especially if they target some of your customers. And use forward secrecy for the TLS channel.
Is there any way you could use the Bitmessage protocol? Or whatever Retroshare is using for e-mails?
The offering was PGP-only email. The server encrypts the message when it's sent so the user doesn't have to install PGP. That's why plaintext was visible.
This sounds sensible. However isn't the same problem present with "out-circle access" in voice calls?
"Silent Phone subscribers can place and receive calls 'outside the circle' from wherever they are in the world, to or from conventional phone numbers*" -https://silentcircle.com/web/out-circle-access/
OCA is a little more 'obvious' in its shortcomings. We still disclose this as clearly and responsibly as we can, but to the average, non-technical user, it seems intuitive that calling a phone that is "outside the circle" is less secure. Our choice for the brand name "Out-Circle" was very intentional.
The key difference though is in the data that we have to hold on to. With email, we had to hold on to all sorts of metadata in the email headers (no matter how it's stored, we would obviously have to be able to read it, in order to provide 'email' service). OCA has no such issue. We don't have to log any metadata. Obviously you need to assume that information is being logged _somewhere_ (again, the 'outside' part), but we're not ending up with anything that we could be compelled to hand over.
OCA is designed for a different threat model. If you're concerned about the NSA (or the USG (or more broadly the 5 Eyes) in general), then OCA isn't for you. By and large, OCA is for people that need to get their communication securely out of some 'hostile' environment, and aren't especially concerned about western governments (e.g. someone living under an oppressive regime who wants to talk to their ex-pat family in Canada, or a US business man traveling in a country known for stealing trade secrets who needs to talk to his home office about product designs).
Which isn't to say there isn't always room for improvement...
Your comment got me thinking about ways we could do a better job pointing out the limitations of OCA, and had an interesting idea for a simple way to remind folks. So thanks for making us think about it again.
> You can't be compelled to give up what you don't have.
You are a man in the middle though, could you not be compelled to funnel data in transit to govt. agencies? I mean, if the argument is that you don't want to be in a situation where you are asked to compromise privacy surely you have to remove yourself from the data handling all together.
That's still just ciphertext. The Silent Phone session negotiation is P2P (unless I'm mistaken), so there isn't even ciphertext passing through there. Silent Text uses something like OTR, so there's still only ciphertext.
"Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure."
I didn't read it as they were prematurely shutting down before the government came after them. I read it as them admitting that they couldn't secure email as much as they would like and are admitting flaws in their encryption strategy.
Not their strategy, but the protocols used to handle email. There is simply no way to send emails using standard protocols without leaking information.
In a statement to TechCrunch about whether the shut down was only because Silent Circle felt email was insecure, CEO Michael Janke tells us
“It goes deeper than that. There are some very high profile people on Silent Circle- and I mean very targeted people- as well as heads of state, human rights groups, reporters, special operations units from many countries. We wanted to be proactive because we knew USG would come after us due to the sheer amount of people who use us- let alone the “highly targeted high profile people”. They are completely secure and clean on Silent Phone, Silent Text and Silent Eyes, but email is broken because govt can force us to turn over what we have. So to protect everyone and to drive them to use the other three peer to peer products- we made the decision to do this before men on [SIC] suits show up. Now- they are completely shut down- nothing they can get from us or try and force from us- we literally have nothing anywhere.”
As someone who followed Phil Zimmerman's epic battle with the US govt in the 1990s over PGP, I am seriously bummed by this news. For someone with as much personal conviction and moral depth as Phil Zimmerman to essentially pre-emptively give up on the idea of offering truly secure email, means to me, that the US government has now crossed a certain threshold that will be very very difficult to come back from.
Think about it. It's chilling. The idea that a paragon of privacy and encryption, not to mention a legend in terms of standing up to the government for freedom, has now said "I fold" to the simple idea that an American company offers true privacy of email communication.
How long before we have government installed microphones and cameras .... Oh never mind. It's already here.
Maybe Americans will have to get their privacy tools from other countries. Think about that for a second.
it doesn't have to be surrender. It could be an acknowledgement that email is insecure by nature, that there is no good way of making it completely secure, and wanting to keep people as safe as it is possible to do so. ie; it could be a move towards /more/ privacy by saying, here, use these other tools we have where we cannot be compelled to give the USG anything. If they were shutting down everything, I would be scared, sad, etc. Shutting down email they are essentially saying, we can't make this secure, and we don't want you thinking we can.
Which I would argue is correct. It seems to be intrinsically difficult (to say the very least) to have a communications system that is open to anyone to send messages to a given address (even if the sender is not known), and supports queueing messages for eventual delivery so that both ends don't have to be online at the same time.
The 'Pond' system mentioned elsewhere in this thread looks promising, for example, but that system doesn't allow for unknown people to send messages. This is perfect for many communications needs but can't supplant email entirely.
But I'll note if I'm reading the user guide [1] correctly that it's going to be very difficult to setup contacts, exchange messages, etc. in something like Pond, which would make its usage inherently suspicious (and liable for increased attention thereby, if we assume general domestic surveillance).
Wow. Evidently they destroyed all the data preemptively as well. No notice, just poof. You have to wonder if they thought the situation was dire enough to not give people any warning that their emails were being lost. I understand the decision from a security standpoint, but there must have been some fear up in that decision room. Applaud them for the tough decision.
"Mike Janke, Silent Circle’s chief executive, said in a telephone interview late Thursday that his company had destroyed its server. “Gone. Can’t get it back. Nobody can,” he said. “We thought it was better to take flak from customers than be forced to turn it over.”
That's harsh, but I'm glad to (finally) see an appropriate companies reaction to all this mess. Sadly, most non-technical people will not understand what such companies do and these stories unlikely hit headlines or have bigger impact on public opinion.
Excerpts:
"If you're not afraid of the NSA, then encryption is good enough. If you are, then the headers in your email leak so much information that you don't really need to decrypt... Study the other headers and there are all sorts of other things that one mailer or another leaks as well as all the servers all along the way. Most importantly, all of this is permanently stored in everyone's email archives which most of us keep lots of. This is what the NSA wants. They want to construct the social graph, the interactions, the timings. This is how they get "chatter." None of this is encrypted. This is why email is broken in ways encryption can't fix..."
I was thinking the same thing. In the past, when people have advocated replacing SMTP with something else to combat spam, that idea is always shot down with "too many clients, too much infrastructure" but if you have a new application and real demand (and it seems like there is) then you perhaps you could get enough traction to make that work.
Perhaps. Not sure I like the 'vaporizes in a week' thing. Point to point is good, and clearly something in the middle has to be designed in such a way that traffic analysis of the middle doesn't help. And like Lavabits you have to be careful that if your server infrastructure could be modified to break security, it can be compelled to be modified with an NSL and that is why I expect anything that is solved will only be solved with a server you "own" in your residence (at least in the US) to require the whole warrant process to get access to it.
Yeah, a few people have been looking at how to do things like this too (I've been talking to them); the idea being mix-net vs. onion routing, which is the big win of being async, and sensible defaults. It's a lot easier to do confidentiality/integrity/etc. on messages vs. traffic analysis resistance vs. strong adversaries, though.
Thinking, you register an "address" which can only be registered/announced once... that includes a public key (software generates private key)
When sending a message to someone, the entire envelope of a current email will be encrypted against the recipient's public key. That is the "msg", from there a crc32 of the msg is generated as a "sig" (signature), then a bcrypt of (address + sig) is generated as a "conf" (confirmation of intended recipient). The message is then addressed to a crc32 of the address... this allows for enough uniqueness so that super nodes don't get flooded, but still allow for some routing and query ability.
When you open your client, it connects to the DHT system, and then requests the sig/conf for any messages to crc32(address) then does the calculation locally to determin if a message is actually for said user. It can then request the actual message.
After N days a message should be deleted from the dht systems.
maybe have from:crc32(addr), to:crc32(addr) with two envelopes.. the outer would be encrypted against the recipient's public key.. so that the recipient could get the sender's address and their public key to decode the rest of the content...
As a general point... isnt spam something worth putting up with in order to get secure email? If there is too much spam, obscuring the legit emails, couldn't the client end filter that out?
Frankly, to take and extreme, if I were reliant on secure email for my life, spam would be the very least of my problems.
As a totally random thought, is there no way to use spam to hide and secure legit email?
Well, my initial thought was having the sender's hash could allow for a list of know offenders... but it would be easy enough for spammers to create thousands of address announcements...
If there was a push notification based email server, where the server would have to connect to the sender's server (based on DNS entry) to pull said message, it could allow for better spam filtering... but this would remove the decentralized part.
You are correct in that if I am relying on secure email for my life, then spam would be the least of my problems... but those who feel they must have secure email isn't enough to catalyst a new email system into broad use.
For what it's worth, I'm starting a new project to do just that. The project aims to enable secure mail & file sharing.
There isn't much code ATM, and the protocol hasn't been spec'd out, but I have an idea. If you want to talk more & contribute in the early protocol design phase you can find me on #gourami on freenode.
Are they shutting down preemptively because shutting down a service that has received an NSL is illegal? I'll be watching what happens to Lavabit to find out.
If they get rid of the service and the data pre-emptively, they can safely destroy the data. Once they've recieved an NSL, they have to comply with the order and provide the data (or at least the metadata) or be in contempt of court.
NSLs come with gag orders, and it's possible that the government would view shutting down a service entirely as a violation of the duty not to disclose. It gets fuzzy here, because we're speculating on how a secret court will rule on a body of secret law while working hand in glove with the NSA.
IANAL, but a reasonable guess tells me that while shutting down the service wouldn't be illegal, you would still be on the hook for the requested data. You don't pony up, the Feds would, at a minimum, charge you with obstruction of justice and consequences would follow.
"Silent Phone and Silent Text, along with their cousin Silent Eyes are end-to-end secure. We don’t have the encrypted data and we don’t collect metadata about your conversations. They’re continuing as they have been. We are still working on innovative ways to do truly secure communications. Silent Mail was a good idea at the time, and that time is past."
They are keeping other services going, just shutting down email.
We're all aware that providers can be compelled legally to backdoor aggregation points (i.e. central servers), but could they be forced to put backdoors in their client software too? What about a letter or court order compelling them to re-engineer their software to either remove strong cryptography or force all traffic through a central point, thereby killing their business?
Yes, I think the only way to solve that problem is that the providers fully open source their client code and that the client code is built and proofed by the users.
Interesting strategy. So, while they were not able to store the content of the emails, they still retained the metadata. That metadata could be subject to subpoena, and if they destroyed the data after a request, they'd be in contempt of court. Dropping the service pre-emptively lets them delete all the data before they are asked for it.
Silent Mail had to inter-operate with other mail services and users (many of whom have no desire to use PGP). That means we had to touch plaintext at times (even if it was just an incoming message from a non-Silent Mail user, prior to us encrypting it and storing it for our user).
It was different from the other products because mail inherently doesn't allow end to end encryption without a lot of manual key management (which is exactly why no one does it). Some day we would love to offer a service that _can_ do that, but email, in it's current form, can't do that for us.
Speaking personally, I'm very excited about projects like Adam Langley's Pond.
It would be up to the client to install PGP for true end to end encryption.
What I was wondering - why don't they keep the email service but reject all emails that are sent without PGP? Then people would have to go through the pain of installing PGP but they would end up with truly secure email.
I'm in complete agreement. Excellent way to kill two birds: Sunset an underperforming product and turn Lavabit's courageous decision into marketing opportunity.
Is there any standard out there for trying to create some "future" mail?
Ideally it would handle--or emulate--old email clients until they had time to be upgraded but is this even under consideration now?
I think now more than ever we should evaluate SMTP and see what we can do to either secure it or replace it.
Looking at a barebones SMTP server in Node.js I could see some ways to very easily encrypt all data but that only goes so far.. you're still receiving the normal mail headers you would get with any other platform.. I think we need to get at this data but I am so far unaware of a solution to this beyond basic TLS.
Albert Hirschman wrote a famous book called "Exit, Voice, Loyalty" about different styles of responses to conflict. Different strategies are certainly called for in different situations. But most exit strategies (outside of suicide) rely on retreats to spaces outside the sphere of influence of the conflict initiator.
The existential space of the Internet is not the infinite, however. Although a nurturing environment for human freedom, it's also a fragile ecosystem, and giving up on a couple key nodes, in its current form, is enough to destroy it, shadowy dreams of darknets notwithstanding. When freedom retreats from all Internet spaces in the USA, that is plausibly more than enough to kill it as a haven for freedom anywhere.
It's not the end of freedom or anything like that: maybe it's strategic to retreat to spaces more decentralized and harder to compromise than the Internet, and other fights can be fought and won in those. But that's not a gamble I want to make, especially because the fight for Internet freedom hasn't been lost yet! Not by a long shot.
ETA: This came off harsher than I anticipated: I had no idea that Silent Circle is a project of Phil Zimmerman. Damn, that's dispiriting. Time to pop open a beer.
ETA2: Yeah, I think I jumped to conclusions about their central motivation and shouldn't have implicitly doubted as much their stated reasons. Boo me.