THE tiny but highly regarded e-mail host Lavabit abruptly pulled the plug on its 400,000 users on August 8th. Edward Snowden, the fugitive American intelligence contractor, was a user. Lavabit’s owner, Ladar Levison, said he would rather shut the service down than “become complicit in crimes against the American people” after receiving government instructions that he says he cannot speak about. Before posting the message, he apparently rendered his customers’ stored e-mail permanently unreachable, probably by “zeroing” disk drives (using multiple passes to prevent the retrieval of magnetic “ghosts” left behind), permanently destroying the encryption keys necessary to extract archived messages, or both. Shortly afterwards Silent Circle, a firm that offers secured audio, video, messaging and e-mail said that it had killed its own e-mail system, which relied on different technology, even though it hadn’t yet been served with legal orders by the government. How do such “secured” e-mail systems work?
The internet’s standard e-mail protocols were developed decades ago, with little thought for security. Keeping messages safe from prying eyes remains jury-rigged today.
To send e-mail, a user employs software that communicates with a centralised server run by the user’s internet provider (such as AT&T or Comcast), or a third party, which includes giants such as Apple, Google and Microsoft, as well as relatively tiny firms like Lavabit. Without additional configuration, the text of a message travels over the open internet from the user’s software to the server. It thence wends its way to a mailbox on the same server or via the internet to another mail server at which the recipient has his delivery address. At any point along the way, a spy or hacker with the ability to access a server’s network can read all of these unencrypted messages. Should the snooper break into a mail server, all stored and transmitted e-mail would also be ripe for inspection.
Posted by Peter Kivuti LED at KayTouch Solutions.