Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

GoDaddy Cancels Lavabit's Crypto Key

Lavabit owner fights court order demanding he turn over the keys to his encrypted email service to aid the FBI's Snowden investigation.

Digital certificate registrar GoDaddy has canceled the SSL key used by Lavabit to encrypt its 400,000 subscribers' email communications after Lavabit owner and operator Ladar Levison publicly revealed that he was forced to provide a copy of the key to the FBI.

Cue revocation. "We revoked all of the SSL certificates we were able to associate with Lavabit," GoDaddy spokeswoman Elizabeth L. Driscoll told InformationWeek via email. "We're compelled by industry policies to revoke certs when we become aware that the private key has been communicated to a third party and thus could be used by that party to intercept and decrypt communications," she recently told Forbes.

Levison initially resisted the FBI's demand that he give the agency a way to gather near-real time email header and routing information for an account used by former National Security Agency contractor Edward Snowden. Snowden's use of Lavabit was revealed when journalists on July 11 received an emailed invitation from "[email protected]" to a press conference at Moscow's Sheremetyevo airport.

On July 16, FBI agents visited Levison in Texas, carrying a subpoena authorizing them to install a pen register on Snowden's account. But Levison declined, arguing in court filings that giving the bureau the SSL key would then give it access to every one of his customer's communications. A judge, however, later overruled those objections, hitting Levison with a daily $5,000 fine after he printed out a copy of the key in four-point type, but wouldn't give the bureau a digital copy of the key.

[ How far can the FBI legally go with suspected computer criminals? Stratfor Hacker: FBI Entrapment Shaped My Case. ]

Rather than comply with the order, in August Levison shut down his service, thus making the FBI's attempted surveillance of Snowden's account moot. At the time, however, Levison was under a gag order concerning the subpoena, and thus could only announce the closure in broad terms to his customers. "I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit," he said in a statement posted to his website. "After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot."

Now, however, many of the documents related to Levison's legal battle with the Department of Justice have been unsealed. He's now fighting related civil contempt of court charges, and this week filed a brief seeking to overturn the court order compelling him to disclose the private SSL keys. "I want to set a precedent that government can't ask for SSL keys," Levison told Forbes last week. "It's the security tool that underpins the Internet."

After shutting down Lavabit, Levison established a legal defense fund that he said has already raised $200,000. But said he's now burned through half of that, defending himself in court.

But will Levison's legal bid succeed? In fact, George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, said in a blog post that Levison faces an "uphill battle."

"The government obtained several different court orders requiring Lavabit to disclose the key. First, they obtained a pen register order; next, they issued a subpoena for the key; and third, they obtained a search warrant for the key," Kerr said. "In order to win on appeal, Lavabit needs to show that all three methods are improper. I don't think they can do this."

The problem is that because Levison possessed the crypto keys, he would have needed to demonstrate to a judge that his need to not disclose the key outweighed the FBI's need to monitor a suspect as part of an ongoing criminal investigation. "There are things you can do which are more or less effective to protect this stuff, from a legal standpoint," said security lawyer Mark Rasch, a former federal computer crime prosecutor based in Bethesda, Md., speaking by phone. For example, when it comes to crypto keys, a U.S. website operator could trust a friend in a foreign country to hold the only copy of the key. That would force the FBI, if it came calling for the key, to liaise with its foreign counterparts to try and get a foreign court to require that the key be disclosed.

"But the best protection is to just not have it," Rasch said. For example, every customer could obtain and hold its own key, without ever giving a site administrator access to it.

Levison, however, did have the single crypto key that was able to unlock all Lavabit communications. "At the end of the day, what he did was to say I'm going to shut down the service, because he can't provide secure communications -- and can't tell people why," Rasch said. "And the government can't order him to continue to run the service. Of course, there's nothing to stop him from starting a brand-new service two days later, using the same technology, except this time with multiple keys that he doesn't hold."

Obviously, Levison's decision to shutter his business rather than give the FBI a copy of his crypto keys highlights the business and reputational pressure that Levison faced. Once the FBI had the digital certificate that was used to encrypt all Lavabit communications, it could have then intercepted any of its 400,000 subscribers' communications. "They could read more than emails, they could intercept usernames, passwords, credit card transactions that were going through my site, log-ins, as well as email and content. And [the FBI] told me in person that's what they wanted to do, they saw it as pursuing a criminal and they didn't really realize what rights they were treading on in order to do it," he told The New York Times last week.

"I said 'look, if I did this for you guys, it will destroy my business if anybody ever found out,'" Levison said. "They said nobody will ever find out, it's going to be kept secret. How well did that work out?"

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mak63
50%
50%
mak63,
User Rank: Apprentice
10/13/2013 | 9:14:44 PM
re: GoDaddy Cancels Lavabit's Crypto Key
I applaud Lavabit (and GoDaddy to some extent) for the courage to stand up for what is right. Good luck on you're new enterprise.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27479
PUBLISHED: 2021-06-16
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected product’s web application could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users.
CVE-2021-27483
PUBLISHED: 2021-06-16
ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user.
CVE-2021-27485
PUBLISHED: 2021-06-16
ZOLL Defibrillator Dashboard, v prior to 2.2,The application allows users to store their passwords in a recoverable format, which could allow an attacker to retrieve the credentials from the web browser.
CVE-2021-31159
PUBLISHED: 2021-06-16
Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
CVE-2021-31857
PUBLISHED: 2021-06-16
In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.