November 6, 2013
Silent Circle and Lavabit’s “DarkMail Alliance”
In the age of PRISM revelations, finding a truly secure email service can be a challenge. The recent news about government surveillance often makes us worried about the privacy of our personal information on the Internet. The NSA leaks have made us aware that almost all of us store our email with a third-party service, and that it can be intercepted in transit. Beyond that, emails can also be hacked or scanned by advertisers. With such user privacy concerns in the forefront, two secure email service providers, Lavabit and Silent Circle, have joined forces to launch a secure email system called the “Dark Mail Alliance”. Both Silent Circle and Lavabit had shut down their encrypted email services in August in a bid to resist surveillance.
The companies presented their ideas at the Inbox Love conference last week, saying that they hope to “change the world of email completely by putting privacy and security at its core.” Dark Mail would shield both the contents of an email and its “metadata,” including the “to” and “from” fields, IP addresses and headers. Instead of SMTP it will use XMPP, a web messaging protocol, along with SCIMP, a secure protocol created by Silent Circle. Silent Circle CTO Jon Callas said that “it’s high time to boot the antiquated SMTP out the door: This is just another transport – what we’re getting rid of is SMTP. We like to laugh at it, but there are reasons why it was a good system. We’re replacing the transport with a new transport. E-mail was designed 40 years ago when everybody on the Internet knew each other and were friends.”
The private key used for encrypting the emails will not be stored on the service provider’s server; it will be held on the user’s own system and can be replicated across all of the user’s devices. Public keys and addresses will live on the public server. Emails will be encrypted on the user’s system before being sent to the cloud. As a result, user data would not be compromised even if the government forces an SSL key to be turned over, because every message is encrypted using a key that sits only on the user’s system. Dark Mail will be available as an add-on or an option for existing email providers; Gmail could use it if Google chooses to participate.
The alliance is also planning to implement other security measures to give users a robust and secure email service. One idea is a protocol that keeps a static public key for a few hours or days and then refreshes it; old email messages would then need to be encrypted using the new key to better protect sensitive data. Another security feature under consideration is “forward secrecy”, which limits the amount of data that can be decrypted if the private key is compromised.
In comparison to existing forms of email encryption like PGP, Dark Mail aims to provide better security by encrypting the metadata along with the content of the email. PGP cannot encrypt the subject header or other metadata, and the average user finds it very complicated to use. Dark Mail plans to make its service extremely easy to use. “People using the technology will still be able to send emails to friends or colleagues using Gmail and Hotmail—but when sending messages to non-Dark Mail users, a warning will be displayed, making it clear that the communication could be intercepted”.
The source code of the software will be publicly available for anyone to scrutinize or audit, and the team hopes that more companies will join the Dark Mail Alliance for better email security. Lavabit founder Ladar Levison will soon launch a fundraising campaign for the Dark Mail Alliance to open-source Lavabit’s code “with support for DarkMail built-in.” “The first 32 companies to donate $10,000 will get a pre-release 60 days before the public gets it so that those companies can integrate it into their systems first”.
The companies believe that within three or four years the Dark Mail service will be used by the majority of Internet users. However, companies like Microsoft and Google might be unwilling to adopt the technology, because it would hinder the government’s surveillance efforts to monitor communications and track criminals. Silent Circle CEO Mike Janke says surveillance has become “completely out of hand” and that he believes it’s “time to readdress the balance between security and privacy”.
Secure cloud storage service that protects your data from surveillance
Similar to Silent Circle and Lavabit, SpiderOak is a secure cloud storage service that protects its users’ data from government surveillance. The service provides fully private cloud storage and syncing, with all the benefits of the cloud along with 100% data privacy. SpiderOak is available as an onsite deployment on private servers or as an outsourced deployment on a private, secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to their needs.
SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because the service has “zero knowledge” of user passwords or data: all plaintext encryption keys are stored exclusively on approved devices, and SpiderOak never hosts any plaintext data. This way, even if programs like the NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available on Windows, Mac and Linux, as well as Android and iOS mobile devices, allowing full flexibility and mobile access. SpiderOak offers products like SpiderOak Hive and SpiderOak Blue to secure consumer and enterprise data. You can sign up for this product now.