Silent Circle and Lavabit launch “DarkMail Alliance” to thwart e-mail spying

Well, you are assuming way to much here. I fully understand how secure a private key is when someone uses PGP correctly. In fact I have made it my personal business to understand how PGP works at a very deep level and have been using it since Zimmerman "accidentally" caused its release to the internet. However you cannot get around the fact that you are in possession of an individuals private key. On a straight security assessment that is a completely unacceptable practice and always will be. You may not be able to break it at your level, but if you are forced to turn your encrypted database over to the Government that is an entirely different story (IE Lavabit). I stand behind my position that any service that requires an individuals PGP secret key should be strictly avoided. You say that no organization has been able to decrypt your users private keys? How does the user know that? They don't. The only way to be sure is for you to never have a given individuals private key in the first place. I am incredibly strongly opinionated on this topic. If I come off too pushy I apologize in advance. I will defend the sheer stupidity of any individual trusting his/her private key to ANY company until the end of time. No one gets my private key, period, even for the briefest moment. An air-gaped machine running PGP, albeit possibly extreme, with no network connectivity is one of the few ways to be certain your private key is safe. We are in a day and age that companies cannot be trusted. Counter-mails word is honestly not good enough. This is very very hard for you to defend on a straight security analysis. Any question refer to Bruce Schneier's blog.

The only area I could give ground on is if it were possible for Counter-mail to do what it does with a person's public key only. Truth, I haven't studied your service in depth enough to make that determination.

 

Yes, thats the myth

The only time it's a security risk, is:
1. If the password is sent to the server at any time
2. If the password is bad.

As I wrote before:
"So far, no organization has been able to decrypt any of our private keys."
I'm not talking about some hacker community, im talking about goverment organization. I think you should check the math: what kind of cluster it requires to crack a private key with iteration code 192, protected by a good password (non dictionary pw):
https://support.countermail.com/kb/faq.php?id=61

I personally prefer mathematical proof that is backed up with practical attacks, instead of old myths.

Again, if someone is paranoid we also have solutions for those people, just send us the self generated public key. We have solutions for every type of user.

 

You sound ineducable. The myth you are referring to cannot be proven or quantified in any way. Despite Snowden releases you have no clue how strong the adversary actually is. You sir have a business model to protect. You are clearly unwilling to address valid points because your company has too much to lose to adopt a real security paradigm that does not include your being in possession of a users private key. You made my point. Trust the math. If you don't possess my secret key I trust the math that you can't do anything with the secret key you don't have. This type of head wagering to protect ones own business model does not serve the public. Do you want me to start quoting PGP design specifications? I consider your support of users freely giving out their secret key paramount to sacrilege. You have a chance to salvage this. I consider your points to be massively security flawed and in the wake of Snowden, Lavabit and Silent Circle and am willing to go to the mat long and hard to prove my points if necessary. I don't think you want that as a company. Stop defending your security model and show me specifically a way I can use your service and maintain 100 percent possession of my secret key at all times. I am taking this to an elevated level because I have been analyzing your company to the exclusion of many others. The fact that I am addressing this gives you an opening to show to extremists who value privacy above all else how your company differs from organizations like Hushmail (I am sure you know the past). You have potential, I admit that. I need you to specifically address my point. Assuming you can show this to my satisfaction I will be forced to concur that Counter-mail is usable for someone with my risk profile and will perhaps make recommendations to clients I work with. However, I take great argument with Counter-mail being in possession of a less sophisticated PGP users secret key.

 

I really feel like you have misunderstood the service Countermail is providing.

Putting aside the point Countermail makes, that the private key is not sufficient in and of itself (without the password) to decrypt peoples' email, it seems to me that Countermail provides two different things.

1) A webmail system that employs PGP encryption. This is a system that can be easily used, by non-technical customers, but which like all such systems requires a certain element of trust. You may think that such a system is deeply flawed, but it seems good enough for a lot of users who just want some privacy.

2) A email provider that uses PGP encryption, but works with stand alone email clients. This system allows users to generate their own private key and guard it in whatever way they see fit, but probably will only appeal to more technical users. This system is also preferable for anyone who needs the highest security and privacy in an email service.

I just don't think there is anything wrong with 1. It's way better than Gmail, etc., and pretty much every other email service I've come across, even other privacy oriented systems (because of the other lengths the Countermail system goes to, to ensure security and privacy).

In addition, if you actually spend some time reading the Countermail website and their FAQ, they are very thorough in explaining how the system works and how you can create your own private key if you want to. You can even use two factor authentication with a YubiKey. Honestly, Countermail is doing far more of an educational service to people by explaining how to create their own private key and providing a system that will employ this, than ranting at them in this thread.

*

That's not actually math. But anyway.

*

I understand that you have a principled position about private keys. But it's a messy world out there and Countermail has gone to great lengths to make a pretty good system that provides different options for people to have security and privacy at different levels. Yes some trust is required, more or less depending on how you use Countermail. But 99.99% of people are using Gmail and the like and placing trust in systems that we know are already compromised. Not everyone is going to become a security expert, learn how to use PGP on their own, and use it. It's just not realisitic. Countermail's webmail service is a good option for a lot of people, with a very high level of security and privacy and low bar of entry to non-technical people.

In addition, people who truly are worried about absolute security, probably shouldn't be using email at all. So the argument becomes kind of academic. On top of that, you can draw a line in the sand about where private keys are stored, but you're still trusting that all the software you use to employ PGP on your own system, your email client, you operating system, etc., actually does what it claims it does (unless you've verified every line of code and piece of hardware yourself). For all the reasons already discussed above in this thread and do not bear repeating, even with PGP you're still trusting all kinds of people and systems, who you don't know, to provide you security and privacy. So making a federal case about one particular line in the sand, around private keys, is ultimately kind of arbitrary.

 

Actually, it's you that sound ineducable. And It seems like you don't read what I write I can quote myself again:

"Again, if someone is paranoid we also have solutions for those people, just send us the self generated public key. We have solutions for every type of user."

You don't NEED to use our keypair. I don't know If I can explain that any better. We only need your public key, if you want it that way.
When the user has sent us the new public key, we will delete the keypair that was originally created.

So we have nothing to protect since we already have a solution for every type of user.

The fact remains, even if you seem to ignore this, to use a private key, you need the password, and the password is never sent to our server. If you don't believe me, that's another problem, it's a trust problem not a math problem. I just wrote about the trust issue earlier:
https://www.wilderssecurity.com/showpost.php?p=2306093&postcount=51

 

Just to clarify the full features offered by CM:
Assume i am a gmail user, with PGP, who communicates only with other gmail/Yahoo users who also have and use PGP.

What security benefits are provided by CM over the above setup?
I think:
-USB key authentication
-IP addresses not logged.

Anything else?

 

I will close this with the line in the sand metaphor of where the PGP secret key is kept is critical to security of the individual user. This is principle! An extremely critical principle. If a federal case is necessary to get these types of points out then so be it. I understand that Counter-mail has gone to great lengths to provide a better security solution then G-mail or Yahoo or any of the other big ones. They are to be congratulated for that. However, Counter-mail should clearly disclaim that it is engaging in a model by utilizing a persons secret key that is contradictory to the best recommended practices of PGP.

 

It's good that you mention Hushmail, because Hushmail "betrayal" in 2007 was the first reason that we started Countermail, I also mention that fact in this interview:
http://www.unfinishedman.com/interview-simon-persson-founder-countermail-secure-email-provider/

We are a small company that values ​​our users privacy higher than any other provider (afaik), we would never do anything like that. And I have several court order that proves that. We have never revealed:
-passwords - because we can't, they are never sent to our server
-unencrypted email bodies - we can't, everything is encrypted
-unencrypted attachments - we can't, everything is encrypted
-unencrypted private keys (secret keys) - they are never sent to our server in unencrypted format
-IP addresses - we dont log them

Regards,
Simon Persson, CEO

 

-We are under Swedish jurisdiction and swedish laws, Sweden still have better privacy laws than many other countries
-Incoming email will be encrypted to your public key, which means no emails will be stored as plaintext on our server, only in encrypted format
-Our webmail server do not have any hard drives, only CD-ROM, which means no “leakage” to any hard drive is possible
-Our customers never have any direct connection to our mailserver, regardless how they connect to their account, IMAP/SMTP/webmail always connects to a diskless server (tunnel)
-We have an additional encryption layer to protect against man-in-the-middle attacks

 

Again, we have never access to the unencrypted version of private key, not at any time, every keypair is generated in the Java applet, that is run locally on the users computer. Before we receive the private key, its was already encrypted, locally inside the applet.

Again, we have solutions for paranoid users also. They don't need to use our keypair, they can use their own, then the private key is never on our server, not at any moment.

 

With the violations we have all witnessed in this society I will concur it is a trust problem. There is absolutely no way that I would ever trust my personal secret key out of my possession much less enter my pass-phrase into any web-portal. That being said, I will read the link you posted on trust.

 

I guess I just don't see it as such an absolute. Different people have different needs. Countermail's webmail service does about as good a job as you can do with a system like that. For some people that's good enough. If you don't want to use such a system, that's perfectly understandable and fine. But it doesn't mean what's good for you is what's best for everyone else. People are balancing need, convenience, and trust. The answer is not the same for everyone.

And fortunately, even if you want to generate your own private key Countermail not only offers that option, they explain to people how to do it in their website. So I don't really see Countermail as standing in the way of "get[ting] these types of points out," as you say. Frankly, I think Countermail is doing far more than critical posts such as yours to educate people about encryption with email, through their service and the information on their website, and their consistent patient presence in forums like this. I certainly learned a lot from their website when I first came upon it.

I think Countermail is very straightforward about what it is, what it does, and how it works, providing a wealth of technical information and explanations. I don't see them pretending their service is anything other than it is. If you don't like their service that's fine. But that doesn't mean there's anything wrong with it for other people with other needs.

*

The thing is, if you look at not just Countermail's post in the thread they link to, but that whole thread, there was already a long debate about the inevitability of the problem of trust. Using PGP the way you advise does not get you out of this problem. You are still using all sorts of systems (such as PGP) itself, for which you have to trust people you don't know who created them. That's why I think the private key line in the sand is relatively arbitary. It's a prefectly reasonable principle, but it is far from eliminating the problem of trust. But I won't repeat myself, I already said at length what I think about this in the other thread. And Countermail makes the point very well also in the post they link to (execpt that they misunderstood at the time that I was already saying the same thing in that thread ).

 

@Countermail

One question this discussion has raised for me. If one generates their own key pair, to use with Countermail and only sends Countermail the public key, does that mean one can no longer use the webmail system? Only separate stand alone email clients would work? Thanks.

 

If you are trying to login to a account with a deleted private, it will ask for it through a file browser window. But the private key will never be sent to our server, it will only be used locally inside the local Java Applet. You can of course also use your own PGP application instead of out webmail.

A user that deletes the private key take all responsibility for keeping it safe, and to store a backup in a safe place. If you lose the private key, you also lose your account, since you then can't verify to us that you are the original owner.

 

People are balancing need, convenience, and trust. The answer is not the same for everyone.

You are right. The answer is not the same for everyone. The reason I strongly object to this approach is the practices diminishes the strength of PGP by an inappropriate less secure use for first time users who hardly have the skill, knowledge or even desire to know better.

And fortunately, even if you want to generate your own private key Countermail not only offers that option, they explain to people how to do it in their website. So I don't really see Countermail as standing in the way of "get[ting] these types of points out," as you say. Frankly, I think Countermail is doing far more than critical posts such as yours to educate people about encryption with email, through their service and the information on their website, and their consistent patient presence in forums like this. I certainly learned a lot from their website when I first came upon it.

I can concur that I am reasonably impressed with how Counter-mail implements security. I am probably going to try out their 7 day test account in order to see if I can accomplish my goals. I also agree with you on one thing. I am a PGP purist. PGP is hard to use in my opinion out of necessity. However, that fact is the reason PGP has not proliferated and become the norm. Dark-mail is an initiative that has the potential to take care of that.

I think Countermail is very straightforward about what it is, what it does, and how it works, providing a wealth of technical information and explanations. I don't see them pretending their service is anything other than it is. If you don't like their service that's fine. But that doesn't mean there's anything wrong with it for other people with other needs.

Well the baby out with the bathwater comment, if you don't like it don't use it doesn't quite hold with my above statements. I am a bit of an activist. I am an exceptionally strong supporter both personally and on the activist level of PGP. When I see a company using PGP in a fashion that in my opinion weakens PGP as I have explained regarding the storage of secret keys I glow red.

The thing is, if you look at not just Counter-mail's post in the thread they link to, but that whole thread, there was already a long debate about the inevitability of the problem of trust. Using PGP the way you advise does not get you out of this problem. You are still using all sorts of systems (such as PGP) itself, for which you have to trust people you don't know who created them. That's why I think the private key line in the sand is relatively arbitary. It's a prefectly reasonable principle, but it is far from eliminating the problem of trust. But I won't repeat myself, I already said at length what I think about this in the other thread. And Countermail makes the point very well also in the post they link to (execpt that they misunderstood at the time that I was already saying the same thing in that thread

Well, yes, it is an arbitrary approach set aside by the creater of PGP, one Phil Zimmerman. I don't trust any company regardless who it is (my arguments are against the practice not Counter-mail specifically). Using PGP as I advise removes the email provider from the equation. One significantly and extremely important step. I should ad to this that we are but cementers on Wilders. I don't think you caught my sarcasm when I mentioned Zimmerman. People like Phil Zimmerman and Bruce Schneier wind up setting standards for the industry and then companies like Counter-mail come along with single-highhanded approaches and decide that for the business of making money is more important then maintaining the credibility of an extremely important encryption protocol. Sorry, I not only don't buy it, I actively rail against it.

 

Obviously you don't read what I write:
1. You don't need to use our keypair
2. You don't need to trust our software, you can place your trust in other software like GPG/Enigmail, no matter what you use, you have to place your trust somewhere.

If you think we are doing this only for making money, you are so wrong, We started Countermail because there was no other alternative available.

You don't know all people behind the company, you don't know what we have done to protect our users, we have spent a lot of time and money to build up our security and company. We spend a decent sum of money every year to pay a lawyer just to keep us up to date with all laws. We would never save any password, if we did that, we can say good bye to our company, even this you don't seem to understand. You are so mistaken about the people behind the company, especially when you think we are only doing this for money. One of our investors don't care about the money at all, he only want a easy and safe way to communicate securely.

You don't seem to understand the difference between a trust-problem and a math-problem, our users private keys are very well protected, so far, no government has been able to decrypt a private key, that's one of the mathematical proofs we have.

Your trust problem is something else, I hope you have audited every single byte in the source code for the PGP-application you are using, and that you have audited every single byte in the source code for the operating system you are using...otherwise, you might be busted

Another thing, we could never run our company from within the US, because they could force us to store password or the unencrypted private keys, if we had our jurisdiction in the US, I would totally agree with pcdoctor36:s points. But Sweden is not US.

The key to be able do what we do, is having the jurisdiction in the "correct" country.

 

We are following the OpenPGP spec:
https://tools.ietf.org/html/rfc4880#section-3.7.2.1
As we mention in our FAQ:
https://support.countermail.com/kb/faq.php?id=61

We would never do that, because it's not true, ok, for some other providers it could be true, but not in our case. In fact, it could be more secure to store the encrypted private key outside your own home/computer, if a thief steals your computer, your private key could get compromised. But if the private key is not stored on the computer, the thief would not gain anything.

Quote from OpenPGP spec: https://tools.ietf.org/html/rfc4880#section-14

As you can see, it's up to the user to decide how he/she wants to store the private key.

 

Yes, and I have acknowledged that your system allows the sophisticated user to determine how he/she is going to store their secret key. Sure any disaster can happen. If the disaster happens to me then I am to blame. If the disaster happens to you then I sue. I would rather be responsible for my own fate.

You state:

We would never do that, because it's not true, ok, for some other providers it could be true, but not in our case.

Let's look at what you just said in detail. Some of the best minds in the world determined the PGP standard. Yet, your company all by itself has determined that those practices do not apply to you because you encrypt the noobs secret key. You are not an independent. You have a product to back, protect and support despite your attestations to the contrary. That is an immutable and unarguable truth. I have no problem with a company trying to improve email. What I do have a severe problem with is Counter-mail, now a fairly large and respectable presence, has arrogantly tossed the private key storage standards out the window because you feel that your application supersedes the wisdom of some of the best cryptographic advice on the planet. What is true for one provider applies to another provider. We live in a global community. When one company makes this type of adoption we all suffer. Geographic placement of a given service is critical we both agree on that. You freely admit that your business model would not work in the United States and if Counter-mail resided in the United States would probably side with my point. Have you ever considered how your dilution of the private key storage procedure affects everyone else? Or do you consider your business model so important that other email services in different geographic areas around the world should suffer from what I view as irresponsibility. Please don't restate what you have already dead panned twenty times.

 

Most PGP implementations encrypts the private key, following the spec using a S2K packet that determines the encryption. Read the PGP spec.

We can not take responsibility for others, and how they do. As long as we do it in a safe way, I'm happy. You should not blame us for anything, blame those who don't follow the spec, or those who betrays their users. We follow the PGP spec in every way.

Did you read the part I quoted from the PGP-spec:?
https://tools.ietf.org/html/rfc4880#section-14

How do you think companies using PGP as Enterprise solution do? Of course they store an encrypted private key on their server. Have you never heard about PGP enterprise solutions??

In some cases it's even worse to store the key locally, a noob may store his private key on his computer Desktop using private key password "12345678", but you still think this method is better?

It's totally wrong to say that the encrypted private key must be stored only on the client side. I'm amazed that you can't see the "pros and cons".

Please don't restate what you have already dead panned twenty times.

 

Succinctly put, I am a supporter of PGP to the exclusion of any email provider. You are too colored by your own business model to see the damage you are causing. When you say you are amazed that I cannot see the pro's and con's of private key storage what your real argument is you are amazed that I cannot see the profitability of Counter-mail simplifying the PGP key generation process (which admittedly is hard). The intelligent solution would be to force all customers to generate their own key pair and then upload their public key too you, not just the customers who are sophisticated enough to realize there is an issue. I had hoped for greater wisdom but so be it. My real point despite our joint rantings back and forth was to get an argument such as this immortalized on Wilders Security Forums so perhaps other noobs can read this and make an intelligent choice.

 

I was informed that you are a troll, so my discussion with you ends here, I should have seen it myself since you constantly was avoiding all my PGP-references and all questions to you.

However it was good to get a discussion about the private keys, so the myth about the "hazard" of the private keys get a better explanation.

 

I understand conceptually your PGP purest position. But I think, practically speaking, your position does not take into account how the world actually works. If we are all to adhere to only using the PGP private key in the way you suggest, very few, only technical people, will use it, and the first time users you mention will not be magically educated into proper security protocol, they will instead just stick with Gmail. People just can't be bothered. Even getting people to pay a little money and sign up for something like Countermail is an insurmountable hurdle for most people. Heck, in the days of Lavabit you could get an encrypted account for $8/year and it still was not exactly threatening the likes of Gmail, etc.

So I think your approach virtually guarantees the irrelevance of PGP for the mainstream. The world is just a much messier place, full of a lot more compromise, than the idealized one, to which you appeal. In contrast, Countermail has provided a practical solution for non-technical users. Countermail is actually doing something to broaden the potential use of secure and private email. And yet you keep attacking them, for the sake of a quixotic endeavor that has no hope of ever making a difference for anyone, other than technical users who already know how to use PGP themselves and don't need your help.

In the mean time, there are so many other vulnerabilties in whatever system you use, as has been said. Your PGP client, your operating system, your hardware, the PGP code itself. They all could be critiqued in the same way you are critiquing Countermail. There is a myriad of unknown individuals out there, in whom you have blanketly palced your trust, who created these systems. Yet somehow Countermail is the singular critical trust vulnerability, despite their considerable efforts to establish trust. It seems, as I've said, that you have chosen an arbitrary line in the sand and it doesn't have much to do with what makes sense either in terms of security or in terms of trust--that is, in the real world of practical choices where everyone makes compromises, whether they recognize them or not, including yourself.

I have my doubts that the PGP activist community you speak of exists much beyond yourself. PGP is a tool people use. I do not often see those users conceive of themselves as a community, let alone an activist community. On the other hand, there are a lot of highly knowledgeable users in this forum who are perfectly fine with Countermail and even use it. I don't see anyone else objecting to the mere fact that their webmail system exists at all on the grounds of how Countermail deploys the private key. And I really disagree that Countermail is damaging PGP in any way through their system. Instead, they have gone to great lengths to make it usable to a broader array of people (and have been very honest about how they have done this, as well as providing a way for more technical users to opt out of that part of their system). Your private key complaint just seems like a made up reason to critique Countermail. Or rather, you are taking your own personal preferences (which are fine) and treating them as if they represent the public good, which really is up to others to decide for themselves.

In the end, PGP is open source code, it's meant to be used by the community in different ways for different purposes. Countermail's system is very much in the spirit of this. And lots of people support them. So I imagine what Countermail "can't stand" is being subject to a unrelenting attack in a public forum, based on one individual's principles blown up to the proportions of an offense to the public in general. It's a pretty volatile accusation.

 

Thanks for the explanation.

 

Obviously, by my tone I was finished. It is nice to get a one liner in that attempts to dismiss someone with a valid point isn't it? I got your PGP references. I chose to ignore them as it was never the intention of Phil Zimmerman, MIT or PGP corp for anyone other then the owner of the key pair to be in possession of the secret key. The key is as the CEO of Counter-mail you cannot under any circumstances back down to an argument that would defy your business model. I am comfortable leaving it at this point. We have both expressed our views rather pointedly. Let the user decide.