Lavabit NOW - your current experience

[OxfordComma]

Hello everyone,

I'm looking to leave the corporate monstrosity that is gmail behind. It's cavalier attitude towards privacy is too much for me, and I've come across Lavabit, which promises to make my emails unreadable, even to those at the company.

I've tried to understand the explanation of how they do this on their website, but in all honesty I'm a layman and I need it spelling out in layman's terms for me. Everything I've read in their explanations about my emails staying unreadable seems to rely on lavabit not knowing my password, but surely they have this on a server somewhere to check it when I log in? So here's the ultimate question: can lavabit, with their system designed as it now, decrypt my emails and read them? If not, why not?

But aside from this, what I'm really looking for is for your latest experience of using them. I'm thinking about paying for an account with them - in order to get the privacy they offer with the asynchronous feature - but I've read some extremely contradictory things about them in threads on this site.

Some say they're gods, some say their support is complete rubbish. More importantly these threads are old, so what I want to know is what's your recent experience of them? Given my motivations, is it a good idea me going for one of their paid accounts?

Anything you can offer will be appreciated.

Many thanks,

OC

[Berenburger]

Quote:

Originally Posted by OxfordComma

Some say they're gods, some say their support is complete rubbish. More importantly these threads are old, so what I want to know is what's your recent experience of them? Given my motivations, is it a good idea me going for one of their paid accounts?

No no, these threads are not old. The latest is from May 4th. It says support is still very bad.

[OxfordComma]

Yeah, I see that there are posts from within the last month. However, these are sparse and rare; most of the posts about Lavabit and its support seem to have been made up until the autumn of last year. In fact, at the beginning of last year there seem to be a lot of positive comments about the site from the very people who went on to complain about support later. So I'm left not really knowing what the service is like now. If anyone can help with information, please post here.

Thanks.

OC

[David]

Quote:

Originally Posted by OxfordComma

Yeah, I see that there are posts from within the last month. However, these are sparse and rare; most of the posts about Lavabit and its support seem to have been made up until the autumn of last year. In fact, at the beginning of last year there seem to be a lot of positive comments about the site from the very people who went on to complain about support later. So I'm left not really knowing what the service is like now. If anyone can help with information, please post here.

I have complained about the lack of response from support (before) and for that reason would not recommend paying Lavabit any money (even though the service seems to be reliable)

Lavabit is (for the most part) a one man show.

[OxfordComma]

Thanks for the response David. Everyone else, feel free to chip in...

[lgnki]

Ox,

I wanted to address a few things in your post.

1. In laymans terms, one possible method of preventing anyone but you from knowing your password is called hashing. When a password is hashed on a server, only the server knows how to read your password in the way it is stored. So while a password like "kitten" will look simple to you, it might look more like "hasu&3kw93alKd--(#klasdIDLKekd" in text format on the server, it would also look this way to anyone trying to read your password, such as company staff.

2. e-mail is inherently insecure, I am not sure how serious you are about your email security, but you may wish to check into an alternative communication method for sensitive materials, or at the very least, a company that specializes in secure email.

[OxfordComma]

Quote:

lgnki

1. In laymans terms, one possible method of preventing anyone but you from knowing your password is called hashing. When a password is hashed on a server, only the server knows how to read your password in the way it is stored. So while a password like "kitten" will look simple to you, it might look more like "hasu&3kw93alKd--(#klasdIDLKekd" in text format on the server, it would also look this way to anyone trying to read your password, such as company staff.

2. e-mail is inherently insecure, I am not sure how serious you are about your email security, but you may wish to check into an alternative communication method for sensitive materials, or at the very least, a company that specializes in secure email.

Ignki,

Thanks for the information. The hashing explanation is interesting. I wonder: you said only the server that hashes a password knows how to read it - if the server is owned by someone, such as Lavabit, won't they be able to read it since it's their server and they know how to use it? Sorry if I sound a bit simple here.

Re: email be inherently insecure. I'm not dealing in any precious documents or anything, so security isn't my main motivation. I am just extremely prickly about my privacy. I think it's disgusting that way it is being eroded in the modern world and when I came across Lavabit, which promises complete privacy of correspondence , I thought, 'Oooh, that'll be nice to know some corporate scum bags aren't reading my personal email correspondence'. But before diving in I'm doing my research, and trying to make sure I'm sure of what I'm getting.

The criticisms of Lavabit's support are obviously a massive concern, and so far are stopping me from signing up. But, if the privacy they offer is as concrete and reassuring as it sounds in their pitch, maybe I'll be persuaded in future.

[lgnki]

Oxford,

The simplest way to explain is that as soon as you tell the server your password, it converts it into a language that only it knows how to read. It is not readable by a human. Could the owners of the server see your "hashed" password? Yes. Would this make any sense to them or in any way lead them to gain knowledge of your actual password? No. This is also one of the reasons that many services can no longer send you your lost password, but instead you must reset it. I cannot guarantee you that this is how Lavabit works, but if they are at all serious about security, which it sounds like they are, this would be the standard that most professional services are run by.

[OxfordComma]

Thanks for the info.

[OxfordComma]

Can anyone recommend another email service that delivers on the privacy promises that Lavabit offers?

[ReuvenNY]

Quote:

Originally Posted by OxfordComma

Can anyone recommend another email service that delivers on the privacy promises that Lavabit offers?

Sorry to sound negative, but some may promise - not sure whether they would deliver more then the big three...
If you want to maintain privacy, stay away from email! Email is not considered private, as besides the providers there are many servers on the delivery trail that can snoop.

[William9]

Some email service providers have end-to-end encryption of messages. This type of service is secure, but the receiver must have the password.
See this link for an explanation http://luxsci.com/extranet/secline.html

[OxfordComma]

Quote:

William9
Some email service providers have end-to-end encryption of messages. This type of service is secure, but the receiver must have the password.
See this link for an explanation http://luxsci.com/extranet/secline.html

Thanks William. How do you think luxsci compares to lavabit in the privacy stakes? They seem to be very security conscious, but they don't say for certain that no-one can read my emails, so privacy isn't at the heart of their services. They seem to have different priorities. Not to mention how expensive they are!

OC

[William9]

Every day email is not secure regardless of which service provider you have.
Encrypted email is secure, but a password is necessary. Few service providers provide end-to-end encryption. There are some applications like PGP that allow one to send encrypted messages, however.

[lgnki]

Ox,

You may wish to check out http://www.safe-mail.net/

Their storage is terrible at the free level, but maybe an upgrade is worth it for you.