[liberationtech] Lavabit stored user passwords in plaintext?

Bernard Tyers b at runningwithbulls.com
Wed Aug 14 15:29:18 PDT 2013 

I came across this article outlining historical operation of Lavabit's services. 

http://highscalability.com/blog/2013/8/13/in-memoriam-lavabit-architecture-creating-a-scalable-email-s.html

It mentions in two separate places that they stored users passwords in plaintext to allow key generation and encryption to take place.

Extracts:
-----

Do you use any particularly cool technologies or algorithms?

The way we encrypt messages before storing them is relatively unique. We only know of one commercial service, and one commercial product that will secure user data using asymmetric encryption before writing it to disk. Basically we generate public and private keys for the user and  then encrypt the private key using a derivative of the plain text password. We then encrypt user messages using their public key before writing them to disk. (Alas, right now this is only available to paid users.)
….
For POP connections, the process is relatively simple. The user authenticates and requests a message. The daemon loads the message, checks the hash to make sure the date hasn’t been corrupted, decompresses the data, and then decrypts it (if applicable) before sending it along to the client.

Because we need the plain text password to decrypt a user’s private key, we don’t support secure password authentication. We decided to support SSL instead (which encrypts everything; not just the password). We handle the SSL encryption at the application tier rather than on the load balancer because we feel the application tier is easier to scale.

------

For those more knowledgable about crytpo than me: if they store user passwords in plaintext, instead securing transmission by SSL, if SSL is broken, then the users are exploitable?

Is that something that can be done unbeknownst to the user/operator of the service?


Thanks,
Bernard
--------------------------------------
Bernard Tyers | London | E1

W: runningwithbulls.com/blog/ | flickr.com/photos/runningwithbulls | E: b at runningwithbulls.com | T: +353 76 602 1877

"To see what is in front of one's nose requires a constant struggle." - George Orwell

More information about the liberationtech mailing list