[liberationtech] Lavabit stored user passwords in plaintext?

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Wed Aug 14 16:11:57 PDT 2013


On 15 Aug 2013, at 00:01, Tom Ritter <tom at ritter.vg> wrote:

> On 14 August 2013 18:29, Bernard Tyers <b at runningwithbulls.com> wrote:
>> I came across this article outlining historical operation of Lavabit's services.
>> 
>> http://highscalability.com/blog/2013/8/13/in-memoriam-lavabit-architecture-creating-a-scalable-email-s.html
>> 
>> It mentions in two separate places that they stored users' passwords in plaintext to allow key generation and encryption to take place.
> 
> No, it said in two places it SAW the plaintext password of the user.
> Not that they stored it.

Hi Tom,

Yes, you're right. My mistake. But is my second question not still valid? If SSL was compromised, would the user not then be compromised?

Is:

"…we generate public and private keys for the user and then encrypt the private key using a derivative of the plain text password."

the other side of:

"…we need the plain text password to decrypt a user’s private key…"?

This is where they saw the cleartext password, and held it in memory for that time period?

Does this give some indication as to what the government agency (whichever it was) was making Lavabit implement to allow it to surveil Lavabit users?

thanks,
Bernard


--------------------------------------
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org
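The scheme the two quoted sentences describe (a key pair per user, the private key encrypted under a key derived from the password, and the plaintext password needed again at login to decrypt it) can be modelled directly. The following is an added example, not Lavabit's code and not taken from the article: the PBKDF2 parameters, the HMAC-SHA256 counter-mode cipher with an HMAC tag, and the random bytes standing in for an RSA private key are all assumptions chosen so the block runs with the Python standard library alone. What it shows is the property the question above turns on: the record the server keeps never contains the password, yet anyone who observes the plaintext password at login and holds that record can unwrap the private key exactly as the server does.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 with this iteration count stands in for
# whatever derivation Lavabit actually used to turn the password into a key.
PBKDF2_ITERATIONS = 100_000


def derive_wrapping_key(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte wrapping key from the plaintext password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF stream (stand-in for a real AEAD such as AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(wrapping_key: bytes):
    # Separate encryption and MAC keys so the same derived key is never reused across roles.
    enc_key = hashlib.sha256(b"enc" + wrapping_key).digest()
    mac_key = hashlib.sha256(b"mac" + wrapping_key).digest()
    return enc_key, mac_key


def wrap_private_key(private_key: bytes, password: str) -> dict:
    """Registration: encrypt the private key under the password-derived key (encrypt-then-MAC)."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(derive_wrapping_key(password, salt))
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # This dict is everything the server holds at rest: no password, no plaintext key.
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_private_key(stored: dict, password: str) -> Optional[bytes]:
    """Login: the plaintext password is needed once to recover the private key; returns None if it is wrong."""
    enc_key, mac_key = _subkeys(derive_wrapping_key(password, stored["salt"]))
    expected = hmac.new(mac_key, stored["nonce"] + stored["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, stored["tag"]):
        return None  # wrong password (or tampered record): nothing is decrypted
    ct = stored["ct"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, stored["nonce"], len(ct))))


def demo() -> dict:
    """Walk through registration and login and report what each party can do with the stored record."""
    private_key = secrets.token_bytes(48)          # constructed stand-in for the user's private key
    password = "correct horse battery staple"      # constructed sample password
    stored = wrap_private_key(private_key, password)
    return {
        # The legitimate server, having just received the password over TLS, can unwrap the key.
        "server_with_password": unwrap_private_key(stored, password) == private_key,
        # Without the right password the record yields nothing.
        "wrong_password": unwrap_private_key(stored, "not the password") is None,
        # Whoever sees the plaintext password in transit (the SSL question in the thread) and
        # has the record is in exactly the server's position: the design does not distinguish them.
        "observer_with_password": unwrap_private_key(stored, password) == private_key,
        # The record itself does not contain the password bytes.
        "password_stored_in_record": password.encode("utf-8") in b"".join(stored.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two entries of `demo()` are the answer to the "stored in plaintext" question and the "compromised SSL" question respectively: the server keeps only a salt, ciphertext and tag, but the moment it holds the plaintext password in memory, anyone else who obtained that password (by breaking the transport, or by compelling the operator to log it) can unwrap the same record.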
