Lavabit’s data recovery is slated to begin on Friday, October 18.
Before Lavabit data becomes publicly available again, users will have 72 hours to change their passwords at the rebelliously named https://liberty.lavabit.com. Lavabit says it is offering a brief password reset window to ease concerns that user login data may have been compromised.
“If users are indeed concerned that their account information has been compromised, this will allow them to change their account password on a website with a newly secured SSL key,” Lavabit said in a statement.
The new SSL key for the data retrieval period is of particular note. In early August, a court compelled Lavabit founder Ladar Levison to hand over the company’s SSL keys, according to a recent report in The New Yorker. Levison originally resisted this request, believing that handing over Lavabit’s SSL keys would open up a “profound exploitation of his service’s communications,” the report said. Soon after surrendering the SSL keys, Levison shut down Lavabit.
SSL is the standard encryption method that secures communications between a website and personal devices such as PCs, smartphones, and tablets. Presumably, the private key behind Lavabit’s new SSL certificate is not in the hands of the government—at least not yet.
Doing due diligence
Attempting to be as transparent as possible, Lavabit has published its new SSL certificate fingerprint and serial number on the password change page. The company encourages Lavabit users to manually verify the new SSL fingerprint before using the site. There are many online tools that can show you a site’s SSL fingerprint, such as GRC.com’s Fingerprints Web app, or you can do it yourself.
To manually verify both the serial number and the fingerprint in Chrome, click on the padlock icon in the left corner of the browser’s address bar. In the drop-down window that appears, click on the “Connection” tab.
Next, click on the “Certificate information” link and then click the “Details” tab.
The serial number will be one of the first entries you see. For the fingerprint, scroll down to the bottom of the “Details” pane until you find the “Thumbprint” entry. You can then match the Chrome thumbprint against the fingerprint printed on the Lavabit webpage.
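The same check can be scripted instead of done by hand in the browser. The following example is added here; it is not code from the article, from Lavabit, or from any of the tools named above. It computes the certificate fingerprint (the SHA-1 digest of the DER-encoded certificate that Chrome labels “Thumbprint” and OpenSSL prints as a fingerprint), walks the DER structure to pull out the serial number, and compares both against the values you would copy off the password change page. The certificate it runs on is a minimal constructed stand-in built inline (only the fields the parser needs are encoded), and the expected fingerprint and serial values are constructed placeholders, not Lavabit’s real ones; `fetch_server_cert_der` shows how you would obtain a live server’s certificate but is not called because it needs network access.

```python
import hashlib
import hmac
import ssl


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value element starting at buf[pos].
    Returns (tag, value_bytes, position_after_element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low seven bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der: bytes) -> int:
    """Extract serialNumber from a DER X.509 certificate:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] version OPTIONAL, serialNumber INTEGER, ... } ... }"""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:  # explicit [0] version is optional (absent in v1 certificates)
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(value, "big", signed=True)


def format_serial(serial: int) -> str:
    """Uppercase hex with an even number of digits, as certificate viewers show it."""
    hex_str = f"{serial:X}"
    return hex_str if len(hex_str) % 2 == 0 else "0" + hex_str


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase digest of the DER bytes (Chrome's Thumbprint)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(value: str) -> str:
    """Strip colons, spaces and case so 'ab:cd' and 'AB CD' compare equal."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def matches_published(der: bytes, published_fingerprint: str,
                      published_serial: str, algorithm: str = "sha1") -> bool:
    """True only if both the fingerprint and the serial match the published values."""
    fp_ok = hmac.compare_digest(_normalize(fingerprint(der, algorithm)),
                                _normalize(published_fingerprint))
    serial_ok = (_normalize(format_serial(certificate_serial(der))).lstrip("0")
                 == _normalize(published_serial).lstrip("0"))
    return fp_ok and serial_ok


def fetch_server_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server presents (needs network; not run here)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER element (lengths below 65536 suffice for this example)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


# Constructed stand-in certificate (not a real one): version, serialNumber and
# a signature algorithm OID are encoded; the remaining fields are empty placeholders.
SAMPLE_SERIAL = 0x0A1B2C3D
_tbs = _der(0x30,
            _der(0xA0, _der(0x02, b"\x02"))                       # [0] version = v3
            + _der(0x02, SAMPLE_SERIAL.to_bytes(4, "big"))        # serialNumber
            + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B"))
                   + _der(0x05, b"")))                            # sha256WithRSAEncryption
SAMPLE_CERT_DER = _der(0x30, _tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    # In practice PUBLISHED_* would be copied from the password change page;
    # these are constructed placeholders derived from the stand-in certificate.
    PUBLISHED_FINGERPRINT = fingerprint(SAMPLE_CERT_DER)
    PUBLISHED_SERIAL = "0a:1b:2c:3d"
    print("fingerprint:", fingerprint(SAMPLE_CERT_DER))
    print("serial:     ", format_serial(certificate_serial(SAMPLE_CERT_DER)))
    print("match:      ", matches_published(SAMPLE_CERT_DER, PUBLISHED_FINGERPRINT, PUBLISHED_SERIAL))
```

Note that the fingerprint is a hash of the whole certificate, so any byte changed anywhere in it, not just in the serial, produces a different value; the serial alone is weaker evidence because it is chosen by the issuer, which is why the script requires both to agree. Also, `hmac.compare_digest` is used so the comparison does not short-circuit on the first differing byte; for an offline check that is a habit rather than a necessity.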
All this will verify, however, is that the certificate your browser received is the one Lavabit published. It does not guarantee who is in control of the site.
There is also some concern that SSL encryption has been rendered useless. A report in The New York Times in September suggested that the National Security Agency has a backdoor into SSL. Whether that’s true or not is still up for debate, but it’s certainly worth noting for the truly parano… er, security conscious.