1. 11

Figured there might be a lot of people here who used Lavabit that might want their email back.

    1. 1

      “Interesting”? Today I learned that using SSL is the same as transmitting passwords in cleartext… :)

      1. 1

        More so the lack of PFS in a situation like this struck me as odd.

        1. 1

          I guess. Did the old lavabit use PFS? (Does anybody know anything about lavabit from before the shutdown? It seems like the number of people who know about lavabit has increased about 100x, but only post shutdown. Point being, if lavabit had been using 40-bit DES encryption before the shutdown, would anybody have noticed?)

          And still, if it is a honeypot, PFS would solve nothing. We’re assuming the FBI has the new SSL key and is monitoring traffic, right? And the code has been altered to log every password? How will PFS save you from that? I guess there’s some logic to if it weren’t a honeypot, we’d expect PFS, so the absence is suspicious. But it’s hardly a smoking gun. The site could just as easily be a honeypot if it did use PFS.

          The entire premise, though, is the FBI wants to read every lavabit users' email. I don’t believe that. They asked for the SSL keys to implement their own tap on the (unnamed) target after lavabit refused to do so. “you don’t want to help us, fine, we’ll do it ourselves.” Given the circumstances, that seems like a perfectly logical response. They tried the scalpel, that didn’t work, they came back with the chainsaw. Unless that was their master plan all along? Make a request they know lavabit will refuse in order to demand the SSL keys later? That smells like a Batman Gambit.