Lavabit was one of the very few secure email service providers bringing security for its paid customers by encrypting all locally stored email messages with an asymmetric key and AES-256.
This means that in order to decrypt the messages, an attacker would need to compromise the server first and then to know your password.
In order to make an email server secure there are several criteria to match:
1. Secure encrypted connections between the user and the email server – it must be encrypted with a strong algorithm and to have a validation process to avoid the risk of a man-in-the-middle attack.
2. Strong user passwords to withstand brute force or dictionary attacks
3. Secure encrypted email storage – this was the primary feature that Lavabit implemented.
4. Secure encrypted email sent over the Internet. It’s important to cipher messages with technologies like PGP, so once an email leaves the original server, it travels over the Internet to the final destination in encrypted form. Even if intercepted, it cannot be read or at least not easily so.
5. Secure end-points with no password storage in the browser and with the best defense technologies possible to protect against end-point malware attacks.
Nowadays most email servers support the first of the criteria listed above. The end user, i.e. us, may also accomplish criteria 2, 4 and 5. For criteria 3, in most cases, it is something which email providers either do not offer or they implement it poorly
With the closing of Lavabit, a secure email platform is no longer available to the masses.
The questions to all of you are, if an email service meets all five requirements will it sooner or later shut down or start collaborating with governments? And which equivalent or alternative service do you recommend or use?
