And how do you operate without RSA using PGP? I am confused. SHA-512 is for hashing, but not the encryption. The so-called "RSA debacle" does not stop you from using RSA as part of PGP, unless you are using the older (and maybe less useful; I am not a cryptographer) DSA options in PGP. Care to elaborate? Your jokes are cute, but that joke in particular scares me out of trying your service because it shows a biased or garbled technical story here.
Also, we appreciate the mention of the Pax kernel, but TrueCrypt on Linux. Can you go into more detail? I am intrigued why you would choose this over any other software-based full disk encryption system (LUKS+dm-crypt, for example).
Also, FDE of the email servers is nice, but as the sole owner of a bunch of accounts, you can still be compelled to hand that data over, and without hardware-based encryption (and people are more skeptical than ever about TPM chips due to recent news in play), I am not sure it helps. The PGP is nice, but I think you are going to get a lot of snark and rightful skepticism on browser-based JS crypto, which is controversial. I did not say impossible, but many people, me included, do not think this is ready for primetime (some think it never will be, I am staying out of that flamewar).
Nice site, so-so copyright, but there is no silver bullet in this arena and I would prefer your "nerd info" gives better technical detail and a real, real warning about promises you cannot keep.
How do you handle the case where a MITM might be modifying the JavaScript sent to a user? (Or the equivalent case where a CDN or server hands out bad JS.)
Is there any transparency around the internal key server? How would I know if someone's key has been replaced?
> Since we do not have to use RSA to generate the keys, we don’t! SHA 512 is our jist.
I suspect this answer on the nerd-info page might need to be re-worked.
The internal key server auto-updates your contact's public key. This only works if they're also a Lavaboom user; if your contact uses another service and changes public key, then they'll need to give you the new key.
Man-in-the-middle attacks are a risk; we'll be publishing some detailed info on this shortly.
The purpose of Lavaboom is to remove all the weak links in email security from the email provider. DIY encryption is inherently more secure, but we're hoping to get regular folks using encrypted emailing.
Re: the internal key server, what I'm really asking is how do I know that you (or someone who gained access to a server) didn't replace the public key for a user? (and thus I end up encrypting to the wrong key). This could happen on both sides of a conversation if the server is malicious.
Re: MITM, are you thinking of supporting the use of e.g. a JS verification plugin like the mylar project made? It would be great to have a shared plugin for this gain traction rather than every product implementing its own browser extension. Users would still be trusting your JS, but at least not all the network infrastructure so much.
>> Lavaboom’s take on the RSA scandal?
> Since we do not have to use RSA to generate the keys, we don’t! SHA 512 is our jist.
Re: the faq above, I meant firstly that the "RSA scandal" and "RSA the algorithm" have basically nothing to do with one another so the answer is a non-sequitur. Secondly that since RSA and SHA 512 do different things, it's hard for me to understand how you replace one with the other without more information. User 616c above is asking the same question.
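The key-replacement concern raised in this comment can be made concrete with a client-side pin check. This is an added example, not part of any comment in the thread and not Lavaboom's code; `KeyPinStore`, `pinOf` and the sample key strings are hypothetical, and the pin is assumed to be a SHA-256 hash of the armored key text rather than a real OpenPGP fingerprint.

```javascript
const { createHash } = require('node:crypto');

// Assumption: pin = SHA-256 over the armored key text, line endings normalised.
// A real OpenPGP fingerprint is computed over the key packet instead.
function pinOf(armoredKey) {
  const normalised = armoredKey.replace(/\r\n/g, '\n').trim();
  return createHash('sha256').update(normalised, 'utf8').digest('hex');
}

class KeyPinStore {
  constructor() { this.pins = new Map(); } // email -> pinned hash

  // Run on every key the key server returns, before encrypting to it.
  check(email, armoredKey) {
    const id = email.trim().toLowerCase();
    const seen = pinOf(armoredKey);
    const pinned = this.pins.get(id);
    if (pinned === undefined) {
      this.pins.set(id, seen); // trust on first use
      return { status: 'first-use', pin: seen };
    }
    if (pinned === seen) return { status: 'match', pin: seen };
    // Never overwrite silently: a server-pushed "update" stays untrusted.
    return { status: 'changed', pinned, seen };
  }

  // Only after the user compared the pin with the contact out of band.
  acceptChange(email, armoredKey, confirmedPin) {
    const seen = pinOf(armoredKey);
    if (seen !== confirmedPin) return false;
    this.pins.set(email.trim().toLowerCase(), seen);
    return true;
  }
}

// Constructed sample "keys" (placeholders, not real PGP key material).
const wrap = (b) => `-----BEGIN PGP PUBLIC KEY BLOCK-----\n${b}\n-----END PGP PUBLIC KEY BLOCK-----`;
const ALICE_KEY = wrap('constructed-sample-1');
const SWAPPED_KEY = wrap('constructed-sample-2');

function demo() {
  const store = new KeyPinStore();
  return [
    store.check('alice@example.com', ALICE_KEY).status,          // first-use
    store.check('Alice@example.com', ALICE_KEY + '\r\n').status, // match
    store.check('alice@example.com', SWAPPED_KEY).status,        // changed
    store.check('alice@example.com', ALICE_KEY).status,          // match: pin kept
  ];
}
console.log(demo());
```

Pinning only detects a swap after the first fetch; the first key still has to be verified some other way.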
"Do we know the exact locations of our servers, and, if so, do we have physical access to our servers?"
"We do not know the exact locations of our servers. We do not have physical access to our servers."
"Rest assured that we do have something in place that will destroy our hard disks in a matter of minutes and turn them into little more than coasters."
Being able to send a message to your machines to say "delete everything and overwrite with lots of zeros" doesn't seem to be in conflict with not knowing exactly where the specific disks are in real life.
https://github.com/openpgpjs/openpgpjs