The internal key server auto updates your contacts public key, this only works if they're also a Lavaboom user, if your contact uses another service and changes public key then they'll need to give you the new key.
Man in the middle attacks are a risk, we'll be publishing some detailed info on this shortly.
The purpose of Lavaboom is to remove all the weak links in email security from the email provider. DIY encryption is inherently more secure, but we're hoping to get regular folks using encrypted emailing.
Re: the internal key server, what I'm really asking is how do I know that you (or someone who gained access to a server) didn't replace the public key for a user? (and thus I end up encrypting to the wrong key). This could happen on both sides of a conversation if the server is malicious.
Re: MITM are you thinking of supporting the use of e.g. a JS verification plugin like the mylar project made? It would be great to have a shared plugin for this gain traction rather than every product implementing its own browser extension. Users would still be trusting your JS, but at least not all the network infrastructure so much.
>> Lavaboom’s take on the RSA scandal?
> Since we do not have to use RSA to generate the keys, we don’t! SHA 512 is our jist.
Re: the faq above, I meant firstly that the "RSA scandal" and "RSA the algorithm" have basically nothing to do with one another so the answer is a non-sequitur. Secondly that since RSA and SHA 512 do different things, it's hard for me to understand how you replace one with the other without more information. User 616c above is asking the same question.
Man in the middle attacks are a risk, we'll be publishing some detailed info on this shortly.
The purpose of Lavaboom is to remove all the weak links in email security from the email provider. DIY encryption is inherently more secure, but we're hoping to get regular folks using encrypted emailing.
RE the RSA answer - how so?