Lavaboom builds encrypted webmail service to resist snooping

The service has started accepting registrations for its upcoming beta testing period

A new webmail service called Lavaboom promises to provide easy-to-use email encryption without ever learning its users' private encryption keys or message contents.

Lavaboom, based in Germany and founded by Felix Müller-Irion, is named after Lavabit, the now defunct encrypted email provider believed to have been used by former NSA contractor Edward Snowden. Lavabit decided to shut down its operations in August in response to a U.S. government request for its SSL private key that would have allowed the government to decrypt all user emails.

Lavaboom designed its system for end-to-end encryption, meaning that only users will be in possession of the secret keys needed to decrypt the messages they receive from others. The service will only act as a carrier for already encrypted emails.

Lavaboom calls this feature "zero-knowledge privacy" and implemented it in a way that allows emails to be encrypted and decrypted locally using JavaScript code inside users' browsers instead of its own servers.

The goal of this implementation is to protect against upstream interception of email traffic as it travels over the Internet and to prevent Lavaboom to produce plaintext emails or encryption keys if the government requests them. While this would protect against some passive data collection efforts by intelligence agencies like the NSA, it probably won't protect against other attack techniques and exploits that such agencies have at their disposal to obtain data from computers and browsers after it was decrypted.

Security researchers have yet to weigh in on the strength of Lavaboom's implementation. The service said on its website that it considers making parts of the code open source and that it has a small budget for security audits if any researchers are interested.

Those interested in trying out the service can request to be included in its beta testing period, scheduled to start in about two weeks.

Free Lavaboom accounts will come with 250MB of storage space and will use two-way authentication based on the public-private keypair and a password. A premium subscription will cost €8 (around US$11) per month and will provide users with 1GB of storage space and a three-factor authentication option.

"In addition to your key-pair and password we can either send you a randomly generated code or you can use the OTP-feature of a YubiKey. Or even both. We strongly recommend using YubiKey," Lavaboom said on its website.

The service uses the popular OpenPGP email encryption standard that's based on public-key cryptography. Each user will have a public and a private key that will form a keypair. The public key will be advertised publicly and will be used by other users to encrypt messages sent to the key owner and the key owner will then use his private key to decrypt those messages.

"Key handling is a very sensitive issue," Lavaboom said in a technical FAQ section on its website. "We let you download your keypair during registration. This is to ensure that your key remains in your possession."

Lavaboom's JavaScript code and the user's private key is stored in the browser's cache, which leads to some limitations. For one, this ties the key to a particular browser and makes accessing the account possible only from the device where that browser is installed.

"Never clear your cache from Lavaboom," the email service provider warns on its website. "We do not offer password recovery, since we can't! Once you flush your private key, all your data stays encrypted until you somehow rediscover your private key. We will not provide you with any refunds if you lose your private key."

Because of this implementation, the service is also incompatible with tools like the NoScript security extension for Mozilla Firefox that blocks JavaScript code.

Lavaboom claims that it doesn't know the exact locations of its servers and doesn't have physical access to them, making it more difficult to respond to government requests for data.

"If we should become scrutinized by law enforcement we rely on a severe public outcry, since we are under jurisdiction of the German law and the best privacy laws in the world," the email service provider says on its website. "If we should ever be forced by the BSI or the BND [Germany's information security and foreign intelligence agencies] to give up all our data, rest assured that we do have something in place that will destroy our hard disks in a matter of minutes and turn them into little more than coasters."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityprivacyinternetdata protectionencryptionMailInternet-based applications and servicesLavabitLavaboom

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?