14 DAY TRIAL // After spending 20 months in closed development, Lavaboom, the email service that promises end-to-end encryption, started to send out sign-up invitations to 25,000 users on the waiting list.
Lavaboom aims to deliver completely private email communication that makes secret not only message content but also the metadata accompanying it, such as the address of the sender and the recipient and the subject line.
Lavaboom is powered by new technology
To achieve this, the service relies on OpenPGP.js, the open source PGP (Pretty Good Privacy) library for JavaScript, and DIME (Dark Internet Mail Environment) technology that uses new message exchange protocols DMTP (the Dark Mail Transfer Protocol) and DMAP (Dark Mail Access Protocol) for encryption.
DIME is developed by the Darkmail Technical Alliance, whose team is composed of Phil Zimmerman (the designer of PGP), Jon Callas from Silent Circle and Mike Janke, both from Silent Circle, and Ladar Levison, the founder of the now defunct Lavabit secure email service that refused to provide the SSL encryption keys to the NSA.
Lavaboom follows in the footsteps of Lavabit as far as the security of email exchange is concerned, but has a much stronger risk management approach. Its data centers are on German territory, where authorities in the US have no jurisdiction.
Email content protected with strong encryption
Furthermore, to ensure full privacy, Lavaboom uses client-side encryption, which means that the traffic is encrypted on the user’s computer and travels securely to its end destination, where it is decrypted.
OpenPGP works by the principles of public-key cryptography, where a public key encrypts the message and a private one unlocks it. The public keys are exchanged between the two parties, while the private ones have to remain secret.
This technology is not easy to manage by non-technical persons, but Lavaboom managed to make it accessible to everyone, without having to learn the details.
“Though it is possible to make email more secure, as a rule email encryption is highly expensive or too difficult for the average person to use. That’s what Lavaboom is trying to fix. As a direct result of the Snowden revelations in 2013 we began work on an email provider that non-technical people could use without noticing a difference to an insecure but highly user friendly email provider. Lavaboom is an email provider built for privacy, we’re going to help people send letters, not postcards,” said Felix Müller-Irion, CEO of Lavaboom.
The sign-up process is quick
We were provided early access to the mail platform and were able to sign up in about one minute, including the generation of the key pair, backing it up and taking snapshots of the procedure. However, a non-technical user may be spending about two minutes to go through the seven-step process and read the explanations at each step.
The keys are saved locally, in the browser cache, which means that content cannot be viewed when accessing the account from a different web browser or if the cache has been cleared. In this case, importing the key pair is necessary.
For those who do not want to store the private and public keys on a device, Lavaboom offers the possibility to save them on its servers.
Email service is no longer the weak link
The service provides encryption both at rest and in transit, but a threat actor can still access the content, if they manage to steal the keys from the device that stores them.
Although Lavaboom is designed to harden privacy, it does not claim full protection against governmental spying agencies. “Lavaboom is suitable for combatting dragnet surveillance, corporate profiling and pesky hackers. Our security is better than Gmail, but you should not put your life in the hands of any email provider,” read the technical details of the service.
