Seven Spanish activists were jailed in 2015 for their "possession of certain books...and the fact that the defendants used emails with extreme security measures, such as the RISE UP server" [1]. Do we know what became of that case?
I've implemented something similar, but am by no means an expert. Here's my take, experts please correct me!
Argon2 was the winner of a password hashing competition. An effective password hasher "stretches" the entropy of the password. In other words, it maps the space P of passwords to K of keys in such a way that guessing a key requires painful testing of every p. Since |P| << |K|, you need to make sure there aren't tricks whereby you can figure out subsets of K that are interesting and skip the expensive computation. You also need to make sure that hashing is expensive; that there are no shortcuts to blaze through all passwords. (Plus a myriad other concerns, including safely running the algorithm without outsiders being able to figure out the passwords based on timing and such)
So now you can take a password, make a key, and encrypt stuff. Guessing the key is hard because trying each password is expensive, and there are too many keys to check them all.
Libsodium is a crypto library that simplifies crypto down to "symmetric encryption" or "public key encryption" no mucking around with algorithm and parameter choices, constant time compares, etc.
So here your password is securely translated into a private key, whose public key pair they use to encrypt everything as it comes in. The middle step is necessary because argon2 stretches passwords into symmetric keys, but you want an assymetric key pair. So you generate a random key pair and encrypt the private key with your argon2 provided key
> 6. New mail is encrypted as it arrives using the Curve25519 public key.
a "going forward" request could start capturing the incoming mail. But yeah reading the how it works section I can not see why they couldn't be compelled to decrypt on next login.
Riseup do say:-
> To be absolutely clear, this type of encryption is not end-to-end message encryption. With Riseup’s new system, you still put faith in the server while you are logged in. For full end-to-end email encryption, as before, you must use a client that supports OpenPGP (and is not web-based).
> We are working to roll out a more comprehensive end-to-end system in the coming year, but until that is ready, we are deploying personally encrypted storage in the mean time.
The secret box is stored on the server but the argon2 digest which protects it isn't, Looks like it created from the login password
> NOTE: the database MUST NOT store the argon2 digest, since this value is the secret key that unlocks locked_secretbox. This is very different than how password hashing for authentication works, where the digest and parameters are stored.
So they are storing the locked secretbox on the server which contains the key to decrypt so they can send you the decrypted messages after login. Encrypting the whole message means that the contents and the meta data is secure at rest. If BringYourOwnLawEnforcement came by and imaged the storage without the argon2 digest the messages are useless.
But if Riseup were pushed to so then during the users next login the digest could be stored (Breaking the "MUST NOT" rule) when created and then handed over to BringYourOwnLawEnforcement which could then then be used to decrypt the messages as received by dovecot.
Now if the contents of those messages where also encrypted with say PGP when BYOLE wouldn't be able to read the message (unless they could break a weak PGP key, had a copy of the PGP Private key too) but they would still get the metadata that comes along with the message. (Time, Date, Sender, etc, etc).
Maybe I misunderstood the meaning of one or more of the steps above. However it seems that if law enforcement wants to look at the messages of a user they only need to make Riseup decrypt for them every message at step 5. The only protection is not logging in because they need the cleartext password to start with.
People check their email often, so maybe this is why they are writing
> this type of encryption is not end-to-end message encryption. With Riseup’s new system, you still put faith in the server while you are logged in
The message should be "if you think you're under investigation, abandon your email and don't login anymore."
Another attack is with the received messages: I assume they are all cleartext and can be intercepted before they are encrypted at step 6, with or without the cooperation of Riseup. Messages in a conversation often integrally quote all the previous messages so there might even be no need to force Riseup decrypt anything at step 5.
As of today, there is no case where the government has pressed the issue about modifying systems. They thought they had the perfect case with San Bernadino/Apple, in fact they are trying to pick the best case in terms of players in order to establish precedent, but they backed down because all of silicon valley rose up in protest. If Riseup became a test case for this it would be a big deal, this would be a legal fight that would bring armies of lawyers who have been dying to litigate this exact scenario, and sillicon valley would also get behind such a case (as they did with Apple). But the government isn't likely to pick Riseup as the target for such a case, they want someone big like Apple.
In particular, what you are talking about is a Title III Wiretap (in transit) order with an additional element of technical assistance that requires significant re-architecture that would expose massive take, or enforced lying (endorse a false cert). This would put a huge burden on Riseup, and significantly undermine their operation. A Title III Wiretap order can only be done in very specific cases, it is much harder to obtain one of these than it is for a simple search warrant, or subponea. In fact its so difficult, that in 2015 Google received 15 wiretap orders in total and more thaan 8k search warrants. Not only that, but the government must show they can do data minimization and there is a notification requirement (unlike a search warrant) where they notify the target after 90 days. The tighter particularity requirements built into the statute make this a very good position for Riseup to be in.
Thanks. With respect, do you have expertise on this issue? It's just useful to know if we're hearing from an attorney who practices in this area or someone who happens to be well-read in it.
> there is no case where the government has pressed the issue about modifying systems
Do we know that, or would it be more accurate to say 'there is no case that we know of'? And we do have some reason to believe that the U.S. government has pressured large telcos to modify equipment; look up Qwest's story.
The message should be "if you think you're under investigation, abandon your email and don't login anymore."
How does that not translate into people who are concerned about investigations simply not using Riseup (at least, for email)?
It doesn't seem particularly likely that every member of a group of people will find out about the investigation before any damage is done and then also follow through abandoning their accounts with perfect discipline.
If your going to make Riseup decrypt every message on login, might as well have them mirror the email and encrypt with an LE password (They can still claim every stored email is encrypted) for any future incoming mail.
They won't get access to past mail until the user next logs in but would least get access to any future mail the account receives and you are not in control of any email being received.
It is intended for activists, but I have never felt comfortable recommending it to my activist friends. I trust the people who run it not to give up data easily, but I don't trust their tech to be at all resistant to a state level actor, which is primarily who activists need to fear.
I'm not convinced this change alters that assessment, as the implementation seems questionable (the secret exchange seems to be on the wrong side of the connection). But maybe I just misunderstand it.
The secret exchange is certainly on the wrong side of the connection, but it's either that or change the way email clients work. We are living in an IMAP4 world and if you choose to "trust the server", as they state it, this seems like a reasonable solution.
I would be very interested in seeing people experiment with more specific warrant canaries. Many of them currently are of the form, "This service has not received any of these kinds of orders at any time before YYYY-MM-DD." What if instead, to go to an extreme (though it could be somewhere in between), each user could check a page that had a long list of statements regarding their account, e.g. "We did not comply with a {TYPE} order between 02:00 and 03:00 GMT on 2017-02-17 that affected your account." Obviously that's poking the surveillance bear more than a really broad canary (ooh, big deal, now people know X provider with 100 million users received an order within T time of the last update to the canary), but I'm not sure that it's qualitatively different.
It seems to me that it did its job here. The only thing a warrant canary claims to be able to do is to make people aware that a warrant was served on a provider, even when a gag order prevents the provider explicitly saying so. The warrant canary at riseup disappeared, which did have the effect of making people aware of that fact.
Now it turned out that the warrant was just for some malware-extortion ring, not due to a crackdown on political dissidents, so arguably a "false positive" from the perspective of what most people using riseup for its stated purpose care about. But the warrant canary didn't claim to make those kinds of fine-grained distinctions in the first place. It claimed that it would let you know when there was an unannounced warrant, and it succeeded in doing so.
> Now it turned out that the warrant was just for some malware-extortion ring, not due to a crackdown on political dissidents, so arguably a "false positive" from the perspective of what most people using riseup for its stated purpose care about
Except that now that it's gone there's nothing to say that people who were previously held at bay by the canary [side note: hah] moved in right after it disappeared.
Thus I agree; a WC should be seen as nothing more than a "probably not" to a "maybe/assume so".
That wasn't an official riseup response to the failure to update the canary statement. That was a tribute to Leonard Cohen. It seems many people on twitter thought this was a hidden message, but Riseup said it wasn't.
It doesn't seem to make sense that riseup would deliberately violate the gag order in some clever and difficult to understand reference to a song. When you are subject to a gag order, you don't try to get around it by quoting lyrics.
> There was a “gag order” that prevented us from disclosing even the existence of these warrants until now. This was also the reason why we could not update our “Canary”
Seems the exact purpose it was intended for. And they discuss at length why that canary was too broad and how the new one is better.
Question: Can a gag order in the US force a person to lie? If they say publicly there are no outstanding gag orders, FBI warrants, or other compromizing orders (and assuming I'd trust them apart from that), can I trust that they are telling the truth?
You are supposed to receive invites only from people you know. Riseup users who deliver invites to somebody creating trouble will have their account revoked.
The admins are likely to approve an account if you're a member of a health collective for trafficked transgender women of color or something like that. Read some activist publications to learn the jargon, and you too can have your own network of riseup addresses
[1] https://www.eff.org/deeplinks/2015/01/security-not-crime-unl...