Think Lavabit overreacted? Think again: there is now proof that the FBI extorts root certificates from companies. Cryptography is only as good as the PKI’s physical security and its political environment.
For those who don’t remember, Lavabit was Edward Snowden’s email provider, and they shut down their fucking business rather than cooperating with a court order they claimed “would make them complicit in crimes against the American people.” They were bound by a gag order and threatened with jail if they violated it.
Today they won a victory in court and were able to get the secret court order unsealed, and holy shit is it a doozy: the ACLU’s Chris Soghoian called it “the nuclear option.” The court order revealed the US government demanded Lavabit turn over their root SSL certificate, something that allows them to monitor the traffic of every user of the service. Security researchers have argued for years over whether the government would be so heavy-handed as to try this, but there has never been any proof that they actually do, as no one has ever challenged such an order in court.
If a government can force a company to turn over the SSL keys, it breaks the trust model for the entire internet. Everything from Google to Facebook to Skype to your bank is only encrypted by SSL keys, and if the FBI can force Lavabit to hand over their SSL key, you can bet your ass they did the same thing to Google. People don’t understand how big this is for the internet’s trust model. This story changes everything. No US company that relies on SSL encryption can be trusted with sensitive data, which is what Lavabit asserted in their “farewell address” and people thought was an overreaction.
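What a handed-over server key actually buys an eavesdropper, and where forward secrecy limits it, as an added Go example that is not part of the original post: it contrasts RSA key transport, where the private key behind the certificate decrypts recorded sessions, with an ECDHE exchange, where that key alone cannot. It is a constructed toy model rather than real TLS, and newServerKey, rsaKeyTransport, recoverWithServerKey and ecdheSession are names chosen here.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed toy model, not a TLS implementation. newServerKey stands in for
// the long-lived private key behind a server's certificate.
func newServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// rsaKeyTransport models the TLS_RSA_* cipher suites: the client encrypts a premaster
// secret to the certificate's public key; the ciphertext is all a passive observer records.
func rsaKeyTransport(serverPub *rsa.PublicKey, premaster []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, premaster, nil)
}

// recoverWithServerKey: whoever holds that private key, including a party it was
// handed to, turns the recording back into the premaster and so the session keys.
func recoverWithServerKey(serverPriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, serverPriv, ct, nil)
}

// ecdheSession models a forward-secret exchange with fresh X25519 keys on both sides; the
// ephemeral private keys die with this call, so the certificate key cannot open a recording.
func ecdheSession() (clientSecret, serverSecret, clientShare, serverShare []byte, err error) {
	curve := ecdh.X25519()
	cPriv, errC := curve.GenerateKey(rand.Reader)
	sPriv, errS := curve.GenerateKey(rand.Reader)
	if err = errors.Join(errC, errS); err != nil {
		return
	}
	if clientSecret, err = cPriv.ECDH(sPriv.PublicKey()); err != nil {
		return
	}
	serverSecret, err = sPriv.ECDH(cPriv.PublicKey())
	return clientSecret, serverSecret, cPriv.PublicKey().Bytes(), sPriv.PublicKey().Bytes(), err
}

func main() {
	serverKey, _ := newServerKey()
	ct, _ := rsaKeyTransport(&serverKey.PublicKey, []byte("constructed premaster"))
	got, _ := recoverWithServerKey(serverKey, ct)
	cs, ss, _, _, _ := ecdheSession()
	fmt.Println("server key recovers RSA-transported premaster:", string(got) == "constructed premaster", "| ECDHE sides agree:", string(cs) == string(ss))
}
```

Forward-secret cipher suites keep past recordings unreadable, but a key that has left the company still lets its holder impersonate the server in future connections, so rotating the key and revoking the certificate remain necessary.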