How secure can a WebApp be?

Using a WebApp to encrypt your emails is inherently less secure than encrypting your emails yourself. We provide a service for those who can’t encrypt their own email and we do everything possible to make Lavaboom easy to use while keeping the service as secure as possible.

What specific tools do you use to encrypt email?

We make use of a variety of free and OpenSource libraries, notably there is the OpenPGP-library, which we use to generate your keys and to store them locally in your browser’s Javascript cache. That is why you cannot use our services with a tool like NoScript enabled on Firefox.

Why do we use JavaScript browser encryption?

JavaScript is the only way we can ensure current web applications being run on the computer. Other than JavaScript, the only other way would be to put an application on the users computer.

How do you protect against a ‘Man in the Middle’ attack on the JavaScript?

We use Perfect Forward Secrecy to protect against MITM attacks, although we are always looking to improve our security.

Is there a danger that my private key could be acquired at generation?

All key generation is done on the client side with JS and public keys are transferred to the server from the client. It makes your device the weak link but this is the most secure option available right now.

Are there any back doors built into Lavaboom?

There are no back doors built into Lavaboom and there never will be. Please see our warrant canary.

Does Lavaboom use AWS?

No, we have never used Amazon Web Services.

Does Lavaboom use DarkMail?

When an OpenSource version is published, we’ll consider DarkMail implementation.

Does Lavaboom use third parties and, if so, which ones?

We use a self-hosted Joomla CMS System, Joomla.org, like WordPress or Drupal. StartSSL CA for certificate issuing. EasySCP as a Server-control-panel. EasySCP.net, GitLab self-hosted, Piwik self-hosted and jNews component email service.

Can we alter metadata? If so, how?

Yes, we make sure that your IP is replaced by ours with a simple cronjob script.

How about opening up the Sourcecode for review?

Certainly. We are currently considering making the code partially OpenSource. Security researchers please email us for more info. We don’t want to keep the code base from somebody who is interested in becoming an individual auditor for us.

Send a note to [email protected] if you’re interested in becoming an auditor for Lavaboom. We do have a small budget for audits so provide us with some links such as your github or bitbucket account, we’d love to hear from you!

What technology do you use?

We are using Javascript, SSL and Forward secrecy. We will use bcrypt as a password pre-hashing tool, which will prevent any plain text passwords flying through the cloud.

How does it work?

On the backend side, we use a Standard iRedMail-Server with Dovecot-IMAP. We are utilising a cluster of different secure servers in different locations. Your data is stored on a hard drive using LUKS and PaX Kernel. PaX Kernel is a sure thing, and Bitlocker is one of the best currently available tools. LUKS is also a great tool, however it doesn’t work with our failsafe. Please note that your data remains yours, since it only ever reaches our servers in a fully encrypted fashion. How do we ensure that? That’s where the Front-End kicks in. Lavaboom is a JavaScript webmail application which runs in your browsers JavaScript cache. We use (except for IE) established JavaScript libraries to ensure that the Email we send to you is only decrypted in your browser. That means we make sure that your Email remains your Email, and can only be read by you.

How does key handling work? Do you store the private keys of the user?

Your keys are generated in the client, not the server, this means we never gain access to your private key. You download your keypair during registration and your key remains in your possession. Never clear your cache from Lavaboom. We do not offer password recovery. If you lose your private key, your data stays encrypted until you rediscover your private key. We will not provide you with any refunds if you lose your private key. We store your key in your browser, so that you’re only able to access your account from one device using the one browser. We will be enabling multiple devices in the near future.

Should I submit my public key to a key-server?

We highly recommend you do. Even though there are certain risks involved with submitting your key to a public key service. We only use trusted, Open-Source key-servers such as the SKS-Pool and the MIT-Pool. These services are used for public key submission as well as public-key retrieval. You can add your key to a key-server or exchange public key hashes and then manually import them into Lavaboom.

Will I be able to communicate with non-Lavaboom users?

Yes. All you need to do is exchange public keys.

However if you’re both Lavaboom-Users, our database will look up your public key upon you typing the @lavaboom.com address into the to-field. That means there is no necessity for you to exchange keys insecurely over Email. We utilise an internal key-server for this.

Is there any transparency around the internal key server?

You will not be able to access the internal keyserver from the outside, so other than localhost it’s not possible to access the keyserver. This is only for @lavaboom.com users.

Does Lavaboom Salt passwords as well as Hashing them?

Yes, this is done with bcrypt automatically.

What methodology do you and your development team use?

We use the Kanban method, a fast and reliable way to ensure constant development. It is an Agile development tool, used by companies such as Facebook and Google, which enables the individual developer to make anything he sees the need for. It also ensures that we have something being shipped 24/7.

Do we know the exact locations of our servers, and, if so, do we have physical access to our servers?

We do not know the exact locations of our servers. They are located in separate locations around Germany and we are aware of the general area. As such we do not have physical access to our servers.

If we should ever be forced by the BSI or the BND to give up all our data, rest assured that we do have something in place that will destroy our hard disks in a matter of minutes and turn them into little more than coasters. More information.

What’s your SMTP configuration? Do you use DMARC? How are SSL endpoints configured?

No dmarc, DKIM and SPF yes. No ipv6, currently. SSL endpoints are configured using the StartSSL CA. We employ no outside API’s. So no clients beside our own is possible.

Are you encrypting any data at rest?

We use HTML5 storage via indexedDB. We are encrypting the data running through our REST API’s. Unencrypted emails sent and received with Lavaboom are encrypted when at rest.

Can we be ‘totally’ secure?

You can never ensure total security, but we do what is feasible. 4096 bits appears to not be crackable within 30 years. As far as we are aware, PGP are ‘NSA-proof’, but it is impossible to totally be sure. Lavaboom is not NSA-proof. If you cannot risk your emails getting into NSA hands, we suggest you have a look at PGP-encryption methods and what they can do for you.

Does Lavaboom have any ties to the US?

We have no ties to the United States of America.

I’m American, should I travel with my private keys?

If you are a citizen of the US you should never leave your home country carrying private keys with you as on re-entry the TSA is authorised to seize computers without a warrant.

Lavaboom’s take on the RSA scandal?

We are using RSA encryption right now though we are working on implementing NTRU.

How are you funded?

We are entirely self-funded and have no obligations to any other party. We will never share or divulge user information or make weaker the tools we provide to protect our users’ privacy.

Can I try Lavaboom?

Yes! Simply type in your email below to receive an invitation. Welcome to Lavaboom