How secure can a WebApp be?

Using a WebApp to encrypt your emails is inherently less secure than encrypting your emails yourself. We provide a service for those who can’t encrypt their own email and we do everything possible to make Lavaboom easy to use while keeping the service as secure as possible.

What specific tools do you use to encrypt email?

We make use of a variety of free and OpenSource libraries, notably the OpenPGP-library, which we use to generate your keys and to store them locally in your browser’s JavaScript cache. That is why you cannot use our services with a tool like NoScript enabled on Firefox.

Why do we use JavaScript browser encryption?

JavaScript is the only way to run a current web application on the user’s computer. The only alternative would be to put an application on the user’s computer.

How do you protect against a ‘Man in the Middle’ attack on the JavaScript?

We use Perfect Forward Secrecy to protect against MITM attacks, although we are always looking to improve our security.

Is there a danger that my private key could be acquired at generation?

All key generation is done on the client side with JS and public keys are transferred to the server from the client. It makes your device the weak link but this is the most secure option available right now.

Does Lavaboom use AWS?

No, we have never used Amazon Web Services.

Does Lavaboom use DarkMail?

When an OpenSource version is published, we’ll consider DarkMail implementation.

Does Lavaboom use third parties and, if so, which ones?

We use a self-hosted Joomla CMS (Joomla.org, like WordPress or Drupal), StartSSL CA for certificate issuing, EasySCP (EasySCP.net) as a server control panel, self-hosted GitLab, self-hosted Piwik, the jnews component email service and Google Analytics.

Can we alter metadata? If so, how?

Yes, we make sure that your IP is replaced by ours. It’s a very simple cronjob script.

How about opening up the Sourcecode for review?

Certainly. We are currently considering making the code partially OpenSource. Security researchers please email us for more info. We don’t want to keep the code base from somebody who’s interested in becoming an individual auditor for us!

Send a note to [email protected] if you’re interested in becoming an auditor for Lavaboom. We do have a small budget for audits, so provide us with some links, such as your GitHub or Bitbucket account. We’d love to hear from you!

What technology do you use?

We are using JavaScript, SSL and forward secrecy. We will use bcrypt as a password pre-hashing tool, which will prevent any plain text passwords flying through the cloud.
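
The pre-hashing idea above, as an added example that is not Lavaboom's code: the browser stretches the password before sending it, and because that derived value is now what logs the user in, the server hashes it again rather than storing it verbatim. Assumptions: Node's built-in scrypt stands in for bcrypt, the address-derived client salt is one possible scheme, and all function names are hypothetical.

```javascript
// Added example: scrypt from Node's crypto module stands in for bcrypt.
const nodeCrypto = require("node:crypto");

// Browser side: stretch the password so the plain text never leaves the client.
// The salt is derived from the address (an assumption) so that the same value
// can be recomputed at every login without asking the server for anything.
function clientPreHash(address, password) {
  const salt = nodeCrypto.createHash("sha256")
    .update("prehash-v1:" + address.toLowerCase())
    .digest();
  return nodeCrypto
    .scryptSync(password.normalize("NFKC"), salt, 32, { N: 2 ** 14, r: 8, p: 1 })
    .toString("hex");
}

// Server side: the pre-hash is password-equivalent, so it is hashed again with
// a random per-user salt and only that verifier is stored.
function serverEnroll(preHashHex) {
  const salt = nodeCrypto.randomBytes(16);
  const verifier = nodeCrypto.scryptSync(Buffer.from(preHashHex, "hex"), salt, 32);
  return { salt: salt.toString("hex"), verifier: verifier.toString("hex") };
}

// Server side: reject malformed input, then compare in constant time.
function serverVerify(record, preHashHex) {
  if (!/^[0-9a-f]{64}$/.test(preHashHex)) return false;
  const candidate = nodeCrypto.scryptSync(
    Buffer.from(preHashHex, "hex"), Buffer.from(record.salt, "hex"), 32);
  return nodeCrypto.timingSafeEqual(candidate, Buffer.from(record.verifier, "hex"));
}

// Constructed sample account and passwords.
const preHash = clientPreHash("alice@example.com", "correct horse battery");
const record = serverEnroll(preHash);
console.log("login ok:", serverVerify(record, preHash));
console.log("wrong password ok:",
  serverVerify(record, clientPreHash("alice@example.com", "wrong guess")));
```

A database leak then exposes only the second-stage verifier, which cannot be replayed as a login value.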

How does it work?

On the backend side, we use a standard iRedMail server with Dovecot IMAP. We are utilising a cluster of different secure servers in different locations. Your data is stored on a hard drive using TrueCrypt and PaX Kernel. PaX Kernel is a sure thing, and TrueCrypt is one of the best currently available tools. LUKS is also a great tool, however it doesn’t work with our failsafe. Please note that your data remains yours, since it only ever reaches our servers in a fully encrypted fashion. How do we ensure that? That’s where the front end kicks in. Lavaboom is a JavaScript webmail application which runs in your browser’s JavaScript cache. We use (except for IE) established JavaScript libraries to ensure that the email we send to you is only decrypted in your browser. That means we make sure that your email remains your email, and can only be read by you.

How does key handling work? Do you store the private keys of the user?

Key handling is a very sensitive issue. Keys are generated in the client, not the server, meaning we never gain access to your private key. We let you download your keypair during registration. This is to ensure that your key remains in your possession. Never clear your cache from Lavaboom. We do not offer password recovery, since we can’t! Once you flush your private key, all your data stays encrypted until you somehow rediscover your private key. We will not provide you with any refunds if you lose your private key. We store your key in your browser, so that you’re only able to access your account from one device using the one browser. We are working on enabling multiple devices in the near future.

Should I submit my public key to a key-server?

We highly recommend you do, even though there are certain risks involved with submitting your key to a public key service. We only use trusted, OpenSource key-servers such as the SKS-Pool and the MIT-Pool. These services are used for public key submission as well as public-key retrieval. You can add your key to a key-server or exchange public key hashes and then manually import them into Lavaboom.
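
One way to do the hash comparison described above before importing a key, as an added example that is not Lavaboom's code. Assumptions: Node's built-in crypto stands in for the browser OpenPGP library, the fingerprint is a plain SHA-256 of the encoded public key rather than the OpenPGP fingerprint format, and all function names are hypothetical.

```javascript
// Added example: Node's built-in crypto stands in for the browser OpenPGP library.
const nodeCrypto = require("node:crypto");

// Client side: the pair is generated locally and only the public half is published.
function generateClientKeypair(bits = 4096) {
  return nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: bits,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

// SHA-256 over the DER-encoded public key (not the OpenPGP fingerprint format):
// the short value two correspondents compare over a separate channel.
function fingerprint(publicKeyPem) {
  const der = nodeCrypto.createPublicKey(publicKeyPem).export({ type: "spki", format: "der" });
  return nodeCrypto.createHash("sha256").update(der).digest("hex");
}

// Accept a key fetched from a key server only if it matches the exchanged hash.
function importVerifiedKey(fetchedPem, expectedFingerprint) {
  const expected = expectedFingerprint.replace(/[\s:]/g, "").toLowerCase();
  if (fingerprint(fetchedPem) !== expected) {
    throw new Error("key server returned a key that does not match the exchanged fingerprint");
  }
  return nodeCrypto.createPublicKey(fetchedPem);
}

// Wrap a fresh 256-bit session key for the verified recipient (RSA-OAEP).
function wrapSessionKey(recipientKey) {
  const sessionKey = nodeCrypto.randomBytes(32);
  const wrapped = nodeCrypto.publicEncrypt({ key: recipientKey, oaepHash: "sha256" }, sessionKey);
  return { sessionKey, wrapped };
}

// Constructed demo; 2048 bits only to keep it quick.
const recipient = generateClientKeypair(2048);
const exchanged = fingerprint(recipient.publicKey); // compared out of band
const verified = importVerifiedKey(recipient.publicKey, exchanged);
const { sessionKey, wrapped } = wrapSessionKey(verified);
const unwrapped = nodeCrypto.privateDecrypt(
  { key: recipient.privateKey, oaepHash: "sha256" }, wrapped);
console.log("session key recovered by key owner:", unwrapped.equals(sessionKey));
```

A key that was swapped on the key server fails the comparison and is never used for encryption.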

Will I be able to communicate with non-Lavaboom users?

Yes. All you need to do is exchange public keys.

However, if you’re both Lavaboom users, our database will look up your public key when you type the @lavaboom.com address into the To field. That means there is no need for you to exchange keys insecurely over email. We utilise an internal key-server for this.

Is there any transparency around the internal key server?

You will not be able to access the internal keyserver from the outside, so other than localhost it’s not possible to access the keyserver. This is only for @lavaboom.com users.

What methodology do you and your development team use?

We use the Kanban method, a fast and reliable way to ensure constant development. It is an Agile development tool, used by companies such as Facebook and Google, which enables the individual developer to make anything he sees the need for. It also ensures that we have something being shipped 24/7.

Do we know the exact locations of our servers, and, if so, do we have physical access to our servers?

We do not know the exact locations of our servers. They are located in separate locations around Germany and we are aware of the general area. As such we do not have physical access to our servers.

If we should ever be forced by the BSI or the BND to give up all our data, rest assured that we do have something in place that will destroy our hard disks in a matter of minutes and turn them into little more than coasters.

What’s your SMTP configuration? Do you use DMARC? How are SSL endpoints configured?

No DMARC; DKIM and SPF, yes. No IPv6, currently. SSL endpoints are configured using the StartSSL CA. We employ no outside APIs, so no clients besides our own are possible.

Are you encrypting any data at rest?

We use HTML5 storage via IndexedDB. We are encrypting the data running through our REST APIs.

Can we be ‘totally’ secure?

You can never ensure total security, but we do what is feasible. 4096 bits appears to not be crackable within 30 years. As far as we are aware, we are ‘NSA-proof’, but it is impossible to totally be sure. If you cannot risk your emails getting into NSA hands, we suggest you have a look at PGP-encryption methods and what they can do for you.

Does Lavaboom have any ties to the US?

We have no ties to the United States of America.

I’m American, should I travel with my private keys?

If you are a citizen of the US you should never leave your home country carrying private keys with you as on re-entry the TSA is authorised to seize computers without a warrant.

Lavaboom’s take on the RSA scandal?

We don’t use RSA to generate the keys; SHA 512 is our gist. We are using RSA encryption right now, though we are working on implementing NTRU.

How are you funded?

We are entirely self-funded and have no obligations to any other party. We will never share or divulge user information or make weaker the tools we provide to protect our users’ privacy.