
Question: Does anyone here understand where exactly systems that incorporate a zero-knowledge architecture fit into the recently illuminated legal framework (re: warrants, etc.)?

i.e. if I implement my service so that I don't have the keys and cannot reasonably obtain them, what does that mean for my users and their data, presuming the data is stored in the US? Juicy example: Lastpass. (I am not affiliated with Lastpass.)

I'm sure this has already been discussed on HN recently, but with the dizzying number of PRISM/Snowden/Leaks/Wiretapping threads flying around it's difficult to keep up.




Lastpass can access your decrypted password vault if they are compelled to. All they have to do is send you some modified JavaScript which steals your password/key.

They're certainly worried about persistent XSS attacks being used to gain access to people's vaults. There's nothing stopping them performing one of these attacks themselves, targeted to a specific user.

If you think this is unlikely, look up Hushmail being compelled to send modified Java applets to their users to steal their keys. It has been done before.

So yeah, if the US government wants access to a list of all of your accounts, when you logged in to them, what IPs you logged in with and your usernames and passwords, they'd probably be quite pleased to find out you're using Lastpass.


Well Lastpass was just an example. With enough effort any service can be hacked, but if the bar is high enough it means it's more likely that the US gov can't/won't do it en masse. I would note that Lastpass allows you to implement Google Authenticator/Yubikey/One-time-pad/Biometrics to help secure your key against a simple XSS attack. I think that probably qualifies as 'setting the bar high.'

In any case, my question was more towards the _legal_ situation, not the technical. Suppose you have a near-perfect no-knowledge system, how does the US gov view that entity? At least in theory, if they cannot reasonably force the company to give up the keys, what can they legally do? Can they force the company to shutdown? Can they make the company force users off the service in an attempt to get them into a less secure realm? Are such systems even legal in the current climate?

Of course there is always a way to hack it, and the $5 wrench will beat anything (pun intended), but as far as the mass surveillance mandate goes those options are probably out.


To be clear, I was not describing a hack. LastPass can be forced by the US government to get a LastPass user's keys. All they need to do is get a court order and tell LastPass to send some backdoored code to the user, exactly like they do with Hushmail.



