Does not make sense to me. Lavabit claims that it cannot decrypt customers' data, but if someone else could read what goes between the Lavabit server and a client, they could decrypt the data? So, how come Lavabit can't do the same thing?
But my guess is he's referring to replacing the login page's JavaScript code with a malicious one that phones back the plaintext password. Kinda like a keylogger.
Lavabit's original architecture only stores an encrypted version of the private key needed to decrypt the messages. The private key is encrypted with the user's password, and they don't store this password in plain text.
However, if you could intercept this password, and already had a copy of the encrypted private key as well as the encrypted data from Lavabit, you could then decrypt the data.
Presumably Lavabit didn't want to backdoor their services by either storing a copy of the session keys, the password, or the plain text -- and chose to shut down instead.