Hushmail: Difference between revisions
Content deleted Content added
Hushmail doesn't offer a free trial. All small Business plans include archiving. Forms are available on certain plans. |
|||
| (71 intermediate revisions by 44 users not shown) | |||
| Line 1: | Line 1: | ||
{{Short description|Web-based encrypted mail service}} |
|||
{{update|date=February 2016}} |
|||
{{Infobox |
{{Infobox website |
||
| name = Hushmail |
| name = Hushmail |
||
| favicon = |
| favicon = |
||
| logo = |
| logo = |
||
| screenshot = |
| screenshot = |
||
| caption = |
| caption = |
||
| url = [https://www.hushmail.com Hushmail.com] |
| url = [https://www.hushmail.com Hushmail.com] |
||
| ⚫ | |||
| alexa = {{Decrease}} 13,799 ({{as of|2016|02|11|alt=February 2016}})<ref name="alexa">{{cite web|url= http://www.alexa.com/siteinfo/hushmail.com |title= Hushmail.com Site Info | publisher= [[Alexa Internet]] |accessdate= 2016-02-11 }}</ref> |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| headquarters = Vancouver, British Columbia, Canada |
|||
| ⚫ | |||
| owner = Hush Communications |
| owner = Hush Communications Ltd |
||
| author = Cliff Baltzley |
| author = Cliff Baltzley |
||
| |
| launch_date = 1999 |
||
| current_status = Online |
|||
| current status = Active |
|||
| revenue = |
| revenue = |
||
| content_license = [[Proprietary software|Proprietary]] |
|||
}} |
}} |
||
'''Hushmail''' is |
'''Hushmail''' is an [[Encryption|encrypted]] [[Proprietary software|proprietary]] [[web-based email]] service offering [[Pretty Good Privacy|PGP]]-encrypted [[e-mail]] and [[vanity domain]] service. Hushmail uses [[OpenPGP]] standards. If [[public encryption key]]s are available to both recipient and sender (either both are Hushmail users or have uploaded PGP keys to the Hush keyserver), Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password (with a password hint) and stored for pickup by the recipient, or the message can be sent in cleartext. In July 2016, the company launched an [[iOS]] app that offers [[end-to-end encryption]] and full integration with the webmail settings. The company is located in [[Vancouver]], [[British Columbia]], [[Canada]].<ref>{{Cite web|url=http://thetyee.ca/Mediacheck/2007/11/27/E-mailDropping/|title=Private E-mail Not Hush Hush|last=Geist|first=Michael|date=2007-11-27|website=The Tyee|language=English|url-status=live|archive-url=https://archive.today/20200102110141/https://thetyee.ca/Mediacheck/2007/11/27/E-mailDropping/|archive-date=2020-01-02|access-date=2019-11-27}}</ref><ref>{{Cite web |last=Sutherland |first=Richard |date=17 November 2020 |title=Hushmail secure email review |url=https://www.techradar.com/reviews/hushmail-secure-email |access-date=2023-08-31 |website=TechRadar |language=en}}</ref> |
||
==History== |
==History== |
||
| ⚫ | |||
| ⚫ | |||
==Reception== |
|||
{{As of|2015|12|22|df=us}}, Hushmail has a score of 1 out of 7 points on the [[Electronic Frontier Foundation]]'s secure messaging scorecard. Hushmail has received a point for encryption during transit. It is missing points because communications are not encrypted with keys the provider doesn't have access to (i.e. the communications are not [[End-to-end encryption|end-to-end encrypted]]), users can't verify contacts' identities, past messages are not secure if the encryption keys are stolen (i.e. the service does not provide [[forward secrecy]]), the code is not open to independent review (i.e. the code is not [[Open-source software|open-source]]), the security design is not properly documented, and there has not been a recent independent security audit.<ref name="secure-messaging-scorecard">{{cite web |url=https://www.eff.org/secure-messaging-scorecard |publisher=[[Electronic Frontier Foundation]] |title=Secure Messaging Scorecard. Which apps and tools actually keep your messages safe? |date=4 November 2014 |accessdate=22 December 2015}}</ref><ref>{{cite web |url=http://www.pcmag.com/article2/0,2817,2471658,00.asp |work=[[PC Magazine]] |title=Only 6 Messaging Apps Are Truly Secure |date=5 November 2014 |accessdate=8 January 2015}}</ref> [[AOL Instant Messenger|AIM]], [[BlackBerry Messenger]], [[eBuddy|Ebuddy XMS]], [[Kik Messenger]], [[Skype]], [[Viber]], and [[Yahoo! Messenger|Yahoo Messenger]] also have a score of 1 out of 7 points.<ref name="secure-messaging-scorecard" /> |
|||
==Accounts== |
==Accounts== |
||
===Individuals=== |
===Individuals=== |
||
There is one type of paid account, Hushmail for Personal Use, which provides 10GB of storage, as well as [[Internet Message Access Protocol|IMAP]] and [[Post Office Protocol|POP3]] service.<ref>{{Cite web|url=https://www.hushmail.com/plans/personal/|title=Hushmail for Personal Use|website=www.hushmail.com|access-date=2024-08-29}}</ref> |
|||
A free e-mail account has a storage limit of 25MB, but does not include [[Internet Message Access Protocol|IMAP]] or [[Post Office Protocol]] (POP3) desktop service. If a user does not use a free account for three consecutive weeks, Hushmail deactivates the account. Customers attempting to reactivate a disabled account are required to pay for a Hushmail premium account. There are two types of paid accounts. The basic Premium paid account provides 1 GB of storage, without desktop service. The Premium+Desktop paid account provides 10GB of storage, as well as IMAP and POP3 service.<ref name="features">[http://www.hushmail.com/services/hushmail/features/ Hushmail – Features and Pricing]</ref> Free account registration is no longer available. |
|||
===Businesses=== |
===Businesses=== |
||
The standard business account provides the same features as the paid individual account, plus other features like vanity domain, email forwarding, catch-all email, user admin, archive, and Business Associate Agreements for healthcare plans. Features like secure forms and electronic signatures are available in specific plans.<ref>{{Cite web|url=https://www.hushmail.com/plans/healthcare-hipaa-compliant-email/|title=Hushmail for Healthcare|website=www.hushmail.com|access-date=2024-08-29}}</ref><ref>{{Cite web|url=https://www.hushmail.com/plans/small-business/|title=Hushmail for Small Business|website=www.hushmail.com|access-date=2024-08-29}}</ref><ref>{{Cite web|url=https://www.hushmail.com/plans/legal/|title=Hushmail for Law|website=www.hushmail.com|access-date=2024-08-29}}</ref> |
|||
| ⚫ | Additional security features include hidden [[IP address]]es in e-mail headers, [[two-step verification]]<ref name="Two-Step verification">{{Cite web |url=https://help.hushmail.com/entries/63282756-Two-step-verification |title=– Two-Step Verification |access-date=2014-06-11 |archive-date=2014-06-25 |archive-url=https://web.archive.org/web/20140625124114/https://help.hushmail.com/entries/63282756-Two-step-verification |url-status=dead }}</ref> and [[Health Insurance Portability and Accountability Act|HIPAA]]-compliant encryption.<ref>{{cite web |title=Hushmail for Healthcare - HIPAA Compliant Encrypted Email, Web Forms & E-Signatures |url=https://www.hushmail.com/plans/healthcare-hipaa-compliant-email/ |website=hushmail.com |access-date=21 July 2022}}</ref> |
||
The standard business account provides the same features as Premium+Desktop, plus other features like email forwarding, catch-all email and vanity domain. Optional features that can be added for an extra fee include: secure web forms, user admin, reset passphrase and email archiving.<ref name="Business features">[https://www.hushmail.com/services/business/features/all/ – Hushmail Business Features]</ref> |
|||
| ⚫ | Additional security features include hidden [[IP address]]es in e-mail headers, [[two-step verification]]<ref name="Two-Step verification"> |
||
===Instant messaging=== |
===Instant messaging=== |
||
An [[instant messaging]] service, Hush Messenger, was offered until July 1, 2011.<ref name="instantm"> |
An [[instant messaging]] service, Hush Messenger, was offered until July 1, 2011.<ref name="instantm">{{Cite web |url=https://help.hushmail.com/entries/20300582-hush-messenger-im-service-to-close-july-1-2011 |title=Hushmail closes IM service |access-date=2012-07-20 |archive-date=2013-10-27 |archive-url=https://web.archive.org/web/20131027154541/https://help.hushmail.com/entries/20300582-Hush-Messenger-IM-service-to-close-July-1-2011 |url-status=dead }}</ref> |
||
==Compromises to email privacy== |
==Compromises to email privacy== |
||
{{Further|E-mail privacy}} |
{{Further|E-mail privacy}} |
||
Hushmail received favorable reviews in the press.<ref> |
Hushmail received favorable reviews in the press.<ref>{{Cite web |url=https://www.pcmag.com/article2/0,1895,1136652,00.asp |title=Alternative Web Mail Review – Hushmail Premium, PC Magazine |access-date=2017-08-31 |archive-date=2009-04-14 |archive-url=https://web.archive.org/web/20090414204818/http://www.pcmag.com/article2/0,1895,1136652,00.asp |url-status=dead }}</ref><ref>[https://www.npr.org/templates/story/story.php?storyId=5227744 E-Mail Encryption Rare in Everyday Use: NPR]</ref> It was believed that possible threats, such as demands from the legal system to reveal the content of traffic through the system, were not imminent in Canada {{En dash}} unlike the United States {{En dash}} and that if data were to be handed over, encrypted messages would be available only in encrypted form. |
||
Developments in November 2007 led to doubts |
Developments in November 2007 led to doubts amongst security-conscious users about Hushmail's security {{En dash}} specifically, concern over a [[Backdoor (computing)|backdoor]]. The issue originated with the non-Java version of the Hush system. It performed the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the data to the user. The data is available as cleartext during this small window of time, with the passphrase being capturable at this point, facilitating the decryption of all stored messages and future messages using this passphrase. Hushmail stated that the [[Java (software platform)|Java]] version is also vulnerable, in that they may be compelled to deliver a compromised [[Java applet]] to a user.<ref name="wired2" /><ref name="wired3"/> |
||
Hushmail |
Hushmail supplied [[cleartext]] copies of private email messages associated with several addresses at the request of law enforcement agencies under a [[Mutual Legal Assistance Treaty]] with the United States:<ref name="wired2">[http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html Encrypted E-Mail Company Hushmail Spills to Feds |Threat Level via Wired.com]</ref> e.g. in the case of ''[[United States v. Stumbo]]''.<ref name="wired2" /><ref name="wired3">[http://blog.wired.com/27bstroke6/hushmail-privacy.html Hushmail Privacy via Wired.com] {{webarchive|url=https://web.archive.org/web/20071110164408/http://blog.wired.com/27bstroke6/hushmail-privacy.html |date=2007-11-10 }}</ref><ref>[http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf bakersfield.com] {{webarchive|url=https://web.archive.org/web/20080724042801/http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf |date=2008-07-24 }}</ref> In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were supplied to U.S. authorities. Hushmail privacy policy states that it logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services."<ref>{{cite web | url = http://www.hushmail.com/privacy/ | title = Hushmail.com Privacy Policy | archiveurl = https://web.archive.org/web/20010215021918/http://www.hushmail.com/privacy/ | archivedate = 2001-02-15 | work = Hushmail.com }}</ref> |
||
Hush Communications, the company that provides Hushmail, states that it will not release any user data without a court order from the [[Supreme Court of British Columbia]], Canada and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty.<ref name="wired3"/> Hushmail states, "...that means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy" and "[...]if a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the "attacker" could be Hush Communications, the actual service provider."<ref name="hushcom1">[http://www.hushmail.com/about-security Hushmail – Free Email with Privacy – About] {{webarchive|url=https://web.archive.org/web/20071122180245/http://www.hushmail.com/about-security |date=2007-11-22 }}</ref> |
|||
==2015 DDoS Attacks== |
|||
In late 2015, the Hushmail came under [[Denial-of-service attack|DDoS attack]]. In response, Hushmail deployed [[CloudFlare]]'s web traffic filtering technology. CloudFlare now negotiates [[Transport_Layer_Security|TLS]] connections with customers of Hushmail before passing validated traffic on to Hushmail servers. CloudFlare is an American company located in San Francisco, California. |
|||
==See also== |
==See also== |
||
{{Portal| |
{{Portal|Internet |
||
}} |
|||
* [[Comparison of mail servers]] |
|||
* [[Comparison of webmail providers]] |
* [[Comparison of webmail providers]] |
||
** [[Lavabit]] (discontinued) |
|||
** [[ProtonMail]] |
|||
** [[Tutanota]] |
|||
** [[Kolab Now]] |
|||
* [[Anonymous remailer]] |
|||
* [[Bitmessage]] |
|||
* [[GNU Privacy Guard]] |
|||
* [[Pseudonymous remailer]] |
|||
* [[Secure channel]] |
|||
* [[Silent Circle (software)|Silent Circle]] |
|||
* [[Thomas Andrews Drake]] |
|||
==References== |
==References== |
||
| Line 74: | Line 56: | ||
==External links== |
==External links== |
||
* |
* {{Official website}} |
||
[[Category:Cryptographic software]] |
[[Category:Cryptographic software]] |
||
[[Category:Webmail]] |
[[Category:Webmail]] |
||
[[Category:Internet privacy software]] |
[[Category:Internet privacy software]] |
||
[[Category: |
[[Category:OpenPGP]] |
||
[[Category:Internet properties established in 1999]] |
|||
Latest revision as of 17:36, 29 August 2024
Type of site | Webmail |
|---|---|
| Headquarters | Vancouver, British Columbia, Canada |
| Owner | Hush Communications Ltd |
| Created by | Cliff Baltzley |
| URL | Hushmail.com |
| Commercial | Yes |
| Registration | Required |
| Launched | 1999 |
| Current status | Online |
Content license | Proprietary |
Hushmail is an encrypted proprietary web-based email service offering PGP-encrypted e-mail and vanity domain service. Hushmail uses OpenPGP standards. If public encryption keys are available to both recipient and sender (either both are Hushmail users or have uploaded PGP keys to the Hush keyserver), Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password (with a password hint) and stored for pickup by the recipient, or the message can be sent in cleartext. In July 2016, the company launched an iOS app that offers end-to-end encryption and full integration with the webmail settings. The company is located in Vancouver, British Columbia, Canada.[1][2]
History
[edit]Hushmail was founded by Cliff Baltzley in 1999 after he left Ultimate Privacy.
Accounts
[edit]Individuals
[edit]There is one type of paid account, Hushmail for Personal Use, which provides 10GB of storage, as well as IMAP and POP3 service.[3]
Businesses
[edit]The standard business account provides the same features as the paid individual account, plus other features like vanity domain, email forwarding, catch-all email, user admin, archive, and Business Associate Agreements for healthcare plans. Features like secure forms and electronic signatures are available in specific plans.[4][5][6]
Additional security features include hidden IP addresses in e-mail headers, two-step verification[7] and HIPAA-compliant encryption.[8]
Instant messaging
[edit]An instant messaging service, Hush Messenger, was offered until July 1, 2011.[9]
Compromises to email privacy
[edit]Hushmail received favorable reviews in the press.[10][11] It was believed that possible threats, such as demands from the legal system to reveal the content of traffic through the system, were not imminent in Canada – unlike the United States – and that if data were to be handed over, encrypted messages would be available only in encrypted form.
Developments in November 2007 led to doubts amongst security-conscious users about Hushmail's security – specifically, concern over a backdoor. The issue originated with the non-Java version of the Hush system. It performed the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the data to the user. The data is available as cleartext during this small window of time, with the passphrase being capturable at this point, facilitating the decryption of all stored messages and future messages using this passphrase. Hushmail stated that the Java version is also vulnerable, in that they may be compelled to deliver a compromised Java applet to a user.[12][13]
Hushmail supplied cleartext copies of private email messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States:[12] e.g. in the case of United States v. Stumbo.[12][13][14] In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were supplied to U.S. authorities. Hushmail privacy policy states that it logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services."[15]
Hush Communications, the company that provides Hushmail, states that it will not release any user data without a court order from the Supreme Court of British Columbia, Canada and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty.[13] Hushmail states, "...that means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy" and "[...]if a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the "attacker" could be Hush Communications, the actual service provider."[16]
See also
[edit]
References
[edit]- ^ Geist, Michael (2007-11-27). "Private E-mail Not Hush Hush". The Tyee. Archived from the original on 2020-01-02. Retrieved 2019-11-27.
- ^ Sutherland, Richard (17 November 2020). "Hushmail secure email review". TechRadar. Retrieved 2023-08-31.
- ^ "Hushmail for Personal Use". www.hushmail.com. Retrieved 2024-08-29.
- ^ "Hushmail for Healthcare". www.hushmail.com. Retrieved 2024-08-29.
- ^ "Hushmail for Small Business". www.hushmail.com. Retrieved 2024-08-29.
- ^ "Hushmail for Law". www.hushmail.com. Retrieved 2024-08-29.
- ^ "– Two-Step Verification". Archived from the original on 2014-06-25. Retrieved 2014-06-11.
- ^ "Hushmail for Healthcare - HIPAA Compliant Encrypted Email, Web Forms & E-Signatures". hushmail.com. Retrieved 21 July 2022.
- ^ "Hushmail closes IM service". Archived from the original on 2013-10-27. Retrieved 2012-07-20.
- ^ "Alternative Web Mail Review – Hushmail Premium, PC Magazine". Archived from the original on 2009-04-14. Retrieved 2017-08-31.
- ^ E-Mail Encryption Rare in Everyday Use: NPR
- ^ a b c Encrypted E-Mail Company Hushmail Spills to Feds |Threat Level via Wired.com
- ^ a b c Hushmail Privacy via Wired.com Archived 2007-11-10 at the Wayback Machine
- ^ bakersfield.com Archived 2008-07-24 at the Wayback Machine
- ^ "Hushmail.com Privacy Policy". Hushmail.com. Archived from the original on 2001-02-15.
- ^ Hushmail – Free Email with Privacy – About Archived 2007-11-22 at the Wayback Machine
