Jump to content

Hushmail: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
FAEP (talk | contribs)
Line 46: Line 46:
* [[Anonymous remailer]]
* [[Anonymous remailer]]
* [[GNU Privacy Guard]]
* [[GNU Privacy Guard]]
* [[Lavabit]]
* [[Pseudonymous remailer]]
* [[Pseudonymous remailer]]
* [[Secure channel]]
* [[Secure channel]]

Revision as of 13:39, 9 August 2013

Hushmail
Type of site
Web-based email
OwnerHush Communications Ltd
Created byCliff Baltzley
URLHushmail.com
RegistrationYes

Hushmail is a web-based email service offering PGP-encrypted e-mail, file storage, vanity domain service, and instant messaging (Hush Messenger was closed on July 1, 2011). Hushmail uses OpenPGP standards and the source is available for download. Additional security features include hidden IP addresses in e-mail headers. A free e-mail account has a storage limit of 25MB, and no IMAP or Post Office Protocol (POP3) service.[2]

If a user does not use a free account for three consecutive weeks, Hushmail deactivates the account. Customers attempting to reactivate a disabled account are required to pay for a Hushmail subscription. Paid accounts provide 1–10GB of storage, as well as IMAP and POP3 service.[2]

If public encryption keys are available to both recipient and sender (either both are Hushmail users or have uploaded PGP keys to the Hush keyserver), Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password (with a password hint) and stored for pickup by the recipient, or the message can be sent in cleartext.

Hushmail was founded by Cliff Baltzley in 1999 after leaving Ultimate Privacy, and is based in Vancouver. The servers are in Vancouver, and there are also offices in Dublin, Ireland; Delaware, United States; and Anguilla.

Compromises to email privacy

Until September 2007, Hushmail received generally favorable reviews in the press.[3][4] It was believed that possible threats, such as demands from the legal system to reveal the content of traffic through the system, were not as imminent in Canada as they are in the United States and if data were to be handed over encrypted messages would be available only in encrypted form.

However, developments in November 2007 led to doubts among security-conscious users about Hushmail's security and concern over a backdoor. Hushmail has turned over cleartext copies of private e-mail messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.[5]

An example of this behavior is in the case of U.S. v. Tyler Stumbo.[6][5][7] In addition, the contents of emails between Hushmail addresses were analyzed, and a total of 12 CDs were turned over to US authorities. Hushmail also now states that it also logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services."[8]

Hush Communications, the company that provides Hushmail, states that it will not release any user data without a court order from the Supreme Court of British Columbia, Canada, and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty.[7] Hushmail states that "...That means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy." and additionally "...If a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the "attacker" could be Hush Communications, the actual service provider."[9]

The issue originally revolved around the use of the non-Java version of the Hush system. It performed the encrypt and decrypt steps on Hush's servers and then used SSL to transmit the data to the user. The data is available as cleartext during this small window; additionally the passphrase can be captured at this point. This facilitates the decryption of all stored messages and future messages using this passphrase.

Hushmail has stated that the Java version is also vulnerable in that they may be compelled to deliver a compromised java applet to a user.[5][7]

Hushmail recommends using non web-based services such as GnuPG and PGP Desktop for those who need stronger security.[9]

See also

References

  1. ^ "Hushmail.com Site Info". Alexa Internet. Retrieved 2013-04-22.
  2. ^ a b Hushmail – Features and Pricing
  3. ^ Alternative Web Mail – Hushmail Premium – Reviews by PC Magazine
  4. ^ E-Mail Encryption Rare in Everyday Use : NPR
  5. ^ a b c Encrypted E-Mail Company Hushmail Spills to Feds | Threat Level from Wired.com
  6. ^ Static.bakersfield.com
  7. ^ a b c Blog.wired.com
  8. ^ Hushmail Privacy Policy
  9. ^ a b Hushmail – Free Email with Privacy – About