- Hushmail
Infobox Website
name = Hushmail
caption = Hushmail Inbox
url = http://www.hush.com/, https://www.hushmail.com
type = Web-based email
registration = Yes
owner = Hush Communications Ltd
author = Cliff Baltzley

Hushmail is a web-based email service offering PGP-encrypted e-mail, file storage, vanity domain service, and instant messaging (Hush Messenger). Hushmail uses OpenPGP standards and the source is available for download. Additional security features include hidden IP addresses in e-mail headers. The free e-mail account has a limit of 2 MB, and no IMAP or POP3. Paid accounts have several hundred MB of storage as well as IMAP and POP3 access.

If public encryption keys are available to both recipient and sender (either both are Hushmail users or have uploaded PGP keys to the Hush keyserver), Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted with a password (with a password hint) and stored for pickup by the recipient, or the message can be sent in cleartext.

Hushmail was founded by Cliff Baltzley in 1999 after he left Ultimate Privacy, and is based in Vancouver. The servers are in Vancouver, and there are also offices in Dublin, Ireland; Delaware, United States; and Anguilla.

Controversy
Until September 2007, Hushmail received generally favorable reviews in the press. [http://www.pcmag.com/article2/0,1895,1136652,00.asp Alternative Web Mail - Hushmail Premium - Reviews by PC Magazine] [http://www.npr.org/templates/story/story.php?storyId=5227744 E-Mail Encryption Rare in Everyday Use : NPR] It was believed that possible threats, such as demands from the legal system to reveal the content of traffic through the system, were not as imminent in Canada as they are in the United States, and that if data were to be handed over, encrypted messages would only be available in encrypted form. However, recent developments have led to doubts among security-conscious users about Hushmail's security and concern over a backdoor in an OpenPGP service. Hushmail has turned over cleartext copies of private e-mail messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States. [http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html Encrypted E-Mail Company Hushmail Spills to Feds | Threat Level from Wired.com] One example of this behavior is in the case of U.S. v. Tyler Stumbo. [http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf] [http://blog.wired.com/27bstroke6/hushmail-privacy.html] In addition, the contents of emails between Hushmail addresses were analyzed, and a total of 12 CDs were turned over to US authorities. Hushmail now also states that it logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services." [http://www.hushmail.com/help-faqs2#trackipaddressesofvisitorsandholders Hushmail - Free Email with Privacy - Help]

Hush Communications, the company that provides Hushmail, states that it will not release any user data without a court order from the Supreme Court of British Columbia, Canada, and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty.

Hushmail states that "...That means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy." and additionally "...If a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the "attacker" could be Hush Communications, the actual service provider." [http://www.hushmail.com/about-security Hushmail - Free Email with Privacy - About]

The issue originally revolved around the use of the non-Java version of the Hush system. It performed the encryption and decryption steps on Hush's servers and then used SSL to transmit the data to the user. The data is available as cleartext during this small window; additionally, the passphrase can be captured at this point. This facilitates the decryption of all stored messages and future messages using this passphrase. Hushmail has stated that the Java version is also vulnerable, in that they may be compelled to deliver a compromised Java applet to a user. Hushmail recommends using non-web-based services such as GnuPG and PGP Desktop for those who need stronger security.

The privacy policy of Hushmail has been defended by privacy advocate and PGP creator Phil Zimmermann, who sits on the advisory board of Hush Communications. Zimmermann has stated, "Their hearts are in the right place but there are certain kinds of attacks that are beyond the scope of their abilities to thwart. They are not a sovereign state." [http://blog.wired.com/27bstroke6/2007/11/pgp-creator-def.html PGP Creator Defends Hushmail | Threat Level from Wired.com] Zimmermann suggests that "online encrypted email storage" cannot be expected to provide a defense against a legal process, because government can "compel a service provider to cooperate". This is in contrast to "using encryption software on one's own computer", which is presumably a reference to his original PGP program and equivalent software.
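
The compromised-applet risk described in the Controversy section can be checked from the user's side. The following is an added example, not Hushmail's code: it compares the client code a provider delivers against a SHA-256 digest pinned from a copy the user built from the published source, and flags the case where only some accounts receive different bytes. It assumes the build is byte-for-byte reproducible; the function names, vantage labels and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict


def sha256_hex(artifact: bytes) -> str:
    return hashlib.sha256(artifact).hexdigest()


def matches_pin(artifact: bytes, pinned_hex: str) -> bool:
    """True only if the delivered bytes hash to the digest pinned out of band."""
    return hmac.compare_digest(sha256_hex(artifact), pinned_hex.lower())


def audit_deliveries(deliveries: dict[str, bytes], pinned_hex: str) -> dict:
    """Group vantage points by the digest they were served and flag outliers.

    `deliveries` maps a vantage label (account, network) to the client code
    served there. If every vantage differs from the pin, the likely cause is
    a new release or a stale pin; if only some differ, one user is being
    treated differently from the rest.
    """
    pin = pinned_hex.lower()
    by_digest = defaultdict(list)
    for vantage, artifact in deliveries.items():
        by_digest[sha256_hex(artifact)].append(vantage)
    mismatched = sorted(
        v for digest, vantages in by_digest.items()
        if not hmac.compare_digest(digest, pin) for v in vantages
    )
    return {
        "distinct_builds": len(by_digest),
        "mismatched": mismatched,
        "targeted": bool(mismatched) and len(mismatched) < len(deliveries),
    }


# Constructed sample data: stand-ins for applet bytes, not real Hushmail files.
REFERENCE_BUILD = b"constructed-applet-bytes v1"
PIN = sha256_hex(REFERENCE_BUILD)
SAMPLE = {
    "account-a@home": REFERENCE_BUILD,
    "account-b@office": REFERENCE_BUILD,
    "account-c@home": b"constructed-applet-bytes v1 (altered)",
}

if __name__ == "__main__":
    print(audit_deliveries(SAMPLE, PIN))
```

A check like this only helps if it runs outside the code being checked and before the passphrase is typed; it does nothing for the non-Java mode, where decryption happens on the provider's servers.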
Related Pages
* GPG / PGP
* Anonymous remailer
* E-mail privacy
* Nym server
* Secure channel
* Cryptography

External links
* [http://www.hush.com/ Official site]
Wikimedia Foundation. 2010.