Create an Account
username: password:
 
  MemeStreams Logo

MemeStreams Discussion
search
Home Agent Weblogs Social Network Post Help About


This page contains all of the posts and discussion on MemeStreams referencing the following web page: Hushmail Spills it to Feds. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Hushmail Spills it to Feds
by Acidus at 9:26 am EST, Nov 8, 2007

A September court document from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.

... uhhhhh... ... Must go now. [begins shredding]

Hushmail uses industry-standard cryptographic and encryption protocols (OpenPGP and AES 256) to scramble the contents of messages stored on their servers. They also host the public key needed for other people using encrypted email services to send secure messages to a Hushmail account.

The first time a Hushmail user logs on, his browser downloads a Java applet that takes care of the decryption and encryption of messages on his computer, after the user types in the right passphrase. So messages reach Hushmail's server already encrypted. The Java code also decrypts the message on the recipient's computer, so an unencrypted copy never crosses the internet or hits Hushmails servers.

In this scenario, if a law enforcement agency demands all the e-mails sent to or from an account, Hushmail can only turn over the scrambled messages since it has no way of reversing the encryption.

However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via a SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages.

Link - Reply

  
 
Powered By Industrial Memetics