Hushmail Passing PGP Keys to the US Government
teknopurge writes "Apparently Hushmail has been providing information to law enforcement behind the backs of their clients. Billed as secure email because of their use of PGP, Hushmail has been turning over private keys of users to the authorities on request. 'DEA agents received three CDs which contained decrypted emails for the targets of the investigation that had been decrypted as part of a mutual legal assistance treaty between the United States and Canada. The news will be embarrassing to the company, which has made much of its ability to ensure that emails are not read by the authorities, including the FBI's Carnivore email monitoring software.'"
I really hope that they go out of business for this. I mean they extremely deserve it. I know that they probably didn't have much of a choice to hand over the keys, but to continue advertising such security... That's not cricket.
I guess this is a brief lesson in why one should never fully trust the encryption of your private materials to a third party.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
There are several facts missing from the article:
1) Was there a court order? Or Canadian equivalent?
2) Did Hushmail lie? They obviously committed willful deception, but did they outright lie?
3) Did Hushmail violate its TOS?
4) Did Hushmail do anything illegal?
Of course, what the article did mention is important, especially to Hushmail and potential Hushmail users. However, it would have been nice if they had dug a little bit to answer these obvious questions.
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
This is only possible because users want the convenience of letting the Hushmail servers do the encryption on their behalf. To do this they have to hand over their encryption key, and once it's out of your control, so should be any expectation of privacy.
I'm not sure what users expect. If a legitimate legal request that is clearly going to stand up to any legal challenge comes in and you give the company the ability to decrypt the messages you send, the company has no option but to comply.
If Hushmail users want privacy they need to put up with the inconvenience of using an applet to sign their messages, and should be checking the hash of the applet each time it is downloaded too so they can ensure it hasn't had a backdoor added. Ideally the applet shouldn't send anything over the network; it should just encrypt the text and pass the PGP-encrypted text content to the browser compose window. Then the user can check the data doesn't include anything they didn't put there themselves.
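The hash check recommended in the comment above, sketched as an added example that is not part of the original comment or Hushmail's code: a trust-on-first-use pin for a downloaded applet. The file name `applet.jar`, the pin file and the applet bytes are constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_applet(name: str, data: bytes, pin_file: Path) -> str:
    """Compare a downloaded applet against the digest pinned on first use.

    Returns 'pinned' the first time a name is seen, 'match' when the bytes
    are unchanged, and 'MISMATCH' when they differ from the pin.
    """
    pins = json.loads(pin_file.read_text()) if pin_file.exists() else {}
    digest = sha256_hex(data)
    known = pins.get(name)
    if known is None:
        # First download: nothing to compare against, so this copy is
        # trusted as-is. A pin only detects later changes.
        pins[name] = digest
        pin_file.write_text(json.dumps(pins, indent=2))
        return "pinned"
    if hmac.compare_digest(known, digest):
        return "match"
    # Never overwrite the pin automatically: a legitimate update and a
    # backdoored build look the same here and need out-of-band checking.
    return "MISMATCH"


def demo() -> list:
    original = b"PK\x03\x04 constructed applet build A"    # constructed sample
    modified = original + b" extra code path"              # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        pin_file = Path(tmp) / "applet_pins.json"
        return [
            check_applet("applet.jar", original, pin_file),  # first use
            check_applet("applet.jar", original, pin_file),  # same bytes
            check_applet("applet.jar", modified, pin_file),  # changed bytes
            check_applet("applet.jar", original, pin_file),  # pin untouched
        ]


if __name__ == "__main__":
    print(demo())
```

The check only helps if the passphrase is withheld whenever the result is a mismatch, and it says nothing about whether the first pinned copy was clean.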
kind of defeats the purpose, I'd say.
Hushmail has 2 options: client-side encryption, which is done via a Java plug-in, and server-side encryption.
They only had the keys to give away for those people who chose server-side encryption. They don't have the private keys for those who chose client side.
Also, when you choose your method, Hushmail tells you that server side is much less secure. They and anybody else operating in the US would have to turn over the private keys they held with a court order.
What's the lesson? Keep your private keys private. Duh.
These comments are misguided.
The crypto is fine. It's just been applied in an obviously flawed manner. Of course if some third party obtains your private key, you should assume that your communications are no longer secure. What part of that is hard to understand?
The way asymmetric crypto is supposed to work, you generate the key pair yourself. Then you give out the public key. You never ever give out the private key.
As an exercise, think about the following scenario. You go to a website which purports to offer some kind of secure service based on asymmetric crypto, using for example PGP keys or X.509 certificates. The site asks you to supply a bunch of identity information. It then generates a key pair for you.
What part of this scenario should you trust? The answer: no part! It's not the function of another party to generate your key pair for you. You must do this yourself. You must closely guard the private key, store it securely, never give it out, and avoid transmitting it in cleartext. Got that? Then your problems are over.
Parity: What to do when the weekend comes.
That may all be well and good, but the fact of the matter is that the design of Hushmail is flawed.
You never give your private key away to anyone ever. Period. Giving Hushmail a weakly encrypted private key is fishy to start with, but then entering the passphrase to decrypt it in a Hushmail controlled applet is just stupid.
And it's completely unnecessary because there are very good encryption utilities in existence and it's very trivial to set up a system that is a thousand times more secure than Hushmail. How about Debian + KMail + GnuPG? You don't trust Debian enough, because it's a binary distro and who knows what they secretly put in there? Use Gentoo.
Perhaps the tinfoil hat crowd will say things like "but there might be a backdoor in your hardware", but Hushmail wouldn't save you from that. And let's be honest here: no one really believes that anyway.
You may have thought yourself very witty when writing that penultimate paragraph, but the fact of the matter is that in today's world you can actually be as good as sure.
The difference, I would think, is fairly obvious to most people. GMail and Yahoo don't give you a promise of "unbreakable encryption for your emails" that even the government can't break. There's no question that Google will share your information when properly asked to do so by law enforcement. It's in their Terms of Service. You know what to expect and you use your GMail or Yahoo accordingly.
On the same token, while I am appalled at HushMail's actions, it's for a different reason than most here I suspect. I don't have a problem with HushMail sharing information about customers engaging in illegal behavior with the authorities. Those people don't deserve their activities to be protected - they're illegal. But I DO have a problem with HushMail not disclosing that they're doing it right up front. Now, I've not fully read their ToS so maybe they do but their statements on the website would lead you to believe they aren't.
Really though, why would anyone use a PUBLIC service to conduct illicit activities? Setting up a private mail system complete with encryption is trivial and MUCH more secure.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
I just can't imagine sticking my PGP key and passphrase anywhere near my web browser. Sure, I use NoScript and all that jazz, but browsers are some of the most insecure programs in existence. Encryption keys are supposed to be kept as secure as possible; it strikes me as insane to let them touch the swiss-cheesiest app on the machine.
Laws do not persuade just because they threaten. --Seneca
(Of course, if you use a single dictionary word or only a handful of ASCII characters, then the brute forcing is trivial, but that's a PEBKAC problem, not a cryptographic one.)
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."