Is Hushmail Still Safe?
Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication:
"For a long time, Hushmail was considered a very secure email provider until an affidavit (PDF) from a DEA agent in 2007 showed that they had handed over 12 CDs of possibly decrypted data to law enforcement. Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?"
Generally yes, but Hushmail offered two methods of encrypting emails: on their servers and in a Java applet that did it locally. What came out during the earlier revelations was that the company handed over email that they decrypted on their servers, but couldn't do so for the applet-based encryption. They said up front that the applet was far more secure.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
you're probably better off encrypting your emails yourself instead of allowing a third party to convince you that they have encrypted it.
RTFAs much? Hushmail provides you with an optional, open app to encrypt things before they leave your computer. But now it seems that (based on differing hashes) the code used 'in the field' is not the same as the reference source code they show on their site.
I'd be inclined, given Hushmail's excellent track record on openness, to believe that this is more an oversight, i.e. something not updated, than a turn to the dark side.
"Be light, stinging, insolent and melancholy"
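The hash-mismatch question above is the kind of check worth reproducing rather than taking on faith, and the "oversight" explanation is testable: two JARs built from identical sources usually have different file hashes, because the ZIP container stores timestamps and entry order, so the comparison that matters is entry by entry. The Python below is an added example, not Hushmail's code and not the Cryptome check; the archive entry names and contents are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an applet JAR built from the published source.
# Entry names and bytes are hypothetical, not taken from any real applet.
REFERENCE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "applet/Crypto.class": b"\xca\xfe\xba\xbe" + b"\x00" * 60,
    "applet/Ui.class": b"\xca\xfe\xba\xbe" + b"\x01" * 40,
}


def build_jar(entries, date_time):
    """Build a JAR (a ZIP file) in memory with every entry stamped date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def file_digest(blob):
    """SHA-256 of the archive bytes: what a 'differing hashes' report compares."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob):
    """SHA-256 over (name, length, bytes) of each entry in sorted order.
    Ignores timestamps, entry order and compression settings, so it is
    stable across rebuilds of the same source."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            h.update(name.encode("utf-8") + b"\x00")
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def diff_entries(reference, deployed):
    """Names whose bytes differ, or that exist in only one of the archives."""
    with zipfile.ZipFile(io.BytesIO(reference)) as a, \
            zipfile.ZipFile(io.BytesIO(deployed)) as b:
        names_a, names_b = set(a.namelist()), set(b.namelist())
        changed = []
        for name in sorted(names_a | names_b):
            da = a.read(name) if name in names_a else None
            db = b.read(name) if name in names_b else None
            if da != db:
                changed.append(name)
        return changed


def classify(reference, deployed):
    """'identical' (same bytes), 'repackaged_same_content' (same entries,
    different container metadata) or 'content_differs' (code was changed)."""
    if file_digest(reference) == file_digest(deployed):
        return "identical"
    if content_digest(reference) == content_digest(deployed):
        return "repackaged_same_content"
    return "content_differs"


if __name__ == "__main__":
    reference = build_jar(REFERENCE_ENTRIES, (2008, 1, 1, 0, 0, 0))
    rebuilt = build_jar(REFERENCE_ENTRIES, (2008, 6, 15, 12, 30, 0))
    tampered_entries = dict(REFERENCE_ENTRIES)
    tampered_entries["applet/Crypto.class"] += b"\xff"
    tampered = build_jar(tampered_entries, (2008, 1, 1, 0, 0, 0))
    print("rebuilt:", classify(reference, rebuilt), diff_entries(reference, rebuilt))
    print("tampered:", classify(reference, tampered), diff_entries(reference, tampered))
```

In practice you would run content_digest on the applet the browser actually received (saved from its cache) and on a build of the published source. Matching content digests with differing file hashes supports the stale-packaging explanation; if the content differs, diff_entries names the classes to decompile. The check covers only the JAR itself and says nothing about which code path the web page loads.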
It appears that this was reported back in 2007 on The Register.
There is indeed a clause in the clarified terms of service mentioned by the above article that states that your data is not safe from law enforcement authorities holding a court order from the Supreme Court of British Columbia, Canada:
We are committed to the privacy of our users, and will absolutely not release user data without a court order from the Supreme Court of British Columbia, Canada, which is the jurisdiction where our servers are located. In addition, we require that any such court order refer specifically by email address to any account for which data is required. However, if we do receive such a court order, we are required to do everything in our power to comply with the law. Hushmail will not accept a court order issued by any authority or investigative agency other than the Supreme Court of British Columbia, Canada. Other authorities must apply to the Canadian government through an appropriate Mutual Legal Assistance Treaty and request that a court order be issued by the Supreme Court of British Columbia, Canada.
We'll make great pets
I haven't done this verification, but neither has the cryptome author, so I suspect this is a non-story.
The whole point of Hushmail's program is that you do it on a computer which you trust. They also offer a version where you send stuff to their servers in plaintext and then they encrypt it for you, which is harder to trust.
The problem here is that the program doing the encrypting on your computer, which comes from Hushmail, is not the same program that they provide the (trustable) source code for.
If you want encryption guaranteed against major governments you have to go with a one time pad. Even then you've got to worry about Van Eck Phreaking or FPGA eavesdropping.
In general it's a bad idea to be confident in your encryption - if the Germans hadn't been so confident in Enigma they might have done much better militarily.
Any provider like this can ultimately be compelled to cooperate with security services and you've therefore got to assume they are working with major governments to compromise your communications. Common sense really.
That said, something like Mixmaster is a good place to start. Makes it very difficult to be located by any legal process although (of course) it won't help if the NSA takes an interest.
Hushmail? Compromised almost as soon as it was set up I'd wager.
While I do believe that many commercial RSA-based encryption algorithms have back doors or are easily breakable, the sheer simplicity of Blowfish leads me to believe otherwise. Sixteen rounds through S-boxes of your own choosing is nigh unto impossible to crack even with a dedicated supercomputer for top-secret 'research' (like Roadrunner).
While I did not write the source code that I use, I have inspected every last character with full understanding of what it's supposed to do, and I didn't need a PhD from MIT to understand the algorithm.
Oh, and for the trolls out there, Twofish is supposedly better. It changes keys faster, but I see this as a weakness being that the only known cryptanalysis of *fish is brute force with a few minor optimizations if they know your S-boxes or part of your plaintext.
>3des is not vulnerable but computer power has
>passed the point on which an individual could
>mount an actual attack.
I believe that would likely be DES you're referring to, not 3DES.
Whether the NSA can attack 3DES or not is an entirely different matter. But an individual? Not yet. 3DES is about 112 bits of key if you account for meet-in-the-middle.
DES is ~56 bits and can be cracked in hours with special purpose hardware.
n Hours * 2^(112-56) = 72057594037927936n hours.
So... I think it's out of reach for an individual at the moment. Even if we could break DES in minutes...
I touch computers in naughty places
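The "112 bits if you account for meet-in-the-middle" figure above comes from a generic attack on any double (or triple) encryption built from a k-bit-key cipher: encrypt the plaintext under every first key, decrypt the ciphertext under every second key, and look for a collision in the middle, so the cost is about 2^(k+1) cipher operations plus 2^k memory rather than 2^(2k). The Python below is an added example, not code from the page: it runs the attack on a toy 16-bit Feistel cipher with 8-bit keys (constructed here, not DES), and the scale_attack_time helper simply restates the commenter's arithmetic.

```python
import random

# Toy 16-bit Feistel cipher with an 8-bit key: constructed for this example,
# deliberately tiny so the whole key space can be enumerated in milliseconds.
SBOX = list(range(256))
random.Random(2008).shuffle(SBOX)      # fixed public S-box (seeded, so reproducible)
ROUNDS = 4


def _round_key(key, r):
    return (key + 0x3B * r) & 0xFF


def toy_encrypt(block, key):
    l, r = (block >> 8) & 0xFF, block & 0xFF
    for i in range(ROUNDS):
        l, r = r, l ^ SBOX[(r + _round_key(key, i)) & 0xFF]
    return (l << 8) | r


def toy_decrypt(block, key):
    l, r = (block >> 8) & 0xFF, block & 0xFF
    for i in reversed(range(ROUNDS)):
        l, r = r ^ SBOX[(l + _round_key(key, i)) & 0xFF], l
    return (l << 8) | r


def double_encrypt(block, k1, k2):
    """E_k2(E_k1(block)): the two-key double encryption the attack targets."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Table the forward half under every k1 on the first pair, then walk every
    k2 backwards and look for a collision.  Because the block is only 16 bits
    and there are 2^16 key pairs, the first pair alone leaves roughly 2^8
    false matches; the remaining pairs filter those out.
    """
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(256):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    survivors = []
    for k2 in range(256):
        middle = toy_decrypt(c0, k2)
        for k1 in forward.get(middle, []):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors


def work_factor(key_bits):
    """Operations for naive search vs. meet-in-the-middle on double encryption."""
    return {"naive": 2 ** (2 * key_bits),
            "mitm_ops": 2 ** (key_bits + 1),
            "mitm_memory_entries": 2 ** key_bits}


def scale_attack_time(hours_for_des, effective_bits=112, des_bits=56):
    """The commenter's estimate: n hours for DES scaled by 2^(112-56) for 3DES."""
    return hours_for_des * 2 ** (effective_bits - des_bits)


if __name__ == "__main__":
    k1, k2 = 0x3C, 0xA5
    pairs = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF, 0x0001)]
    print("recovered:", meet_in_the_middle(pairs))
    print("8-bit toy:", work_factor(8))
    print("3DES estimate (hours):", scale_attack_time(1))
```

The same structure is why two-key 3DES is credited with roughly 112 bits rather than the 168 a three-key count suggests, and why the memory side of the attack (a table with 2^k entries) is the part that keeps it theoretical for real key sizes.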
Apple has PGP keys that you can use for submitting encrypted email to them; they tell you to use it for sending in proof of security issues. While they don't include the functionality in Mail, there's always MacGPG (command-line tools, plus a nice Aqua-fied port) and the GPGMail plugin.
Why Apple and Mozilla make no official inclusion, I have no idea. Probably due to licensing, no doubt. (It goes without saying that Microsoft doesn't include it because they're Microsoft.)
GPG is open source, GPL licenced and patent free, so really there is no excuse for not including it.
Even GPG doesn't solve the recipient-in-plain-text problem. It's the same with SSL: the content is encrypted, but your ISP can still see the address of the site you are visiting.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Point 1:
No-one changed anything in GnuPG. Valgrind issued warnings regarding OpenSSL which resulted in some unfortunate changes in one distro of one OS.
GnuPG and OpenSSL are entirely discrete projects, please don't confuse people with supposition and half-truths.
Point 2:
Neither you nor I can write a robust encryption algorithm. On the contrary, Rijndael and Twofish have been published in the wild now for eight years and no-one has demonstrated a weakness. If the former is acceptable as AES for US Government crypto then it is secure enough for the rest of us. Even if we assume that the NSA is 20 years ahead of the field in mathematics, if you're not dealing with the NSA then you've got 20 years lead time before Company-X can crack your files.
Some other freeware encryption that still uses a published algorithm?
If this made any difference, the algorithm would suck anyway.
If you're encrypting email yourself then Hushmail is just unnecessary. Use FireGPG with Gmail and you've already got better privacy than Hushmail (i.e. no need to trust their Java applications)
plus you get the entertainment of watching google struggle to choose adverts for your "----BEGIN PGP MESSAGE----" email
> with SSL, the content is encrypted but your ISP can still see the address of the site you are visiting.
Well, they can see the server/domain name, although not the URL surely (the URL being sent inside HTTP, which is encrypted...)
Every bit of information that travels across the internet is recorded and logged somewhere, whether it be with the ISP, in a data-warehouse like those that AT&T maintains, or even administrations like the NSA themselves.
So long as the means of encryption (including the public keys) have been transferred over the internet, you are susceptible to a man-in-the-middle attack.
The only way to have truly secure and encrypted communications is if all keys involved, including public keys, were swapped privately (without the internet, such as with a disk).
Encryption does well to protect you from identity theft, some hacking, and minor illegalities such as piracy, but if you really need it to protect yourself from the State, it is worse than worthless against an ISP or government (because not only can they decrypt it, but they know that something is up) unless all keys were traded privately, person to person.
It's also NOT necessarily true that for every brilliant person in the government, there's another who works elsewhere, at least specifically on cryptography. In particular, the NSA is one of the largest employers of mathematicians on earth. Most other employers who hire mathematicians have other jobs for them to do, so most of their time is occupied with other problems. By contrast, the NSA can (apparently) afford to hire quite a few who are allowed to concentrate entirely on cryptology.
Given the secrecy of the NSA in general, it's essentially impossible to come up with numbers that are either exact or concrete, but it certainly seems possible and reasonable that government agencies (in general) could have considerably more time and effort to devote to this subject than the entire rest of the world.
My feeling, however, is that the gap has been narrowing for quite a while now. From the design of DES, it appears that the NSA was aware of differential cryptanalysis (but not linear cryptanalysis) at that time; it became publicly known quite a bit later. As for AES, however, the rest of the world has caught up to the point that AES can be used on DOD Secret data, and the variants with 192- and 256-bit keys are certified for DOD Top Secret data.
The universe is a figment of its own imagination.
Not really. If you even glanced at the size of the integer involved you'd quickly see the answer is "too large." This isn't even in the range of "throw more hardware at it."
Which I think, was my point. :)
Brute forcing 3DES is not effective at this point in time.
Unless you're talking about DES, in which case you can get your own little box to do it for under 10,000 and it's entirely trivial.
Neither DES nor 3DES is at a point where the problem of brute forcing them is interesting at the present time. DES because it's too easy and 3DES because it's too hard.
Anyways... :)
I touch computers in naughty places
Except for the fact that every character you type into the gmail compose field gets sent over the network in clear text, as does your session key. Google does it so they can provide on the fly features like spellcheck and suggestions etc, but it is a huge risk.
http://news.cnet.com/8301-10784_3-9755575-7.html
And since when did MTAs start using HTTP?
"Read: "I'm a pedophile.""
It's up to you to provide enough indications so a judge will sign an order to go after my PC. Till then, please remember you are very near a criminal offense calling someone a "pedophile" without proof.
You would think so, but check again.
It will post your password to an HTTPS action, but then it reverts back to clear text. Also try firing up wireshark sometime and notice that every single keypress (last time I checked) in the compose mail field sends out an xmlhttprequest. Web 2.0 is awesome.
There is a Firefox plugin http://www.customizegoogle.com/ that will force HTTPS if you want, but even if you type https into the bar, Gmail will attempt to downgrade your session back to HTTP.
Not if you use https://mail.google.com/ as your login page. Handy trick, but it should be the default.
"Strangers have the best candy" -Me
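The two failure modes described in this sub-thread, a login over HTTPS whose session cookie is then replayed over plain HTTP, and a site that sends an https:// request back to http://, are both visible in the response headers. The Python below is an added example, not Gmail's behaviour and not any tool mentioned here: it audits a constructed set of response headers for a cookie missing the Secure flag, a downgrade redirect, and the absence of the later Strict-Transport-Security header, which is what makes "force HTTPS" the server's decision rather than a browser plugin's.

```python
from urllib.parse import urlsplit

# Constructed response headers for a hypothetical webmail host; not a capture.
SAMPLE_HEADERS = [
    ("Set-Cookie", "SID=abc123; Path=/; Domain=.webmail.example; HttpOnly"),
    ("Set-Cookie", "PREF=lang=en; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT"),
    ("Location", "http://webmail.example/mail/"),
    ("Content-Type", "text/html"),
]


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, {attribute: value}) with attribute
    names lower-cased; flag attributes such as Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_response(request_url, status, headers):
    """Return a list of findings for one HTTP response.

    Only the checks that matter for 'is my session exposed in the clear':
    a cookie set over https without Secure (the browser will also send it over
    http), a cookie without HttpOnly, a 3xx that downgrades https to http, and
    an https response without Strict-Transport-Security.
    """
    findings = []
    over_https = urlsplit(request_url).scheme == "https"
    lowered = [(k.lower(), v) for k, v in headers]
    for key, value in lowered:
        if key == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if over_https and "secure" not in attrs:
                findings.append(f"cookie {name} set over https without Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {name} without HttpOnly")
        elif key == "location" and 300 <= status < 400:
            if over_https and urlsplit(value).scheme == "http":
                findings.append(f"redirect downgrades https to http: {value}")
    if over_https and not any(k == "strict-transport-security" for k, _ in lowered):
        findings.append("https response without Strict-Transport-Security")
    return findings


if __name__ == "__main__":
    for finding in audit_response("https://webmail.example/login", 302, SAMPLE_HEADERS):
        print("-", finding)
```

Feed it the headers captured from a real login response (a browser's network panel or a proxy gives them in this key/value form) and an empty result is the state the "handy trick" of typing https:// by hand was trying to approximate.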
I introduce people to KeePass Password Safe and teach them how to use it to store and generate passwords. It can auto-fill in passwords, stores them in an AES encrypted database, can store attachments (say, your GPG private key,) and supports keyfiles. It's small enough to fit on a USB key, and open source. It has autotype, and that checks the URL. This reduces the risk of typing your password into a phishing site. Because of this program, almost all my passwords are >20 characters of random junk, and I don't know any of them.
Not a sentence!
This only applies to the web based client.
If you use Thunderbird or any other mail client then the account+domain.tld is in the mail headers as the From: instead of the pseudonym address, because you can't log in to the servers with a client unless you use account+hushdomain.tld, in which case it IS your From address regardless of whether that's what you want or not. They use Postfix and Cyrus just like I do, but I believe because they are using virtual domains you HAVE to specify your full login account information. So your last point ONLY applies if using the web front end and not a client. THIS REALLY SUCKS!
So what do you do if you're NOT interested in paying for business-class internet connectivity to allow inbound and outbound mail ports for HOME use, because you're NOT running a home business, without exceeding the cost you're currently paying for Hush's service?
As of just over a week ago, Gmail has a built-in option for forcing HTTPS. See the official blog entry regarding it.
To enable this, you can do this:
Really?
Yes.
Seriously?
Yes.
Really think you're all that l33t using published crypto?
No, I consider it to be just a regular part of my day.
Zenlike ignorance. Must be a fucking rush.
No.
As another poster skillfully pointed out, unless you write your own encryption and know your OWN code, open/published standards should be considered compromised, especially when talking about our Government (or any other one for that matter).
Heh. If you write your own encryption, there is a huge possibility that you're pretty *dumb*. Unless you open it so that others, not just your friends, can verify what you've just done. You don't necessarily need to open it to the general public, but you need to open it for review by a bunch of equally good or better cryptanalysts.
Open/published standards should by no means be considered compromised. Encryption methods NOT opened, which are UNPUBLISHED should be considered compromised. It's a pretty old adage these days that the encryption methods should be open - and the key information should be secret.
And why on earth do you think that your government is so much smarter than non-government types? It's not like they're superhumans.
Good old-fashioned pen and paper secured by cold steel and lead seemed to secure many a secret for far longer than we've been clicking "encrypt and send"
Encrypting the data you store away in your cold steel and lead cabinet (or on your own harddrive) would obviously be even more secure.
"Rune Kristian Viken" - http://www.nwo.no - arca
No, this is not what they did. If they had changed their applet in order to achieve this, myself and lots of other regular hushmail users would have noticed when we were prompted to approve a new version to execute in our browsers.
What they did do was introduce a javascript-only version which sends the keys to their servers, and make it an insecure-by-default choice. Anyone not paying attention could have easily uploaded their keys.