Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is Hushmail Still Safe?

Posted by Soulskill on from the possibly-good-protection dept.

Ringo Kamens writes to ask if the use of Hushmail can still be considered a secure method of communication: "For a long time, Hushmail was considered a very secure email provider until an affidavit (PDF) from a DEA agent in 2007 showed that they had handed over 12 CDs of possibly decrypted data to law enforcement. Now, Cryptome has posted that the Hushmail encryption program is no longer the same program for which Hushmail releases their source. Is Hushmail even safe to use anymore?"

3 of 264 comments (clear)

  1. The file is obfuscated by tkinnun0 · · Score: 5, Informative
    The jar-file is obfuscated, bringing its size down to 270KB from 485KB. The source code archive contains a file verification.txt with this text:

    For those who wish to verify that the class files downloaded when accessing
    Hushmail are genuine, they can be compared against class files compiled from
    source using the following tools.

    Sun JDK 1.5.0_05 for Windows
    Microsoft Java SDK 4.0
    Proguard 3.5 (http://proguard.sourceforge.net)

    Usage of these tools can be determined from the included Makefile and
    proguard.conf. Note that the signing steps in the Makefile cannot be
    accomplished, and so the class files must be compared individually. You cannot
    compare the entire archive.

    The Bouncy Castle Lightweight API Version 1.31
    can be downloaded here:

    http://www.bouncycastle.org/download/lcrypto-jdk11-131.tar.gz

    The archives used by Hushmail are located here:

    https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    https://mailserver1.hushmail.com/shared/HushEncryptionEngine.jar

    Please ensure that you are comparing the same versions. Sometimes the release
    of source code may lag a few days behind the update of Hushmail.

    Questions can be directed here: https://www.hushmail.com/contact

    I haven't done this verification, but neither has the cryptome author, so I suspect this is a non-story.

  2. Re:this has been the case all along by legirons · · Score: 5, Informative

    If you're encrypting email yourself then hushmail is just unnecessary. Use fireGPG with gmail and you've already got better privacy than hushmail (i.e. no need to trust their java applications)

    plus you get the entertainment of watching google struggle to choose adverts for your "----BEGIN PGP MESSAGE----" email

  3. Re:this has been the case all along by lord_sarpedon · · Score: 5, Informative

    Not if you use https://mail.google.com/ as your login page. Handy trick, but it should be the default.

    --
    "Strangers have the best candy" -Me