Secure, Web-based E-mail
Cal Godot writes "I've come across this interesting company, HUSHMAIL.COM, that provides secure, encrypted, web-based email. They're pretty new, still working out a few kinks, and want people to take a look. (Bug reports should be sent to bugs@hushmail.com, by the way.) The URL is
https://www.hushmail.com
The whole thing works via a Java applet, and requires the latest-greatest web browsers. Source code is also available. It's all built around public/private key encryption, using a 1024-bit Diffie-Hellman scheme."
Oh my, yes! Go here for lots of up-to-the-minute stats:
http://anon.efga.org/~rlist/
(As an aside, it really irritates me when people think remailers don't exist anymore because anon.penet.fi went away a long time ago.)
The exploits in all the other web based email systems (particularly hotmail, although I suspect they are just targeted because they are big) have been based on browser bugs, and Javascript deficiencies. What's to say that something running as Java won't suffer from similar problems? I know there's the sandbox there, but will that be enough (i.e. there might be bugs in their server configuration or any other possible point of entry)? And do enough people care?
For me, I don't care about the security of my email, just that I can get it 24/7 and quickly (which is why I dumped hotmail for joymail). I honestly don't think that many people will care enough to use Java for their email. Especially not considering how slow it is. Still, I might just create an account, just for a laugh...
Matt.
perl -e 'print scalar reverse q(\)-: ,hacker Perl another Just)'
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I tried to set up an account just to see what they're all about. For a company that is so interested in the users' privacy, they sure ask you a lot of personal questions. For example, why would they need to know people's income?
BTW, what are the chances of /. running an email redirecting service? I wouldn't mind paying 50 bucks or so to support /. while getting an "@slashdot.org" address. :)
Some people here posted about not trusting the Java app to be secure. Apparently, they've already thought of that. They seem to "get it" as far as security. Here's an excerpt from the FAQ page:
How can it be proved that the HushMail system is actually secure?
Simply put, the most important aspect of any computer security system is the ability for lots of people to test it as well as possible. The Java Source Code of HushMail is available to everyone, free. Security experts worldwide have the unrestricted ability to try and find any security holes. We are completely open to this form of peer review, as we believe this makes for the strongest systems available today. Our source code is open to you. Please view it at your leisure. It can be found at http://www.cypherpunks.ai/~hush/hush-src.102.zip. In addition, a description of the functionality of the system is available here.
I have at least one reason I would use something like this: If I want an anonymous account that can't be traced back to me in case I don't want my job or people I know knowing it's me. This is an easy way of doing it without needing an anonymous remailer.
Not everyone has a local system to install PGP onto.
Who's this for? The same crowd that uses Yahoo mail, hotmail, etc. Joke all you want, but there are legitimate uses. Notably, for people who can't afford to own a computer and must do all online activity through browsers at libraries, schools, cafes, etc. You'd be surprised how many homeless people have an active online presence.
Granted, they'll never be secure as long as they trust this third party to handle their encryption. But it's a couple steps better than unencrypted Web-based email.
I'm really glad this is happening. With luck, all the other Web-based email services will add encryption too, at least in the mail that gets sent out. The sooner we have a critical mass of the email world using encryption, the sooner it will be considered standard.
Here's an excerpt from their WHOIS db entry:
Domain Name: HUSHMAIL.COM
Administrative Contact:
Hush Communications, Admin acct. (HC507-ORG) hushadmn@HOTMAIL.COM
(512)-441-0205
Fax- (512)-441-8052
Technical Contact, Zone Contact:
Hush Communications, Tech acct. (HC508-ORG) hushtech@YAHOO.COM
(512)-441-0205
Fax- (512)-441-8052
Billing Contact:
Hush Communications, Admin acct. (HC507-ORG) hushadmn@HOTMAIL.COM
(512)-441-0205
Fax- (512)-441-8052
Note the Hotmail and Yahoo accounts listed.
i'm sure the java solution performs the encryption locally and never sends anything plaintext to the hushmail server (otherwise what would be the point) but it seems to be more hassle than it's worth.
i'm not saying this isn't useful; i'm just curious as to exactly what demographic they're aiming at. people who are already anal about their privacy will know how to do their own secure email; and people who don't go crazy about privacy and/or don't know how to use PGP will probably just go and use a more straightforward webmail service.
-- in china, chinese food is just called food.
Well, it looks more like a commodity web-based e-mail, but running on an SSL-enabled server. Their FAQ plainly states that only e-mail sent to another hushmail user is secure. Duh...
PGP all the way!
Anonymity doesn't have much to do with encryption. Just because they provide the encryption service does not mean that they don't keep logs of connections. If they do, a message, even encrypted, can be traced back to you quite easily.
Until recently the simple way to be anonymous was to set up a hotmail account through www.anonymizer.com and access it only through the anonymizer. Unfortunately, this is broken now, although I'm sure it's easy to find a free e-mail service that works through the anonymizer.
If you are interested in practical anonymity, check out www.zeroknowledge.com. Of course, there is a bunch of other resources on the net.
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.