[107292] in cryptography@c2.net mail archive


Re: Hushmail in U.S. v. Tyler Stumbo

daemon@ATHENA.MIT.EDU (Dave Howe)
Mon Nov 5 13:41:13 2007

Date: Fri, 02 Nov 2007 18:46:59 +0000
From: Dave Howe <DaveHowe@gmx.co.uk>
To: Email List - Cryptography <cryptography@metzdowd.com>
In-Reply-To: <032E7152-CA21-4347-90AE-9774E5ABDD2E@callas.org>

Jon Callas wrote:
> 
> On Nov 1, 2007, at 10:49 AM, John Levine wrote:
> 
>>> Since email between hushmail accounts is generally PGPed.  (That is
>>> the point, right?)
>>
>> Hushmail is actually kind of a scam.  In its normal configuration,
>> it's in effect just webmail with an HTTPS connection and a long
>> password.  It will generate and verify PGP signatures and encryption
>> for mail it sends and receives, but they generate and maintain their
>> users' PGP keys.
>>
>> There's a Java applet that's supposed to do end to end encryption, but
>> since it's with the same key that Hushmail knows, what's the point?
>>
> 
> I'm sorry, but that's a slur. Hushmail is not a scam. They do a very 
> good job of explaining what they do, what they cannot do, and against 
> which threats they protect. You may quibble all you want with its 
> *effectiveness* but they are not a scam. A scam is being dishonest.
> 
> You also mischaracterize the Hushmail system. The "classic" Hushmail 
> does not generate the keys, and while it holds them, they're encrypted. 
> The secrets Hushmail holds are as secure as the end user's operational 
> security.

Seconded. The Java applet is effectively a mail client, a copy of gpg, 
and a copy of the secret keyring; the public keys are looked up on the 
server though, and I suspect/assume that the messages are no more or 
less secure at the Hushmail side than your own PGP mail would be on an 
ISP IMAP server (i.e., you could get traffic information trivially just 
by looking, but message content would require being lucky with the 
keyphrase or active co-operation from Hushmail to give you a "gimmicked" 
client the next time you log in that reveals that information).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
