[7097] in cryptography@c2.net mail archive
Re: Pass phrases, Hushmail and Ziplip
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Mon May 15 17:05:46 2000
Mime-Version: 1.0
Message-Id: <v04210102b54602be65fd@[24.218.56.92]>
In-Reply-To: <t537lcv1w6i.fsf@horowitz.ne.mediaone.net>
Date: Mon, 15 May 2000 16:07:05 -0400
To: Marc Horowitz <marc@mit.edu>
From: "Arnold G. Reinhold" <reinhold@WORLD.STD.COM>
Cc: cryptography@c2.net
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
At 2:54 PM -0400 5/15/2000, Marc Horowitz wrote:
>"Arnold G. Reinhold" <reinhold@world.std.com> writes:
>
>>> I'm not picking on Hushmail. Hushmail is a fairly good privacy
>>> product. It should protect against the average office snoop or an
>>> employer that wants to monitor employee e-mail. In fact, I'd give
>>> their work a 95%. Unfortunately, 95% is not a passing grade in high
>>> security cryptography. They have, however, opened their design to
>>> public critique and that is the only way I know to get close to 100%.
>>> So I'm just trying to help.
>
>I'm not that familiar with Hushmail. Do they claim anywhere to be
>doing "high security cryptography"? As you say, what they have is
>probably enough if the market they're going after is dirty jokes and
>love letters.
>
>All of what you've suggested is good advice, but it isn't impossible
>that Hushmail doesn't believe it's worth the effort, considering that
>the private keys are stored online on their servers. If you disagree,
>there's certainly nothing preventing you from building a competitor.
>
> Marc
The hushmail.com web site has statements like:

"HushMail offers the world's only, secure, end-to-end, free,
Web-based email service."

"HushMail uses powerful encryption technology."

"HushMail allows and encourages people to speak freely and without
fear of snooping eyes."

I think the general public would consider that a promise of high
security. People today realize that ordinary e-mail isn't very
private. Anyone who encourages people to "speak freely" via e-mail
has an ethical obligation to protect them as well as possible. Dirty
jokes can get you fired at many companies and love letters to someone
else's spouse are grist for blackmail. Foreign intelligence agencies
no doubt collect stuff like that for future use.

Again, I like Hushmail. I recommend them in my book and my Diceware
web site has instructions on how to use them safely. I just think
that with a little effort they could do a much better job protecting
the average user.

Arnold Reinhold