Author Topic: Hushmail not so secure  (Read 2542 times)

0 Members and 1 Guest are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Hushmail not so secure
« on: November 08, 2007, 09:35:27 am »
Hushmail, run by a Canadian company, advertises that nobody, not even their staff, can read your email. It's encrypted on the server and when sent, and enforces a long passphrase (my 18-character passphrase barely qualified).

However, a court order was recently given to turn over emails from three accounts, which they complied with:
http://www.theregister.co.uk/2007/11/08/hushmail_court_orders/
http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html

Offline Skywing

  • Full Member
  • ***
  • Posts: 139
    • View Profile
    • Nynaeve
Re: Hushmail not so secure
« Reply #1 on: November 08, 2007, 10:09:02 am »
Not too surprising; I doubt that you'll find (any) corporation willing to outright defy court orders for the sake of a non-paying user's privacy.  That and trusting the server with the plaintext of the mail as seemed to be the case here is rather foolish if you don't trust the server in the first place.

In fact, I fail to see what value hushmail adds at all over just doing local encryption client-side.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Hushmail not so secure
« Reply #2 on: November 08, 2007, 10:37:40 am »
I believe that the only advantage to Hushmail over client-side security is convenience. Setting up PGP or similar requires some level of technical knowledge, whereas Hushmail doesn't.

But you're right, it's stupid to trust companies to defy court orders .