Hushmail: Difference between revisions
KolbertBot (talk | contribs) m Bot: HTTP→HTTPS |
Rescuing 4 sources and tagging 0 as dead. #IABot (v1.6) |
||
| Line 28: | Line 28: | ||
===Individuals=== |
===Individuals=== |
||
There is one type of paid account, Hushmail Premium, which provides 10GB of storage, as well as IMAP and POP3 service. Hushmail offers a two-week free trial of this account.<ref name="features">[http://www.hushmail.com/services/hushmail/features/ Hushmail – Features and Pricing]</ref> |
There is one type of paid account, Hushmail Premium, which provides 10GB of storage, as well as IMAP and POP3 service. Hushmail offers a two-week free trial of this account.<ref name="features">[http://www.hushmail.com/services/hushmail/features/ Hushmail – Features and Pricing] {{webarchive|url=https://web.archive.org/web/20120616181615/http://www.hushmail.com/services/hushmail/features/ |date=2012-06-16 }}</ref> |
||
===Businesses=== |
===Businesses=== |
||
| Line 45: | Line 45: | ||
Developments in November 2007 led to doubts, amongst security-conscious users, about Hushmail's security, specifically, concern over a [[Backdoor (computing)|backdoor]]. The issue originated with the non-Java version of the Hush system. It performed the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the data to the user. The data is available as cleartext during this small window of time; the passphrase can be captured at this point, facilitating the decryption of all stored messages and future messages using this passphrase. Hushmail stated that the [[Java (software platform)|Java]] version is also vulnerable, in that they may be compelled to deliver a compromised [[java applet]] to a user.<ref name="wired2" /><ref name="wired3" /> |
Developments in November 2007 led to doubts, amongst security-conscious users, about Hushmail's security, specifically, concern over a [[Backdoor (computing)|backdoor]]. The issue originated with the non-Java version of the Hush system. It performed the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the data to the user. The data is available as cleartext during this small window of time; the passphrase can be captured at this point, facilitating the decryption of all stored messages and future messages using this passphrase. Hushmail stated that the [[Java (software platform)|Java]] version is also vulnerable, in that they may be compelled to deliver a compromised [[java applet]] to a user.<ref name="wired2" /><ref name="wired3" /> |
||
Hushmail turned over [[cleartext]] copies of private email messages associated with several addresses at the request of law enforcement agencies under a [[Mutual Legal Assistance Treaty]] with the United States.;<ref name="wired2">[http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html Encrypted E-Mail Company Hushmail Spills to Feds |Threat Level via Wired.com]</ref> e.g. in the case of [[U.S. v. Tyler Stumbo]].<ref name="wired2" /><ref name="wired3">[http://blog.wired.com/27bstroke6/hushmail-privacy.html Hushmail Privacy via Wired.com]</ref><ref>[http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf bakersfield.com]</ref> In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were turned over to U.S. authorities. Hushmail privacy policy states that it logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services."<ref>{{cite web | url = http://www.hushmail.com/privacy/ | title = Hushmail.com Privacy Policy | archiveurl = https://web.archive.org/web/20010215021918/http://www.hushmail.com/privacy/ | archivedate = 2001-02-15 | work = Hushmail.com }}</ref> |
Hushmail turned over [[cleartext]] copies of private email messages associated with several addresses at the request of law enforcement agencies under a [[Mutual Legal Assistance Treaty]] with the United States.;<ref name="wired2">[http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html Encrypted E-Mail Company Hushmail Spills to Feds |Threat Level via Wired.com]</ref> e.g. in the case of [[U.S. v. Tyler Stumbo]].<ref name="wired2" /><ref name="wired3">[http://blog.wired.com/27bstroke6/hushmail-privacy.html Hushmail Privacy via Wired.com] {{webarchive|url=https://web.archive.org/web/20071110164408/http://blog.wired.com/27bstroke6/hushmail-privacy.html |date=2007-11-10 }}</ref><ref>[http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf bakersfield.com] {{webarchive|url=https://web.archive.org/web/20080724042801/http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf |date=2008-07-24 }}</ref> In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were turned over to U.S. authorities. Hushmail privacy policy states that it logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services."<ref>{{cite web | url = http://www.hushmail.com/privacy/ | title = Hushmail.com Privacy Policy | archiveurl = https://web.archive.org/web/20010215021918/http://www.hushmail.com/privacy/ | archivedate = 2001-02-15 | work = Hushmail.com }}</ref> |
||
''Hush Communications'', the company that provides Hushmail, states that it will not release any user data without a court order from the [[Supreme Court of British Columbia]], Canada, and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty.<ref name="wired3" /> Hushmail states; ''"...that means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy" and'' "...if a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the ''"attacker"'' could be Hush Communications, the actual service provider."<ref name="hushcom1">[http://www.hushmail.com/about-security Hushmail – Free Email with Privacy – About]</ref> |
''Hush Communications'', the company that provides Hushmail, states that it will not release any user data without a court order from the [[Supreme Court of British Columbia]], Canada, and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty.<ref name="wired3" /> Hushmail states; ''"...that means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy" and'' "...if a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the ''"attacker"'' could be Hush Communications, the actual service provider."<ref name="hushcom1">[http://www.hushmail.com/about-security Hushmail – Free Email with Privacy – About] {{webarchive|url=https://web.archive.org/web/20071122180245/http://www.hushmail.com/about-security |date=2007-11-22 }}</ref> |
||
==See also== |
==See also== |
||
Revision as of 03:58, 9 November 2017
Type of site | Webmail |
|---|---|
| Owner | Hush Communications Ltd |
| Created by | Cliff Baltzley |
| URL | Hushmail.com |
| Commercial | Yes |
| Registration | Required |
Content license | Proprietary |
Hushmail is an encrypted proprietary web-based email service offering PGP-encrypted e-mail and vanity domain service. Hushmail uses OpenPGP standards and the source is available for download. If public encryption keys are available to both recipient and sender (either both are Hushmail users or have uploaded PGP keys to the Hush keyserver), Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password (with a password hint) and stored for pickup by the recipient, or the message can be sent in cleartext. In July, 2016, the company launched an iOS app that offers end-to-end encryption and full integration with the webmail settings.
History
Hushmail was founded by Cliff Baltzley in 1999 after he left Ultimate Privacy.
Reception
As of December 22, 2015[update], Hushmail has a score of 1 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. Hushmail has received a point for encryption during transit. It is missing points because communications are not encrypted with keys the provider doesn't have access to (i.e. the communications are not end-to-end encrypted), users can't verify contacts' identities, past messages are not secure if the encryption keys are stolen (i.e. the service does not provide forward secrecy), the code is not open to independent review (i.e. the code is not open-source), the security design is not properly documented, and there has not been a recent independent security audit.[2][3]
Accounts
Individuals
There is one type of paid account, Hushmail Premium, which provides 10GB of storage, as well as IMAP and POP3 service. Hushmail offers a two-week free trial of this account.[4]
Businesses
The standard business account provides the same features as the paid individual account, plus other features like vanity domain, email forwarding, catch-all email and user admin. A standard business plan with email archiving is also available.[5] Features like secure forms and email archiving can be found in the healthcare and legal industry-specific plans.[6][7]
Additional security features include hidden IP addresses in e-mail headers, two-step verification[8] and HIPAA compliant encryption.
Instant messaging
An instant messaging service, Hush Messenger, was offered until July 1, 2011.[9]
Compromises to email privacy
Hushmail received favorable reviews in the press.[10][11] It was believed that possible threats - such as demands from the legal system to reveal the content of traffic through the system - were not imminent in Canada, unlike the United States, and that if data were to be handed over, encrypted messages would be available only in encrypted form.
Developments in November 2007 led to doubts, amongst security-conscious users, about Hushmail's security, specifically, concern over a backdoor. The issue originated with the non-Java version of the Hush system. It performed the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the data to the user. The data is available as cleartext during this small window of time; the passphrase can be captured at this point, facilitating the decryption of all stored messages and future messages using this passphrase. Hushmail stated that the Java version is also vulnerable, in that they may be compelled to deliver a compromised java applet to a user.[12][13]
Hushmail turned over cleartext copies of private email messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States.;[12] e.g. in the case of U.S. v. Tyler Stumbo.[12][13][14] In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were turned over to U.S. authorities. Hushmail privacy policy states that it logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services."[15]
Hush Communications, the company that provides Hushmail, states that it will not release any user data without a court order from the Supreme Court of British Columbia, Canada, and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty.[13] Hushmail states; "...that means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy" and "...if a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the "attacker" could be Hush Communications, the actual service provider."[16]
See also
References
- ^ "Hushmail.com Site Info". Alexa Internet. Retrieved 2017-05-24.
- ^ "Secure Messaging Scorecard. Which apps and tools actually keep your messages safe?". Electronic Frontier Foundation. 4 November 2014. Retrieved 22 December 2015.
- ^ "Only 6 Messaging Apps Are Truly Secure". PC Magazine. 5 November 2014. Retrieved 8 January 2015.
- ^ Hushmail – Features and Pricing Archived 2012-06-16 at the Wayback Machine
- ^ – Hushmail Business Features
- ^ "Hushmail for Healthcare". www.hushmail.com. Retrieved 2016-05-05.
- ^ "Hushmail for Law". www.hushmail.com. Retrieved 2016-05-05.
- ^ – Two-Step Verification
- ^ Hushmail closes IM service
- ^ Alternative Web Mail Review – Hushmail Premium, PC Magazine
- ^ E-Mail Encryption Rare in Everyday Use: NPR
- ^ a b c Encrypted E-Mail Company Hushmail Spills to Feds |Threat Level via Wired.com
- ^ a b c Hushmail Privacy via Wired.com Archived 2007-11-10 at the Wayback Machine
- ^ bakersfield.com Archived 2008-07-24 at the Wayback Machine
- ^ "Hushmail.com Privacy Policy". Hushmail.com. Archived from the original on 2001-02-15.
- ^ Hushmail – Free Email with Privacy – About Archived 2007-11-22 at the Wayback Machine