Prosthetic Conscience

Hushmail: not so hushed, aktuly.

No original reporting or opinions here. Wired has a story on how Hushmail can and will turn over plaintext emails if they receive a Canadian court order. This means that while Hushmail provides good protection against on-the-wire snooping, it doesn’t protect Alice and Bob if Mallory is in law enforcement.

I’ve recommended Hushmail to friends and neighbors in the past, as a way of easing them into the idea of using encrypted email on a regular basis. When I read this news, I felt I had to email people that I had recommended it to, to let them know about the weakness. Hushmail could set up their systems so that they never store a passphrase except in volatile memory, and so that they never store plaintext of messages. But you’d have to trust them on that, and a court order could still mandate that they store them, and not tell you they were doing it.

The best thing would be for everyone to use GNU Privacy Guard on their own computer. But it can be hard to set up, especially for Windows users (though if you’re running Windows, you have bigger security problems), and your correspondents have to all be using GnuPG or OpenPGP, too. This is a big barrier to entry, and even though I’m set up to use it, very little of my total volume of email is routinely encrypted as I’d like it to be. There is also the problem of people without their own computers, who must use shared resources such as public library computers. Hushmail appeared to be the most viable option for them.

If you are interested in using GnuPG, you might look into the Enigmail plugin for Mozilla Thunderbird as a cross-platform solution. If you’re already using Linux, Evolution groupware provides easy-to-use GnuPG support. If you want to send me encrypted email, you can download my public key, the fingerprint of which is C046 0E26 8103 ABA1 68B1 D6E7 A991 E701 91DF 7DDD.

[ Posted: 20:16] | [ Category: /computing] | Permalink | Comments: 0 ]