Don't Expect E-mail Providers to Keep Your Secrets
Hushmail has a reputation for providing encrypted e-mail services that are so secure even their sys admins can't get at your messages, that is, until the government comes knocking at their door. Wired reports:
A September court document (.pdf) from a federal prosecution of alleged steroid dealers reveals the Canadian company turned over 12 CDs worth of e-mails from three Hushmail accounts, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The charging document alleges that many Chinese wholesale steroid chemical providers, underground laboratories and steroid retailers do business over Hushmail.
And privacy protections, like keeping private keys on clients, not Hushmail servers, are no guarantee messages won't be read by the government and possibly attackers.
Hushmail's server-based option transmits keys from clients to Hushmail servers:
The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages.
As Bruce Schneier argues in Secrets and Lies, elegant cryptographic algorithms are no guarantee of security. Implementation details and human behaviors can undermine the most difficult-to-crack cryptography on the planet. Here is a case in point.



