In this scenario, if a law enforcement agency demands all the e-mails sent to or from an account, Hushmail can only turn over the scrambled messages since it has no way of reversing the encryption. However, installing Java and loading and running the Java applet can be annoying. So in , Hushmail began offering a service more akin to traditional web mail. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.
The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages. In the case of the alleged steroid dealer, the feds seemed to compel Hushmail to exploit this hole, store the suspects' secret passphrase or decryption key, decrypt their messages and hand them over.
The key point, though, is that in the non-Java configuration, private key and passphrase operations are performed on the server- side. This requires that users place a higher level of trust in our servers as a trade off for the better usability they get from not having to install Java and load an applet.
This might clarify things a bit when you are considering what actions we might be required to take under a court order.
Again, I stress that our requirement in complying with a court order is that we not take actions that would affect users other than those specifically named in the order.
Hushmail's marketing copy largely glosses over this vulnerability, reassuring users that the non-Java option is secure. Turning on Java provides an additional layer of security, but is not necessary for secure communication using this system[ Java allows you to keep more of the sensitive operations on your local machine, adding an extra level of protection. However, as all communication with the webserver is encrypted, and sensitive data is always encrypted when stored on disk, the non-Java option also provides a very high level of security.
But can the feds force Hushmail to modify the Java applet sent to a particular user, which could then capture and sends the user's passphrase to Hushmail, then to the government? With Hushmail, you get it all in one service. Your Hushmail account works just like a regular email account, with added security features to help keep your data safe. Move your forms online in minutes.
Instant online signing for your most important digital forms. Switching from pen and ink to e-signatures has never been easier.
Hushmail for Healthcare allows you to encrypt emails containing personal health information. It automatically creates a separate archive account that keeps a record of all emails sent or received by all users in your domain, which is essential in case of an audit. Our Customer Success team is by your side to ensure a smooth start by helping you set up your account, build your first form, and verify that your chosen account is the best one for your needs.
Kind, considerate, responsive customer care. We take the time to personally answer your questions, understand your problem, and do our best to find a solution. Access our growing knowledge base so you can learn more about encryption and Hushmail on your own time. You own your data.
Prevent unauthorized access to your Hushmail account by using a two-step process to authenticate your identity from any device we don't recognize. Enjoy the peace of mind that comes from knowing that your data is stored only in Canada and under the protection of Canadian Law. Download our security white papers to learn more about our security philosophy and protocols.
Just sign up and start sending. Included in plans: Healthcare , Small Business , Law. Your email address will end with hushmail. This article on encrypting and protecting your email has some good tips on apps that can enhance your Hushmail security. This is a sleeper feature. The reason that stealing login credentials is such a big business is that bad guys know we tend to reuse them. Creating an email alias is as simple as visiting your Preferences page and creating a new alias.
A drop-down list box appears on the web interface to allow you to select an alias to send from. Under the normal course of business Hushmail does not store your passphrase. However, it will capture your passphrase and turn over your data if compelled by law. Hushmail defines that as full compliance with any legal order enforceable within the jurisdiction of the province of British Columbia in Canada. It further goes on state that if you intend to engage in activities that could result in an enforceable legal order in British Columbia, then Hushmail is not a good choice for you.
Storing your passphrase is not quite the same as knowing your passphrase. In order to encrypt, decrypt, or sign your email the web server must know your passphrase. Your passphrase is held in RAM when you log in and is not written to disk in normal circumstances. However, it is theoretically possible for your passphrase to be captured from RAM if the web server is compromised.
Hushmail has a nice Security Analysis here which indicates the level of protection it offers for various circumstances. But it will save you from situations where the mail server is exploited, breached, or otherwise falls into the wrong hands.
Good security requires many layers. This site uses Akismet to reduce spam. Learn how your comment data is processed. Comparitech uses cookies. More info. Menu Close.
0コメント