Re: Hushmail - a net woven by the fish themselves?

From Benjamin Geer <benjamin.geer@mindspring.com>
Date Fri, 15 Oct 1999 23:26:27 -0400
References <LOBBKJFGNNPEEKDNFLIOAEMJCEAA.grugnog@tao.ca>


[: hacktivism :]

Grugnog wrote:

> hushmail.com is claiming to provide strong encryption on email via a
> web-based interface.... A very clever net--woven by the fish themselves?

The question is, who would you trust with your private key?  There's no
proof that any given person is incorruptible.  Whoever is running
Hushmail, they don't have your passphrase, and they can't get it.  If
you're using PGP, and someone really wants your private key, and they
have (or can guess) your passphrase, they could break into your house to
get your private key.  Is this more or less likely than a corrupt
company abusing its storage of your private key on their server?  The
answer doesn't seem obvious to me.  Keep in mind that if breach of key
security were detected, Hushmail would go out of business.

> A prerequisite for any encryption algorithm to be taken seriously is
> that the source code be available for scrutiny by other cryptographic
> experts.

The source code *is* available.  You can download it here:
http://www.hush.ai/

> A good summary of some of the cons is at:
> http://www.counterpane.com/crypto-gram-9908.html#Web-BasedEncryptedE-Mail

The concluding paragraph of this evaluation (written by the encryption
expert Bruce Schneier) is:

"All in all, though, HushMail seems like a reasonable implementation of
the idea. The company seems clued; they have a reasonably informative
Web site, and respond promptly to security questions."

Incidentally, Blowfish was created by Bruce Schneier.

-- 
benjamin.geer@mindspring.com
Public key at http://bgeer.com

[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]
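The arrangement the post argues about (the server keeps your private key, but only in a form locked with a passphrase it never sees, so the remaining handle an attacker has is the passphrase itself) can be shown in a few dozen lines. The following is an added example written for this page, not code from the post, from Hushmail or from hush.ai, and it does not reproduce Hushmail's real scheme: PBKDF2-HMAC-SHA256 for passphrase stretching, a SHAKE-256 keystream for the cipher (standing in for Blowfish, which the post mentions) and an HMAC tag are assumptions, as are the iteration count and the sample key bytes. The `guess_passphrase` function goes slightly beyond the post: it shows what someone who copies the server's stored blob can do offline, which is exactly the "have (or can guess) your passphrase" case.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample standing in for a user's PGP-style private key material.
SAMPLE_PRIVATE_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"constructed sample key bytes, not a real key\n"
    b"-----END PRIVATE KEY-----\n"
)

# Assumption: work factor for passphrase stretching (the page gives no real figure).
PBKDF2_ITERATIONS = 100_000


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the passphrase into a 32-byte master key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(master: bytes) -> tuple:
    """Split the master key into independent encryption and MAC keys."""
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHAKE-256 keyed by (key, nonce) used as a stream cipher; stand-in for Blowfish."""
    return hashlib.shake_256(enc_key + nonce).digest(length)


def wrap_private_key(private_key: bytes, passphrase: str) -> dict:
    """Produce what the server stores: salt, nonce, ciphertext, tag.

    Neither the passphrase nor the plaintext key is in the returned blob,
    so a copy of the server's database alone does not yield the key.
    """
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(passphrase, salt))
    ks = _keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(p ^ k for p, k in zip(private_key, ks))
    # Encrypt-then-MAC over everything the client will later trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_private_key(blob: dict, passphrase: str) -> Optional[bytes]:
    """Client-side unwrap. Returns None if the passphrase (and hence the tag) is wrong."""
    enc_key, mac_key = _subkeys(derive_key(passphrase, blob["salt"]))
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong passphrase or tampered blob; never return garbage key bytes
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))


def guess_passphrase(blob: dict, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a stolen blob: the attacker's only handle is the passphrase.

    Each attempt costs a full PBKDF2 derivation, which is the point of the
    stretching; a guessable passphrase is still found, a strong one is not.
    """
    for cand in candidates:
        if unwrap_private_key(blob, cand) is not None:
            return cand
    return None


if __name__ == "__main__":
    blob = wrap_private_key(SAMPLE_PRIVATE_KEY, "weak1999")
    print("server stores only:", sorted(blob))
    print("right passphrase recovers key:", unwrap_private_key(blob, "weak1999") == SAMPLE_PRIVATE_KEY)
    print("wrong passphrase yields:", unwrap_private_key(blob, "nope"))
    print("guessed from a short list:", guess_passphrase(blob, ["password", "hushmail", "weak1999"]))
```

The blob is the whole of what a corrupt operator or a thief of the server's disk gets; without the passphrase it is opaque, and with a guessable passphrase it is open, which is the trade-off the post is weighing.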