Schneier on Security
A blog covering security and security technology.
November 15, 2007
Hushmail Turns Data Over to Government
Here's the story.
Posted on November 15, 2007 at 11:06 AM
Here in the US, the Constitution specifically allows law enforcement "search and seizure" with a specifically targeted warrant. That seems to be all that Hushmail is allowing. Works for me.
It's been generally accepted practice throughout the world that, when presented with a court order, a company must comply with a government's demands. The Wired article is falsely alarmist, even calling the ability to decrypt a customer's emails due to a court order request to do so a "vulnerability", as if Hushmail's system is somehow hackable.
This is typical media alarmism.
Bruce is about a week behind on his current events blogging. I wonder what sort of interesting data you could build out of a traffic analysis of his blog postings?
It *is* a vulnerability.
It therefore is a vulnerability.
@ Norman, antimedia
The fact that the company turned over the data isn't the interesting part about this article, they're just complying with the law.
The interesting part about this article is that a company that provides a service (user-encrypted mail) provides it in two ways, one of which (the browser option) enables the company to decrypt the mail. In this particular case, not everyone seemed to be aware of the functional difference.
It shows how hard it is for the un-technically savvy to judge outsourced security solutions; and how choosing convenience without judging the security implications can get you nailed.
This is criminal.
If you bought the service, believing the encryption and decryption would be done outside of Hushmail's reach, and then the service provider slipped in a gaffe where they could watch your machine doing the encryption, and thus copying your key and plaintext, then they have committed criminal fraud and espionage.
Jail is the answer for them. And anyone who abused government authority to coerce them into committing crimes needs a long stretch in prison.
@Roy: pls. read the whole story and the earlier comments before you make a silly comment
what would happen,
hushmail correspondents who were cryptosavvy, downloaded the hushmail public keys, and the hushmail encryption engine, and encrypted the messages on their own computers, using aes,
and the hushmail encryption engine,
and then copied and pasted the encrypted messages into the hushmail window, and sent them,
how would hushmail explain to the authorities that they *couldn't* decrypt?
@vedaal, why complicate it with harvesting Hushmail's technology, why not just use GPG to encrypt manually and then copy and paste into Hushmail?
I thought the Hushmail responses in the dialogue with Kevin Poulsen were very lucid and honest about the limitations of their service implementation. They should be complimented.
Also thought it was noteworthy that the Hushmail CTO specifically cited Schneier's analysis of the limitations inherent in webmail encryption services, referencing http://www.schneier.com/essay-191.html in his correspondence with Kevin.
The news here is that lazy/stupid people get what they deserve.
If these people had used browsers based encryption they never would have the problem.
But stupid have a job to do; they have to prove Darwin right every day or we will face extinction.
There is also no-java option, for cases where you can't or don't wish to install java on the client machine. There the private-key operations happen on hushmail's servers. The fact that your mail could be decrypted in that case, if an attacker is in control of hushmail's servers at the time of encryption, is in fact documented in hushmail's comparison of the two options.
What hush did was to specifically "attack" (under court order) one user. This was possible because that user chose to use the no-java option.
I guess it would have been theoretically possible for them to send a specially-built java applet to that user, such that it would compromise his passphrase, so the same conditions apply.
Moral of the story:
(a) don't traffic internationally in steroids
(b) if you should ignore (a), don't rely on a browser pointed at a site you don't control absolutely for your crypto operations. Install software you can trust on your own machine, and perform all crypto there. If you want to actually resist attackers that are willing to expend a significant amount of intelligence-agency type effort on you, then
(b-1) never connect your crypto machine to the net. Transport ciphertext to and from the machine by sneakernet only.
(b-2) never use the machine where a hidden camera or tempest monitor can see the screen - pull a heavy blanket lined with metal mesh over your head.
(b-3) keep the machine secure enough that hardware keyloggers cannot be undetectably installed and retrieved. e.g. keep it in a safe, rigged so as to destroy the contents if safecracking is attempted.
Realistically, this is only feasible if you yourself have the resources of an intelligence agency. You will at this point probably have armed guards around the building housing your crypto machine.
Concerning (b-1) use of sneaker net, do NOT rely on sneaker nets being absolutely secure. If you are using removable media, you could be infecting the encryption machine from the web connected one, via virus. I've actually seen that happen.
Wasn't Richard Reid caught in a sneaker net?
I think what is interesting about the story, is that Hushmail is turning over information according to a Canadian court order, like Yahoo! turned over information according to a Chinese court order.
Now I don't like the way the Chinese authorities behave, the reasons for their demanding information. I think they acted wrongly. But they are the government in that country. That is problematic.
I like it! Seems to me you'd need a really clever multi-stage malware to recover the secret key. Something like this:
First compromise the network-connected machine. Then have it e.g. format removable media in a way that will exploit a filesystem mounting vulnerability in the offline crypto machine, yet that will not disrupt operation of the online machine.
The payload of the filesystem attack would have to be the really clever part. It would have to
- monitor file accesses to find any PGP keys
- monitor keystrokes to recover passphrases
- record the keystroke log, and any keypairs found, back to the removable media, in a way that is hidden from the user (possibly re-mangling the filesystem). It probably couldn't dump any files accessed, unless the removable media was rather large, so it would have to parse them in situ.
Your network-attached machine would then analyze each inserted disk to see if the prize has dropped, and transmit it off to attacker HQ.
Uh, Hushmail turning over data is not news from a crypto standpoint. However, it is yet another reminder one still has to apply common sense with such security services:
If a warrant can get the information divulged, so can:
- Counterfeit warrants
- Warrantless requests for data
- An internal malcontent
- An honest (internal) mistake
" ... why not just use GPG to encrypt manually and then copy and paste into Hushmail? ... "
gnupg and pgp and hushmail, each form their public key encryption packets differently,
and can often be distinguished by just 'looking' at the beginning of the ascii armor
gnupg encrypted messages 'always' begin with an 'h'
pgp encrypted messages begin with a 'q'
for v4 keys (rsa and dh),
and begin with an 'h' for v3 keys
hushmail 'never' begins with either an 'h' or a 'q'
(i think it starts with a 'w',
but can't swear to it,
as i don't use hushmail encryption,
i use gnupg and paste it in ;-) )
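The comment above tells GnuPG, PGP and Hushmail output apart by the first armor character. The following is an added example, not code from the page or from any of those products: it decodes why that works, since the first base64 character carries bits 7..2 of the first OpenPGP packet byte, exposing the format bit and, for old-format headers, the whole packet tag. All sample messages are constructed; the Hushmail case assumes its engine writes a new-format Public-Key Encrypted Session Key header (0xC1), which armors as 'w'.

```python
import base64

# OpenPGP packet tags (RFC 4880, section 4.3) that can appear in an encrypted message
PACKET_TAGS = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data",
    10: "Marker (PGP 5.x and later write one first)",
    11: "Literal Data",
    18: "Sym. Encrypted Integrity Protected Data",
}
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def armor_first_char(header_byte: int) -> str:
    """The first armor character encodes bits 7..2 of the first packet byte,
    i.e. the format bit and (for old-format headers) the full 4-bit tag."""
    return B64[header_byte >> 2]


def armor_body(armored: str) -> str:
    """Return the base64 payload of an ASCII-armored message (RFC 4880, section 6.2),
    dropping BEGIN/END lines, armor headers, the blank line and the '=' CRC line."""
    lines = armored.strip().splitlines()
    if lines and lines[0].startswith("-----BEGIN PGP"):
        lines = lines[1:]
        while lines and lines[0].strip():      # armor headers such as "Version: ..."
            lines.pop(0)
        lines = lines[1:]                       # the blank line that ends the headers
    return "".join(ln.strip() for ln in lines
                   if ln.strip() and not ln.startswith(("-----", "=")))


def first_packet_header(armored: str) -> dict:
    """Decode the first packet header of an armored message (RFC 4880, section 4.2)."""
    body = armor_body(armored)
    if len(body) < 4:
        raise ValueError("armor body too short to hold a packet header")
    tag_byte = base64.b64decode(body[:4])[0]
    if not tag_byte & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    new_format = bool(tag_byte & 0x40)
    if new_format:           # 11TTTTTT: six-bit tag, length in the following octets
        tag, length_type = tag_byte & 0x3F, None
    else:                    # 10TTTTLL: four-bit tag plus a two-bit length type
        tag, length_type = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
    return {"first_char": body[0], "new_format": new_format, "tag": tag,
            "name": PACKET_TAGS.get(tag, "other"), "length_type": length_type}


def make_armor(first_bytes: bytes, comment: str) -> str:
    """Constructed sample: an armored message whose packet stream starts with
    first_bytes, followed by filler bytes (not real ciphertext) and a dummy CRC line."""
    payload = first_bytes + bytes(range(16))
    return ("-----BEGIN PGP MESSAGE-----\nComment: " + comment + "\n\n"
            + base64.b64encode(payload).decode() + "\n=dmmy\n-----END PGP MESSAGE-----\n")


# Constructed samples; only the leading header bytes are meaningful.
SAMPLES = {
    # GnuPG style: old-format PKESK (tag 1), two-byte length 0x010C -> armor "hQEM..."
    "gnupg": make_armor(bytes([0x85, 0x01, 0x0C, 0x03]), "constructed GnuPG-style header"),
    # PGP 5.x+ style: old-format Marker packet (tag 10), length 3, body "PGP" -> "qANQ..."
    "pgp": make_armor(bytes([0xA8, 0x03, 0x50, 0x47, 0x50]), "constructed PGP-style header"),
    # Assumption: Hushmail writes a new-format PKESK header (0xC1) -> armor "wcBM..."
    "hushmail_assumed": make_armor(bytes([0xC1, 0xC0, 0x4C, 0x03]), "constructed, assumed"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, first_packet_header(msg))
```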
@Alex: attack the message, not the messenger. Sheesh.
> Hushmail is turning over information
> according to a Canadian court order,
> like Yahoo! turned over information
> according to a Chinese court order.
Are you saying that Yahoo's complicity in imprisoning political activists in China is morally equivalent to Hushmail helping Canadians prosecute drug dealers?
I'm not happy with them after hearing this. I feel a bit misled. I may have to search for someone a bit more private, I guess.
Can the Hushmail java client be installed on read only media, say a bootable CD-ROM? That would get around concerns of a future "wiretapping" of the Java applet (I would think...)
Perhaps this is a tangent, and if it is, I apologize.
The point of encrypted email isn't to give you cover for illegal activity. And all of that anonymous murder contract stuff they used to talk about on cypherpunks is bs.
The point of encryption is to give you privacy from people in your life, who might be poking around.
And the other point is to make surveillance difficult and expensive, so the massive and widespread dragnets the government is doing now are impossible.
But people tend to exaggerate the stakes on either side.
On the cypherpunk side, they talked about nations falling and how people could put out murder contracts without consequences.
On the paranoid cop side, they say, if we have encryption, the world will end, and child pornographers and terrorists will run amok!
The truth is that they can always get you if they want you, if only by coming into your home and putting a keystroke logger on your keyboard. Encryption just makes that eavesdropping expensive, and therefore rare.
So people who use hushmail to break the law -- surprise! It's not going to work.
And to people who say ban encryption, because we have no protection from it -- this puts the lie to that claim, doesn't it? Because they can get around it if they want to.
It boils down to the simple fact that it is fatal if a third party gains control over your private key.
Of course, in the end, there is still some trust.
I use PGP now, but I seem to remember that PGP and Hush could interoperate?
So net connected machine would have to print out the ciphertext. Then OCR it into the decryption machine. Media could be used going the other way, but even there one could imagine a bootsector virus being planted on the media, one that would survive formatting...so maybe printouts going both ways. Then BOTH machines have to be in the faraday cage...
"If a warrant can get the information divulged, so can:
- Counterfeit warrants
- Warrantless requests for data
- An internal malcontent
- An honest (internal) mistake"
The last two apply even if the company is immune from warrants.
@Anonydude, encrypted email might have kept Karen Silkwood from having to drive that night...
> Are you saying that Yahoo's complicity
> in imprisoning political activists in China
> is morally equivalent to Hushmail
> helping Canadians prosecute drug
No, I stated that both governments are going after what they regard as criminals. That is a troublesome parallel, and I think it takes strength and creativity to both do business and protect the activists.
What if Hushmail was required to break into the account of someone using marijuana as medicine? That is considered an appropriate use by some. Activists, you might call them.
Sorry, this is straying way off the technical focus.
I looked into Hushmail a while back as a possible "best practice" example of letting unsophisticated users do encrypted email.
I was disappointed. Doing public-key message encryption *on the server* is a huge vulnerability. It throws away the ENTIRE security model. If you don't do the encryption on your local machine, you have no idea where the plaintext is going to go, or who's going to read it.
If using Tor with Java enabled, a user's IP address can be visible. So I wonder whether a Tor user who enables Java for Hushmail is revealing his IP address, which might be used to identify him, to Hushmail. Even if messages are encrypted, the identities of correspondents might be of interest to investigative or surveillance agencies.
If you are pulling down the software every time from a website, you will always be vulnerable to whoever controls that website unless you intend to reverse engineer the whole thing every time you log in, and that's just not realistic. If you're going through that much trouble, you're technical enough to use GPG.
When posting ideas on how to make a web-based service "more secure" people are often missing the point that web-based services have a fundamentally different security model than client-installed software. Hushmail may be very secure for a web-based service, but it can only be as secure as a web-based service can be.
Is it possible to do a checksum of a java applet locally? Like with a greasemonkey script? You could carry the script around with your portable firefox, the checksum of the "real deal" contained in the script. That would give you a way to check whether you are really encrypting locally, or not. Then again, you could possibly carry the Java applet around with you, and use your local one and not the one sent by hushmail.
For me, the only reason to use hushmail would be to have cryptod e-mail on the go, away from my computer. So any fix to this has to be portable, as well. Any comments?
Another question - in how far could a TOR exit node be an attack tool against a hushmail user?
> For me, the only reason to use hushmail would be to have cryptod e-mail on the go, away from my computer. So any fix to this has to be portable, as well. Any comments?
Just one: be especially cautious with crypto on the go, away from your computer.
One of the assumptions you make when doing crypto is that the machine in front of you really is running the code you think it's running, and that nobody else is snooping its memory while it does so, etc.
This is not a completely unreasonable assumption if the computer is yours (although it's by no means a certainty - your PC might have been compromised remotely, ninjas might have broken into your home and interfered with the hardware, the original hardware supplier might not be trustworthy, etc).
For a computer on the go, it's not a very reasonable assumption at all. A friend's PC, ok. A public terminal, not ok. It's almost certainly riddled with malware (at least, malicious from your POV), and that's just what the owner puts on it deliberately...
Hushmail might prevent interception on the wire, but you can achieve the same by both parties using (say) gmail over SSL. In either case you have to trust the terminal and the email provider, but not the intervening network. Obviously SSL is crypto, but it's probably best not to think of either setup as being "cryptod email".
I'm not saying don't do it - I am saying don't think of it as being like using crypto on a machine you trust.
> how far could a TOR exit node be an attack tool against a hushmail user?
My initial assessment is "not at all".
Hushmail uses encryption between your machine and hushmail's own servers. A TOR exit node can only read unencrypted traffic passing through it.
TOR is basically no different from your ISP's routers, except that:
1) Your ISP has the full route of the traffic, whereas the TOR exit node only knows where a packet is going to, not where it originated.
2) Your ISP is a registered corporation, whereas a TOR exit node is (on balance of probability) run by some dodgy hacker, criminal, or covert government operation. Your call as to which of those is more trustworthy :-)
Basically, the famous exploit of TOR to gain passwords came about because those passwords were going *unencrypted* over TOR. Using TOR is no different from using an open wireless access point: you must assume that anyone can read your traffic. Hushmail, like other end-to-end encryption protocols, is designed with this in mind, and counters it.
Hushmail's "threat matrix" at the bottom of this page:
looks to me like a reasonable attempt to explain the situation. Assuming it's factually correct, of course.
Actually, you can leave the PHPSESSID off the end of that url. I have no idea how confused their server will get if you don't and it thinks that session has expired. Sorry. Hushmail's site is avoiding setting a cookie, for reasons best known to itself.
With the information at hand, it is difficult to see any justification at all for Hushmail. If you use their webmail, you have no effective security as evidenced by recent events. If you do the sensible thing and encrypt off-line, there is no compelling reason to use Hushmail. There are many services that offer secured POP/IMAP access to accounts that can be opened anonymously. Hushmail is apparently nothing more than a normal email provider, that uses misleading marketing hype to give its customers a false sense of security and justify overcharging for the service.
They market themselves as offering security and privacy: "Hushmail keeps your on-line communications private and secure." In fact, they evidently have no commitment to privacy and security whatsoever.
1. They have known about the security flaw in their service, at least since Bruce published it in 1999, but have done nothing to rectify this, to prevent exploitation by technical and/or legal solutions or to clearly inform its clients about the potential risk.
2. They do not appear to have put up any fight before going to the extent of not only handing out data, but actually hacking their own system and facilitating spying on their customers. I am amazed that a court order could effectively even be that specific.
3. They have not chosen a legal structure that offers any real protection against potential government abuse. Multi-jurisdiction solutions, a web of service/management agreements in conjunction with a compartmentalized organisational structure of special purpose entities would virtually exclude effective court orders, and is nowhere near as difficult or costly as it might seem to someone without experience in this area of legal structuring. In order to offer credible privacy and security to an internationally diversified clientèle, such a structure should be considered a pre-requisite.
Should Hushmail be expected to protect criminals? Hushmail should be expected to provide security and privacy in a way that excludes them from accessing and deciphering client data. If they can do it by court order, they can do it by negligence, vulnerability, internal abuse or malice.
Furthermore, what constitutes a crime and defines a criminal? In some places, it is a crime to believe in free speech, to be born by the wrong parents or to believe in the wrong deity. In some places, petty crime is punished with disproportional harshness. In some places, democracy is abused by powerful industry lobbies that unduly manipulate politicians to disregard constitutional rights and legislate to the detriment of its citizens under a cloud of fear mongery and lies...
A service making the claims that Hushmail makes should be neutral to potentially arbitrary definitions of crime. It should neither protect nor condemn criminals. It should not have any ability whatsoever to actively do either.
Canada might seem like a safe democracy today (to some...) but what if tomorrow all that pent up rage and aggression that lurks under the clever guise of harmless feebleness is unleashed into a totalitarian regime and a subsequent full scale attack on the US, or the French Minority? (Not that either might not be desirable and long overdue.) What kind of court orders would the Canadian courts issue then?
Someone noted the appropriateness of Hushmail not protecting "drug dealers". Well, think about it, we don't know if the people in question might be drug dealers or not. They certainly are not accused of drug dealing in the meaning of selling narcotics, they are accused of illegally selling steroids as far as I can tell. Selling steroids is legal in some places and illegal in others. The proper use of steroids is not unsafe and the potential damage from abuse is typically non-lethal, rarely recorded and contained to self infliction. Certainly the uncommon abuse of steroids is considerably less harmful to society than the everyday abuse of guns, cars, cigarettes or alcohol, the selling of which is perfectly legal. Not to in any way protect the accused, who may for all we know be despicable individuals, but to illustrate the difficulty to make objective moral calls on alleged crime and potential guilt.
The problem with HushMail's current activities is that it is a fundamental departure from its previous stance. The waybackmachine provides Hush's previous statements and we can observe the change in their commitment to privacy.
"What if my message is subpoenaed?"
"Hush will answer valid, court-issued subpoenas. However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version."
The trouble is _not_ with Hush answering "valid, court-issued subpoenas", that has always been a given. The problem lies in the second part of the answer, "However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version." This important part is where Hush has fundamentally changed its policy. They provided cleartext for emails which were encrypted using the Hush Encryption Engine.
Furthermore the previous question in the FAQ addresses this possibility:
"Does HushMail have a "back door" that can be accessed by government agencies?"
"No. Email, which includes attachments, sent between Hush users is completely encrypted."
This statement is no longer true. HushMail has admitted to and appears to stand by the policy of creating and running a "backdoor which can be accessed by government agencies". Additionally they state that there is a possibility that their Hush Encryption Engine Java applet could be compromised at the request of a government. This is no longer "search and seizure" but active accomplice. Hush had to compromise their own systems to provide a method to obtain the cleartext. Code had to be written, tested and executed, that is active participation. Hush's systems were not "hacked" by an outside party, but they were "hacked" by the administrators of the system. Unfortunately, Hush's actions compromise to some extent the entire PGP system.
IMHO, their current actions are in complete contrast to not only their founding statements, but also to the spirit and tone of the entire open source encryption philosophy which was initiated by Phillip Zimmermann. Therein lies the betrayal, their new policy indicates a failure of principle. HushMail should redesign their system so that they can legally answer subpoenas but do not put themselves into compromising positions. Give us "permission to speak freely" again.
Great post Rearden... Didn't Phillip Zimmermann help develop and review Hushmail's code and endorse it? I wonder what he has to say about his endorsement.
First of all - I love your books!
I am a Hushmail user and I recently went with their premium service at 34.99 dollars. I am very happy with their support service. Swift and friendly answers within a couple of hours alone make it worth paying for the service.
However, there are some things I am a little concerned about. Like for instance, why does Hushmail not encrypt incoming and sent unencrypted mail when it is stored on their server? It should be a piece of cake to implement that any unencrypted inbound and outbound mail at a user account would be encrypted by the user's public key when stored at Hushmail's server, or am I missing something here? This would make it more safe should Hushmail's servers be hacked, since I guess most mails that Hushmail users send and receive are in fact unencrypted.
Although I understand that a subpoena can be used to obtain information, it sounds here like the court was ordering Hushmail to perform affirmative prospective actions, such as setting up a sort of honey trap, monitoring it, and reporting back to the government. Can a court order that to a law-abiding, only incidentally involved party?