Norman Einstein • November 15, 2007 11:49 AM

Here in the US, the Constitution specifically allows law enforcement "search and seizure" with a specifically targeted warrant. That seems to be all that Hushmail is allowing. Works for me.

antimedia • November 15, 2007 11:49 AM

It's been generally accepted practice throughout the world that, when presented with a court order, a company must comply with a government's demands. The Wired article is falsely alarmist, even calling the ability to decrypt a customer's emails due to a court order request to do so a "vulnerability", as if Hushmail's system is somehow hackable.

This is typical media alarmism.

Pat Cahalan • November 15, 2007 11:56 AM

Bruce is about a week behind on his current events blogging. I wonder what sort of interesting data you could build out of a traffic analysis of his blog postings?

vuln • November 15, 2007 11:58 AM

It *is* a vulnerability.

If you're sending encrypted email, then you encrypt your plaintext using the recipient's public key, which Hushmail knows, but the recipient should be the only one able to decrypt it, as only he should have the corresponding private key: the decryption should be done on the recipient's local machine, by, e.g., Javascript, and the key (or the plaintext) should never hit Hushmail's servers.

It therefore is a vulnerability.

Pat Cahalan • November 15, 2007 12:00 PM

@ Norman, antimedia

The fact that the company turned over the data isn't the interesting part about this article, they're just complying with the law.

The interesting part about this article is that a company that provides a service (user-encrypted mail) provides it in two ways, one of which (the browser option) enables the company to decrypt the mail. In this particular case, not everyone seemed to be aware of the functional difference.

It shows how hard it is for the un-technically savvy to judge outsourced security solutions; and how choosing convenience without judging the security implications can get you nailed.

Roy • November 15, 2007 12:04 PM

This is criminal.

If you bought the service, believing the encryption and decryption would be done outside of Hushmail's reach, and then the service provider slipped in a gaffe where they could watch your machine doing the encryption, and thus copy your key and plaintext, then they have committed criminal fraud and espionage.

Jail is the answer for them. And anyone who abused government authority to coerce them into committing crimes needs a long stretch in prison.

vedaal • November 15, 2007 12:18 PM

what would happen,
if *theoretically*,
hushmail correspondents who were cryptosavvy, downloaded the hushmail public keys, and the hushmail encryption engine, and encrypted the messages on their own computers, using AES,
and the hushmail encryption engine,
and then copied and pasted the encrypted messages into the hushmail window, and sent them,

how would hushmail explain to the authorities that they *couldn't* decrypt?

guvn'r • November 15, 2007 12:46 PM

@vedaal, why complicate it with harvesting Hushmail's technology, why not just use GPG to encrypt manually and then copy and paste into Hushmail?

I thought the Hushmail responses in the dialogue with Kevin Poulsen were very lucid and honest about the limitations of their service implementation. They should be complimented.

Also thought it was noteworthy that the Hushmail CTO specifically cited Schneier's analysis of the limitations inherent in webmail encryption services, referencing in his correspondence with Kevin.

sooth_sayer • November 15, 2007 12:51 PM

The news here is that lazy/stupid people get what they deserve.
If these people had used browser-based encryption they never would have had the problem.

But the stupid have a job to do; they have to prove Darwin right every day or we will face extinction.

dragonfrog • November 15, 2007 1:38 PM

If you read the article, you'll note that what you describe as what _should_ happen, is also what hushmail recommends - you download a java applet from them, and the encryption happens on the client machine only. The server never sees your decrypted private key. (Crypto operations in javascript are theoretically possible, but I'd advise going out for a long coffee break when you hit "encrypt", because javascript was not designed for heavy lifting.)

There is also a no-java option, for cases where you can't or don't wish to install java on the client machine. There the private-key operations happen on hushmail's servers. The fact that your mail could be decrypted in that case, if an attacker is in control of hushmail's servers at the time of encryption, is in fact documented in hushmail's comparison of the two options.

What hush did was to specifically "attack" (under court order) one user. This was possible because that user chose to use the no-java option.

I guess it would have been theoretically possible for them to send a specially-built java applet to that user, such that it would compromise his passphrase, so the same conditions apply.

Moral of the story:

(a) don't traffic internationally in steroids

(b) if you should ignore (a), don't rely on a browser pointed at a site you don't control absolutely for your crypto operations. Install software you can trust on your own machine, and perform all crypto there. If you want to actually resist attackers that are willing to expend a significant amount of intelligence-agency type effort on you, then

(b-1) never connect your crypto machine to the net. Transport ciphertext to and from the machine by sneakernet only.

(b-2) never use the machine where a hidden camera or tempest monitor can see the screen - pull a heavy blanket lined with metal mesh over your head.

(b-3) keep the machine secure enough that hardware keyloggers cannot be undetectably installed and retrieved. e.g. keep it in a safe, rigged so as to destroy the contents if safecracking is attempted.

Realistically, this is only feasible if you yourself have the resources of an intelligence agency. You will at this point probably have armed guards around the building housing your crypto machine.

Spider • November 15, 2007 1:57 PM

Concerning (b-1) use of sneaker net, do NOT rely on sneaker nets being absolutely secure. If you are using removable media, you could be infecting the encryption machine from the web connected one, via virus. I've actually seen that happen.

midiar • November 15, 2007 3:08 PM

I think what is interesting about the story, is that Hushmail is turning over information according to a Canadian court order, like Yahoo! turned over information according to a Chinese court order.

Now I don't like the way the Chinese authorities behave, the reasons for their demanding information. I think they acted wrongly. But they are the government in that country. That is problematic.

dragonfrog • November 15, 2007 3:30 PM

I like it! Seems to me you'd need a really clever multi-stage malware to recover the secret key. Something like this:

First compromise the network-connected machine. Then have it e.g. format removable media in a way that will exploit a filesystem mounting vulnerability in the offline crypto machine, yet that will not disrupt operation of the online machine.

The payload of the filesystem attack would have to be the really clever part. It would have to

- monitor file accesses to find any PGP keys

- monitor keystrokes to recover passphrases

- record the keystroke log, and any keypairs found, back to the removable media, in a way that is hidden from the user (possibly re-mangling the filesystem). It probably couldn't dump any files accessed, unless the removable media was rather large, so it would have to parse them in situ.

Your network-attached machine would then analyze each inserted disk to see if the prize has dropped, and transmit it off to attacker HQ.

Dale • November 15, 2007 4:22 PM

Uh, Hushmail turning over data is not news from a crypto standpoint. However, it is yet another reminder one still has to apply common sense with such security services:

If a warrant can get the information divulged, so can:
- Counterfeit warrants
- Warrantless requests for data
- An internal malcontent
- An honest (internal) mistake

vedaal • November 15, 2007 4:26 PM

@ guvn'r

" ... why not just use GPG to encrypt manually and then copy and paste into Hushmail? ... "

gnupg and pgp and hushmail, each form their public key encryption packets differently,
and can often be distinguished by just 'looking' at the beginning of the ascii armor

gnupg encrypted messages 'always' begin with an 'h'

pgp encrypted messages begin with a 'q'
for v4 keys (rsa and dh),
and begin with an 'h' for v3 keys

hushmail 'never' begins with either an 'h' or a 'q'
(i think it starts with a 'w',
but can't swear to it,
as i don't use hushmail encryption,

i use gnupg and paste it in ;-) )
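
vedaal's rule of thumb follows from how OpenPGP armor is built: the first base64 character of the armor body carries the top six bits of the first packet-header byte, so an old-format Public-Key Encrypted Session Key header (0x85) always armors to 'h', a PGP Marker packet header (0xA8) to 'q', and a new-format PKESK header (0xC1) to 'w'. The Python below is an added example, not code from this thread or from GnuPG, PGP or Hushmail; its packet streams are constructed placeholders, and it shows only that a leading 'w' is consistent with a new-format packet, not what Hushmail actually emits. tags_for_armor_char generalizes the rule to any leading character.

```python
"""First OpenPGP packet behind an ASCII-armored message (RFC 4880, 4.2 and 6.2).

The leading base64 character of the armor body carries the top six bits of the
first packet-header byte. All sample packets here are constructed placeholders.
"""
import base64

PACKET_NAMES = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    8: "Compressed Data",
    9: "Symmetrically Encrypted Data",
    10: "Marker",
    18: "Sym. Encrypted Integrity Protected Data",
}
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def parse_packet_header(first_byte: int):
    """Return (format, tag) for an OpenPGP packet-header byte."""
    if not first_byte & 0x80:
        raise ValueError("bit 7 must be set in a packet header")
    if first_byte & 0x40:                    # new format: tag in bits 5..0
        return "new", first_byte & 0x3F
    return "old", (first_byte >> 2) & 0x0F   # old format: tag in bits 5..2


def tags_for_armor_char(ch: str):
    """Every (format, tag) a leading armor char can mean; low two bits are unknown."""
    hi = B64.index(ch) << 2
    candidates = set()
    for low in range(4):
        try:
            candidates.add(parse_packet_header(hi | low))
        except ValueError:
            pass                             # index below 32: not a packet header
    return candidates


def armor_body(armored: str) -> bytes:
    """Drop BEGIN/END lines, armor headers and any CRC line; decode the base64."""
    body, in_body = [], False
    for line in armored.strip().splitlines():
        if line.startswith("-----BEGIN PGP"):
            continue
        if line.startswith("-----END PGP") or line.startswith("="):
            break
        if not in_body:
            in_body = line.strip() == ""     # blank line ends the armor headers
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def classify(armored: str):
    """Return (leading armor char, packet format, tag, packet name)."""
    data = armor_body(armored)
    fmt, tag = parse_packet_header(data[0])
    leading = base64.b64encode(data[:3]).decode()[0]
    return leading, fmt, tag, PACKET_NAMES.get(tag, "unknown")


def build_armor(packets: bytes) -> str:
    """Wrap raw packet bytes in PGP MESSAGE armor (no CRC line; test input only)."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "Version: constructed", "",
                      *lines, "-----END PGP MESSAGE-----"])


# Constructed packet streams; bodies are zero-filled, not real key material.
# PKESK body of 268 bytes: version(1) + key id(8) + algorithm(1) + MPI(258).
_PKESK_BODY = b"\x03" + bytes(8) + b"\x01" + bytes(258)
OLD_PKESK = bytes([0x85, 0x01, 0x0C]) + _PKESK_BODY    # old format, 2-octet length
PGP_MARKER = bytes([0xA8, 0x03]) + b"PGP" + OLD_PKESK  # Marker packet comes first
NEW_PKESK = bytes([0xC1, 0xC0, 0x4C]) + _PKESK_BODY    # new format, 2-octet length

if __name__ == "__main__":
    for ch in "hqw":
        print(ch, sorted(tags_for_armor_char(ch)))
    for pkt in (OLD_PKESK, PGP_MARKER, NEW_PKESK):
        print(classify(build_armor(pkt)))
```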

Norman Einstein • November 15, 2007 5:37 PM

> Hushmail is turning over information
> according to a Canadian court order,
> like Yahoo! turned over information
> according to a Chinese court order.

Are you saying that Yahoo's complicity in imprisoning political activists in China is morally equivalent to Hushmail helping Canadians prosecute drug dealers?

Disappointed • November 15, 2007 6:39 PM

I'm not happy with them after hearing this. I feel a bit misled. I may have to search for someone a bit more private, I guess.

Matt from CT • November 15, 2007 9:32 PM

Can the Hushmail java client be installed on read only media, say a bootable CD-ROM? That would get around concerns of a future "wiretapping" of the Java applet (I would think...)

Anonydude • November 15, 2007 9:49 PM

Perhaps this is a tangent, and if it is, I apologize.

The point of encrypted email isn't to give you cover for illegal activity. And all of that anonymous murder contract stuff they used to talk about on cypherpunks is bs.

The point of encryption is to give you privacy from people in your life, who might be poking around.

And the other point is to make surveillance difficult and expensive, so the massive and widespread dragnets the government is doing now are impossible.

But people tend to exaggerate the stakes on either side.

On the cypherpunk side, they talked about nations falling and how people could put out murder contracts without consequences.

On the paranoid cop side, they say, if we have encryption, the world will end, and child pornographers and terrorists will run amok!

The truth is that they can always get you if they want you, if only by coming into your home and putting a keystroke logger on your keyboard. Encryption just makes that eavesdropping expensive, and therefore rare.

So people who use hushmail to break the law -- surprise! It's not going to work.

And to people who say ban encryption, because we have no protection from it -- this puts the lie to that claim, doesn't it? Because they can get around it if they want to.

Paeniteo • November 16, 2007 3:04 AM

It boils down to the simple fact that it is fatal if a third party gains control over your private key.

DBH • November 16, 2007 7:25 AM

I think the terms of use are fair, and the requirements for specific targeted subpoenas are fair. If Hush wanted to dodge the 'different java app' problem however, it could download the app to a machine BEFORE it asked for username/password. Since the TOS say they will only comply with a specific warrant, then the app downloaded (and visible by inspection) will have to be clean.

Of course, in the end, there is still some trust.

I use PGP now, but I seem to remember that PGP and Hush could interoperate?

DBH • November 16, 2007 7:30 AM

Re: B-1

So the net-connected machine would have to print out the ciphertext. Then OCR it into the decryption machine. Media could be used going the other way, but even there one could imagine a bootsector virus being planted on the media, one that would maybe survive printouts going both ways. Then BOTH machines have to be in the faraday cage...

Harry • November 16, 2007 7:51 AM

Dale says:
"If a warrant can get the information divulged, so can:
- Counterfeit warrants
- Warrantless requests for data
- An internal malcontent
- An honest (internal) mistake"

The last two apply even if the company is immune from warrants.

Anonymous • November 16, 2007 8:59 AM

@Anonydude, encrypted email might have kept Karen Silkwood from having to drive that night...

midiar • November 16, 2007 9:59 AM

> Are you saying that Yahoo's complicity
> in imprisoning political activists in China
> is morally equivalent to Hushmail
> helping Canadians prosecute drug
> dealers?

No, I stated that both governments are going after what they regard as criminals. That is a troublesome parallel, and I think it takes strength and creativity to both do business and protect the activists.

What if Hushmail was required to break into the account of someone using marijuana as medicine? That is considered an appropriate use by some. Activists, you might call them.

Sorry, this is straying way off the technical focus.

Kadin2048 • November 16, 2007 12:00 PM

I looked into Hushmail a while back as a possible "best practice" example of letting unsophisticated users do encrypted email.

I was disappointed. Doing public-key message encryption *on the server* is a huge vulnerability. It throws away the ENTIRE security model. If you don't do the encryption on your local machine, you have no idea where the plaintext is going to go, or who's going to read it.

It's not like it would be hard for them to fix this. There are GPG implementations in Javascript that work completely on the browser side. If they used these, their customers' data would be more secure, and they wouldn't be put in the position of having to sacrifice their reputation (privacy, security) in order to comply with court orders. They would be able to legitimately turn over everything they had to authorities, because *everything* would be encrypted.

One example of GPG in Javascript (also see URL):

tathyract • November 16, 2007 1:20 PM

If using Tor with Java enabled, a user's IP address can be visible. So I wonder whether a Tor user who enables Java for Hushmail is revealing his IP address, which might be used to identify him, to Hushmail. Even if messages are encrypted, the identities of correspondents might be of interest to investigative or surveillance agencies.

AlsoAnonymous • November 16, 2007 1:31 PM

Every web-based service is going to be subject to this sort of thing, no matter how fancy they get with JavaScript. If they can be compelled to capture a passphrase on the server-side, where's the line that says they can't be compelled to alter the JavaScript or Java - even if just for that particular user - and send up the passphrase on an Ajax call? Sure the user could check the JavaScript, but what user is going to check the JavaScript every time? If the JavaScript or Java is pulled down before they have the username, what's to say they don't just bypass the originally downloaded code once the username is known?

If you are pulling down the software every time from a website, you will always be vulnerable to whoever controls that website unless you intend to reverse engineer the whole thing every time you log in, and that's just not realistic. If you're going through that much trouble, you're technical enough to use GPG.

When posting ideas on how to make a web-based service "more secure" people are often missing the point that web-based services have a fundamentally different security model than client-installed software. Hushmail may be very secure for a web-based service, but it can only be as secure as a web-based service can be.

hugo • November 17, 2007 10:47 AM

Is it possible to do a checksum of a java applet locally? Like with a greasemonkey script? You could carry the script around with your portable firefox, the checksum of the "real deal" contained in the script. That would give you a way to check whether you are really encrypting locally, or not. Then again, you could possibly carry the Java applet around with you, and use your local one and not the one sent by hushmail.
For me, the only reason to use hushmail would be to have cryptod e-mail on the go, away from my computer. So any fix to this has to be portable, as well. Any comments?

Another question - in how far could a TOR exit node be an attack tool against a hushmail user?

SteveJ • November 19, 2007 5:58 AM

> For me, the only reason to use hushmail would be to have cryptod e-mail on the go, away from my computer. So any fix to this has to be portable, as well. Any comments?

Just one: be especially cautious with crypto on the go, away from your computer.

One of the assumptions you make when doing crypto is that the machine in front of you really is running the code you think it's running, and that nobody else is snooping its memory while it does so, etc.

This is not a completely unreasonable assumption if the computer is yours (although it's by no means a certainty - your PC might have been compromised remotely, ninjas might have broken into your home and interfered with the hardware, the original hardware supplier might not be trustworthy, etc).

For a computer on the go, it's not a very reasonable assumption at all. A friend's PC, ok. A public terminal, not ok. It's almost certainly riddled with malware (at least, malicious from your POV), and that's just what the owner puts on it deliberately...

Hushmail might prevent interception on the wire, but you can achieve the same by both parties using (say) gmail over SSL. In either case you have to trust the terminal and the email provider, but not the intervening network. Obviously SSL is crypto, but it's probably best not to think of either setup as being "cryptod email".

I'm not saying don't do it - I am saying don't think of it as being like using crypto on a machine you trust.

SteveJ • November 19, 2007 8:23 AM

> how far could a TOR exit node be an attack tool against a hushmail user?

My initial assessment is "not at all".

Hushmail uses encryption between your machine and hushmail's own servers. A TOR exit node can only read unencrypted traffic passing through it.

TOR is basically no different from your ISP's routers, except that:

1) Your ISP has the full route of the traffic, whereas the TOR exit node only knows where a packet is going to, not where it originated.

2) Your ISP is a registered corporation, whereas a TOR exit node is (on balance of probability) run by some dodgy hacker, criminal, or covert government operation. Your call as to which of those is more trustworthy :-)

Basically, the famous exploit of TOR to gain passwords came about because those passwords were going *unencrypted* over TOR. Using TOR is no different from using an open wireless access point: you must assume that anyone can read your traffic. Hushmail, like other end-to-end encryption protocols, is designed with this in mind, and counters it.

Hushmail's "threat matrix" at the bottom of this page:

looks to me like a reasonable attempt to explain the situation. Assuming it's factually correct, of course.

SteveJ • November 19, 2007 8:26 AM

Actually, you can leave the PHPSESSID off the end of that url. I have no idea how confused their server will get if you don't and it thinks that session has expired. Sorry. Hushmail's site is avoiding setting a cookie, for reasons best known to itself.

Bror E Stohr • November 20, 2007 5:43 AM

With the information at hand, it is difficult to see any justification at all for Hushmail. If you use their webmail, you have no effective security as evidenced by recent events. If you do the sensible thing and encrypt off-line, there is no compelling reason to use Hushmail. There are many services that offer secured POP/IMAP access to accounts that can be opened anonymously. Hushmail is apparently nothing more than a normal email provider that uses misleading marketing hype to give its customers a false sense of security and justify overcharging for the service.

They market themselves as offering security and privacy: "Hushmail keeps your on-line communications private and secure." In fact, they evidently have no commitment to privacy and security whatsoever.

1. They have known about the security flaw in their service, at least since Bruce published it in 1999, but have done nothing to rectify this, to prevent exploitation by technical and/or legal solutions or to clearly inform their clients about the potential risk.

2. They do not appear to have put up any fight before going to the extent of not only handing out data, but actually hacking their own system and facilitating spying on their customers. I am amazed that a court order could effectively even be that specific.

3. They have not chosen a legal structure that offers any real protection against potential government abuse. Multi-jurisdiction solutions, a web of service/management agreements in conjunction with a compartmentalized organisational structure of special purpose entities, would virtually exclude effective court orders, and are nowhere near as difficult or costly as they might seem to someone without experience in this area of legal structuring. In order to offer credible privacy and security to an internationally diversified clientèle, such a structure should be considered a prerequisite.

Should Hushmail be expected to protect criminals? Hushmail should be expected to provide security and privacy in a way that excludes them from accessing and deciphering client data. If they can do it by court order, they can do it by negligence, vulnerability, internal abuse or malice.

Furthermore, what constitutes a crime and defines a criminal? In some places, it is a crime to believe in free speech, to be born to the wrong parents or to believe in the wrong deity. In some places, petty crime is punished with disproportionate harshness. In some places, democracy is abused by powerful industry lobbies that unduly manipulate politicians to disregard constitutional rights and legislate to the detriment of its citizens under a cloud of fear-mongering and lies...

A service making the claims that Hushmail makes should be neutral to potentially arbitrary definitions of crime. It should neither protect nor condemn criminals. It should not have any ability whatsoever to actively do either.

Canada might seem like a safe democracy today (to some...) but what if tomorrow all that pent up rage and aggression that lurks under the clever guise of harmless feebleness is unleashed into a totalitarian regime and a subsequent full scale attack on the US, or the French Minority? (Not that either might not be desirable and long overdue.) What kind of court orders would the Canadian courts issue then?

Someone noted the appropriateness of Hushmail not protecting "drug dealers". Well, think about it: we don't know if the people in question might be drug dealers or not. They certainly are not accused of drug dealing in the meaning of selling narcotics; they are accused of illegally selling steroids as far as I can tell. Selling steroids is legal in some places and illegal in others. The proper use of steroids is not unsafe and the potential damage from abuse is typically non-lethal, rarely recorded and confined to self-infliction. Certainly the uncommon abuse of steroids is considerably less harmful to society than the everyday abuse of guns, cars, cigarettes or alcohol, the selling of which is perfectly legal. Not to in any way protect the accused, who may for all we know be despicable individuals, but to illustrate the difficulty of making objective moral calls on alleged crime and potential guilt.

Rearden • November 20, 2007 10:22 AM

The problem with HushMail's current activities is that it is a fundamental departure from its previous stance. The waybackmachine provides Hush's previous statements and we can observe the change in their commitment to privacy:
"What if my message is subpoenaed?"

"Hush will answer valid, court-issued subpoenas. However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version."

The trouble is _not_ with Hush answering "valid, court-issued subpoenas"; that has always been a given. The problem lies in the second part of the answer, "However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version." This important part is where Hush has fundamentally changed its policy. They provided cleartext for emails which were encrypted using the Hush Encryption Engine.

Furthermore the previous question in the FAQ addresses this possibility:
"Does HushMail have a "back door" that can be accessed by government agencies?"

"No. Email, which includes attachments, sent between Hush users is completely encrypted."

This statement is no longer true. HushMail has admitted to and appears to stand by the policy of creating and running a "backdoor which can be accessed by government agencies". Additionally they state that there is a possibility that their Hush Encryption Engine Java applet could be compromised at the request of a government. This is no longer "search and seizure" but active accomplice. Hush had to compromise their own systems to provide a method to obtain the cleartext. Code had to be written, tested and executed; that is active participation. Hush's systems were not "hacked" by an outside party, but they were "hacked" by the administrators of the system. Unfortunately, Hush's actions compromise to some extent the entire PGP system.

IMHO, their current actions are in complete contrast to not only their founding statements, but also to the spirit and tone of the entire open source encryption philosophy which was initiated by Phillip Zimmermann. Therein lies the betrayal; their new policy indicates a failure of principle. HushMail should redesign their system so that they can legally answer subpoenas but do not put themselves into compromising positions. Give us "permission to speak freely" again.

BobSmith • December 12, 2007 11:55 PM

Great post Rearden... Didn't Phillip Zimmermann help develop and review Hushmail's code and endorse it? I wonder what he has to say about his endorsement.

Kakmonstret • January 23, 2010 1:41 PM

Hi Bruce!

First of all - I love your books!

I am a Hushmail user and I recently went with their premium service at 34.99 dollars. I am very happy with their support service. Swift and friendly answers within a couple of hours alone make it worth paying for the service.

However, there are some things I am a little concerned about. Like for instance, why does Hushmail not encrypt incoming and sent unencrypted mail when it is stored on their server? It should be a piece of cake to implement that any unencrypted inbound and outbound mail at a user account would be encrypted by the user's public key when stored at Hushmail's server, or am I missing something here? This would make it safer should Hushmail's servers be hacked, since I guess most mails that Hushmail users send and receive are in fact unencrypted.

Best regards


Torvid • March 8, 2012 12:26 AM

Although I understand that a subpoena can be used to obtain information, it sounds here like the court was ordering Hushmail to perform affirmative prospective actions, such as setting up a sort of honey trap, monitoring it, and reporting back to the government. Can a court order that to a law-abiding, only incidentally involved party?

Ade • September 16, 2014 3:06 PM

I don't see the problem.
Surely all we need is a client-side app using public/private keys that will encrypt plain text before we email it.
Then it doesn't matter if the email service provider peeks into our email box or sends it to the NSA because it's all encrypted.
And the only one who can un-encrypt it is the receiver.

So I want to send you an email, I find your public key, encode my plain text using it, send it to you etc etc; you all know how public/private key works, all the email service provider is holding is ciphertext.

I don't see why we are still having this problem.

Random Al • September 16, 2014 4:03 PM

> surely all we need is a client-side app using public/private keys that will encrypt plain text before we email it.
> Then it doesn't matter if the email service provider peeks into our email box or sends it to the NSA because it's all encrypted.
> And the only one who can un-encrypt it is the receiver.

In the scenario you describe you also have to make sure that the email is also saved in encrypted format. If you are using a browser-based interface to send your emails then your privacy tool must have some level of control of the save process. And not just at the point of hitting "Send", as some email service providers save draft copies of your emails every so many minutes.

If you can read the email text in a browser-based email system, chances are that it will exist in human-readable format also in some background DB.

Nick P • September 16, 2014 9:29 PM

And MyKolab, which I use for now. My position is to still consider the provider untrusted. To me, they're just a step up from Gmail or Yahoo as they're a centralized service with promises in a country that mandates they try to keep them. Sensitive emails should still be sent encrypted via highly assured devices if the Internet is the transmission medium.
