Wednesday, June 12, 2013

The Problem with Hushmail

Since the recent NSA spying story broke last week, the public's interest in protecting their communications has skyrocketed. Like never before, people are checking out technologies like encrypted emails. Several articles from well known publications have recommended moving our email away from providers like Gmail and AOL and to a provider called Hushmail.

Hushmail is a web based email system similar to Gmail, Yahoo Mail, and others that boasts the feature that all of your email is heavily encrypted and that nobody but you and your recipient will be able to read it.  They even mention that the mail is encrypted using GnuPG, the open source version of PGP  That all sounds right and fantastic but Hushmail isn't telling you the whole story - or at least not right up front without digging a little deeper. Because of what I consider a critical security flaw in the way Hushmail is designed, I strongly recommend that anyone concerned with their privacy not use the service at all.

How the Technology Works

When a user signs up for a new Hushmail account, the service uses GnuPG to create a new encryption "key pair" for them.  This system is known as "public key cryptography" and consists of two complete separate keys: a public key that you can give out to everyone and allows them to encrypt email to you, and a private key that you keep to yourself and allows you to decrypt messages sent to you and sign messages for authentication purposes.

From that point on, anytime you send a message to another Hushmail user, that message is automatically encrypted to their public key and in theory can only be read by them. If you send the message to a non-Hushmail user, Hushmail generates a message encryption key and the user must either click a link with the key in it or enter a password to read the message.

Sounds pretty sound. What's wrong with it?

As I mentioned a moment ago, your private key is what allows you to decrypt messages sent to your Hushmail address. In fact, your private key is the only thing that stops someone who doesn't have your Hushmail password from reading your emails.  In ordinary encryption setups, you would be the only person to possess your private key. If someone gets a hold on that key and can break the password on it, they can read email encrypted to you and sign email as if they were you.

Hushmail breaks security by keeping both your private and your public key on their servers. That means that, at all times, Hushmail has access to your private key, can decrypt your email, and could even, in the case of a malicious system administrator or hacker, even sign email as if they were you.

This, of course, also means that your email is not completely secure. You're not the only one in charge of your key. In fact, there are situations where Hushmail can (and has) handed over users private, encrypted, email to law enforcement during criminal investigations.

Your mail is not private on Hushmail! Anyone who can get access to the system can trivially gain access to your encrypted emails.

Anyone. Not just law enforcement or the government. Anyone.

What are the options to using Hushmail?

Unfortunately, there just aren't that many encrypted email providers out there that don't operate exactly in the way Hushmail does. If you truly want to secure your emails from everyone's prying eyes, I suggest you download and learn to use GnuPG and a few associated tools. If you learn GnuPG, you can even use Hushmail in a secure way where even they can't read your emails. The trick is always handling encryption yourself and never letting your private key out of your hands.

GnuPG isn't hard to use. It does have a slight learning curve but with a little patience anyone can learn to protect themselves and not worry about anyone having the ability to spy on their emails.

Tomorrow, we'll discuss setting these tools up and basic use.   

3 comments: said...


Eric said...

Version: GnuPG v1.4.11 (GNU/Linux)


Graham Oakman said...

Here is the great application for the task.