Hushmail To Warn Users of Law Enforcement Backdoor

Hushmail To Warn Users of Law Enforcement Backdoor
Hushmail To Warn Users of Law Enforcement Backdoor 

By Ryan Singel
November 19, 2007

Hushmail, the web's leading provider of encrypted web mail, updated its 
explanation of its security model, confirming a THREAT LEVEL report that 
the company can and will eavesdrop on its users when presented with a 
court order, even if the targets uses the company's vaunted Java applet 
that does all the encryption and decryption in a browser.

As THREAT LEVEL reported earlier this month, Hushmail provided 12 CDs of 
emails in June to U.S. officials targeting steriod manufacturers. But 
Hushmail promises users that "not even a Hushmail employee with access 
to our servers can read your encrypted e-mail, since each message is 
uniquely encoded before it leaves your computer."

Hushmail responds only to court orders from the Supreme Court of British 
Columbia that target specific, named accounts, according to Hushmail's 
CTO Brian Smith. In the steriod case, the Drug Enforcement Agency used a 
mutual legal assistance treaty to get a Canadian court order, according 
to court documents.

But when the company gets a court order, "we are required to do 
everything in our power to comply with the law," according to an updated 
explanation of Hushmail's security.

That everything seems to include sending a rogue Java applet to targeted 
users that will then report the user's passphrase back to Hushmail, thus 
giving the feds access to all stored emails and any future emails sent 
or received.

The Canadian email provider offers two options for its users. One method 
works nearly identically to typical webmail, with the exception that the 
company's Encryption Engine, encrypts and decrpyts messages that go to 
or from other Hushmail users (or to people who use PGP or GPG running on 
their own computers). In that service, Hushmail's servers briefly see 
the passphrase that unlocks a user's emails, but normally does not store 

A second option sends the Encryption Engine to a user's browser as a 
Java applet. That method, where the encryption and decryption of email 
is done in the browser and the passphrase never leaves the user's 
computer, was widely presumed to be much safer than the webcentric 

But Hushmail's update of their website and a statement made to THREAT 
LEVEL by Smith make clear that Hushmail will compromise that applet when 
served with a court order.

    When one Hushmail users sends an email to another Hushmail user, the 
    body and attachments of that email are kept on our server in 
    encrypted form, and under normal circumstances, we would have no 
    access to that data. However, since Hushmail is a web-based service, 
    the software that performs the encryption either resides on or is 
    delivered by our servers. That means that there is no guarantee that 
    we will not be compelled, under a court order issued by the Supreme 
    Court of British Columbia, Canada, to treat a user named in a court 
    order differently, and compromise that user's privacy. (emphasis 

In an earlier conversation, Smith told THREAT LEVEL that using the Java 
applet would not help a person targeted by law enforcement.

    The extra security given by the Java applet is not particularly 
    relevant, in the practical sense, if an individual account is 

The site also recommends that anyone engaged in illegal behavior or 
"activity that might result in a court order issued by the Supreme Court 
of British Columbia" not rely on Hushmail to hide their activities.

As for other encrypted email solutions, Hushmail has this to say about 
GnuPG and PGP Desktop.

    PGP Desktop and GnuPG are not web-based services. They install as 
    software on your computer. Installed software is different from a 
    web-based service in that you don't rely on the owner of the website 
    to run the software correctly. You take on that responsibility 
    yourself. If used correctly, both PGP and GnuPG can provide an 
    extremely high level of security. When choosing your security 
    solution, carefully weigh the convenience and ease-of-use of 
    Hushmail against the inherent limitations of a web-based service.

Hushmail's CTO Brian Smith deserves credit for his candor and his 
continued frank responses to THREAT LEVEL. I would like to stress that 
we are not reporting that Hushmail is a scam of any sort. We are simply 
reporting that the company can and does turn over emails when given a 
court order, regardless of which Hushmail flavor a person may use -- 
something that the company did not clearly disclose to its customers.

Visit InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods