Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Are Secure 'Freemail` Services Secure?

By sil in Internet
Wed Dec 27, 2000 at 04:30:46 PM EST
Tags: Security (all tags)
Security

During a recent discussion with a friend about freemail based services, security leaped into the conversation in which the thought of secure based email services were more trustworthy than PGP and a personal mail server. Well here were my two cents on the issue.



Privacy and security seem to be of the upmost concern regarding sending and receiving e-mail, and the possibility of someone snooping in on whatever it is your sending should always be kept in mind. One should not have to worry about whether someone will read your e-mail no matter what is said on the message be it a simple hello to something damaging.

People have a tendency to sideswipe issues when it comes to security at times and this is a major problem surrounding security. Not being able to dissect in detail the entire situation and what is really taking place on third party networks could pose as much threat as anyone poised to intrude a network in order snoop your e-mail information.

Upon looking at services such as the one provided by Hushmail, which I will say is somewhat good on some occassions, I do have to point out some things which may fall through the cracks of the minds of those with accounts on Hushmail.

Judging by their read-me's, FAQ's and overall common knowledge of the security scene, its sort of shameful to know that there are people who think this is "it", the "secure" method of not having their info breached.

Truth of the matter is its only a step.

In order to fully use Hushmail's so called security the parties who are sending e-mail and those who are set to receive e-mail are the only benefactors to Hushmail's services. This means that anything sent from a non-Hushmail account is up for grabs and anything sent from Hushmail to a non Hushmail account is also up for grabs.

Sure they post generous information about their security and how great their services are, but I doubt the majority of its users fully understand that this does not perpetuate total security. of their e-mail.

A sample scenario would be say, two users collaborated on say killing someone or, to make this simpler, intruding into a network. We'll say USER1 has some-random-username@hushmail.com and the other violator we'll call USER2 is using another-random-username@hotmail.com, each corresponding about their activities to one another (damaging info).

Any mail sent between the two is not encrypted and I am almost sure many of the users of Hushmail think it is. Any of these e-mail from USER1 to USER2 and vice-versa does not fall in compliance with the so called "security" services offered by Hushmail at any point.

If it was USER2 who had the account another-random-user@hushmail.com then the messages would be encrypted according to all the information gathered on Hushmail's website, which falls into the category they mean when they say secure e-mail.

So for all of those thinking you've stumbled upon the next best thing to PGP... Think again.

According to Hushmail's help page:

What if my message is subpoenaed?

Hush will answer valid, court-issued subpoenas. However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version.

So what this means is anyone with a non Hushmail account who has ever sent you any damaging information, can be held liable for it, and information can be subpoenaed at any given time. I guess all those script kiddiot defacers who left their Hushmail addresses will be in for a suprise when someone comes knocking at their doors.

Very true log files do not hold much validity with the Hearsay Rule and all and besides log files can be manipulated at will, but just think of that arguement. Hushmail is a security based company so I'm sure they've done their homework and I'm sure their log records are as good as gold in a court of law so that the <a href=http://www.usdoj.gov:80/criminal/cybercrime/search_docs/sect8.htm">Hearsay Rule becomes voided.

I won't get into arguements about proxy servers and how "elite" you may think you are using proxies, if your going to do something, do it the right way.

Sigaba.com seems to offer some pretty neat features in fact it follows suit to Hushmail, except it allows you to modify a lot more options regarding the e-mail such as the time frame the recipient has to read the e-mail, etc. But again it is not fool proof.

I won't do a whole collegiate research paper on this and besides, it so far is only Windows based so it does nothing for me at this point.

Factors one should think about at any costs should be integrity and the reliability that users SHOULD NOT feel comfortable with when using these services anyhow.

Why shouldn't you? Well we're all human and you don't really know what's behind the other end of services such as these and who's to say some bored to death admin just doesn't decide to do some snooping for some reason? It could happen. Sure it wouldn't hold ground for legal action but the whole thought of trust, integrity and security just went down the drain in a situation like that.

PGP (GPG) may have issues which are minimal compared to these services and I would rather create 120 day keys until I was blue in the face knowing that the integrity on my own machines cannot be jeopardized in comparison to these so called "secure" services at any time.

Simplicity, create two keys on two separate machines sign a message to someone with both keys and their own key giving you a three tiered level of protection as opposed to some SSL based, overhyped services such as Hushmail and Sigaba. After all you are your own best friend.

sil@antioffline.com

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o Hushmail.
o Hushmail's
o Hushmail
o Hearsay Rule
o proxies
o Sigaba.com
o Sigaba
o Also by sil


Display: Sort:
Are Secure 'Freemail` Services Secure? | 8 comments (3 topical, 5 editorial, 0 hidden)
Use type II cypherpunk remailers (4.50 / 2) (#4)
by techt on Wed Dec 27, 2000 at 08:53:45 AM EST

If one requires anonymity in the sending of some messages, one should use the cypherpunk type II remailers[1]. Currently, there is the older Mixmaster version 2.0.3 remailer released Nov 27, 1995, and the newer Mixmaster version 3 preview (2.9.beta23 is the current version at the time of this posting.) Although I haven't had any problems, the newer Mixmaster is beta so use it at your own risk.

US users can obtain the older version 2.0.3 remailer software from <http://www.obscura.com/crypto.html>. I don't know where to obtain the older version from outside the USA. It used to be hosted at <ftp://utopia.hacktic.nl/pub/replay/pub/> but it doesn't appear to be there anymore. The version 3 preview releases can be obtained world-wide by ftp from <ftp://mixmaster.anonymizer.com/> (hosted in Germany.)

There is a mailing list for users of the Mixmaster software hosted by egoups.com. Most messages in this group seem primarily focused on the version 3 preview releases.

If you need to receive replies to your (pseudo)anonymous e-mails, one can get a pseudonym from the nymserver at alias.net (not truly anonymous) or, for much more security, have all replies sent to <news:alt.anonymous.messages> preferably in encrypted form. In the latter case, you'd have to have read access to that group, of course. I've never gotten a pseudonym myself since I've never needed one, but instructions to do so can be found by mailing an empty message to help at nym.alias.net with the subject of "help".

[1] Type II remailers are resistant to certain attacks on type I remailers, such as pattern/traffic analysis. See the essay "Mixmaster & Remailer Attacks".


--
Proud member of the Electronic Frontier Foundation!
Are You? http://www.eff.org/support/joineff.html
Bruce Schneier, Hushmail and this article (5.00 / 1) (#6)
by Pac on Wed Dec 27, 2000 at 10:46:08 AM EST

In 1999, Bruce Schneier wrote some lines about Hushmail and other encrypted webmail initiatives. Bruce identified three basic weak points in Hushmail, the passphrase (if it is weak then - but only then, mind you - your "bored to death admin" would be able to have some fun), the encryption applet(how to make sure it is not a Trojan and that it is really secure) and the server location (Canada, a place where "legal attacks" are more likely to occur than in some other places).

HUshmail team answered , clarifying some points and even agreeing with others. They also comment on the comparison between Hushmail and PGP.

The article here has some logical problems. You complain that two users must both use the service to have a secure email conversation and then goes on to describe a very unlikely situation where a supposedly technically savvy criminal fail to notice this fairly large "detail". This is not only unlikely, it also does not prove anything.

I also fail to see why you think PGP would be any more secure for users who can not read and/or understand Hushmail's FAQ. PGP is probably far more difficult to use and understand for the average user.

Your discussion of a legal attack on Hushmail is also based on the presumption that the there are plain text secret's jumping around.

I will not say Hushmail is " next best thing to PGP", but I certanly disagree with an article that presents fake problems to such a service. I certanly agree that they should do everything on their reach to educate and inform their users (and you even imply they do). But this efforts have a limit. Somewhere along the line you must give up trying to stop the naive user from getting hurt and give attention to the core users, who have real needs and problems to be addressed.

The alternative is to blame Phil Zimmermann everytime someone chooses his/her birthday as a PGP passphrase.


Evolution doesn't take prisoners


oh well (none / 0) (#8)
by camadas on Wed Dec 27, 2000 at 07:22:10 PM EST

I've an hushmail account, and thought you're going to say something I didn't know already. I don't think the typical hushmail user is not as dumb as the hotmail user, and has read the FAQ and knows the conditions. PGP/GPG are all a marveleous thing, but imagine your girlfriend goes abroad, and you don't know nothing about what systems, in what conditions and with what previlegies she'll be using to reach you by mail. IMHO, a web based solution through SSL, with all the right "pragma=no-cache" is perfect. Not all of us are criminal or trying to hide our identity, just sometimes we need special conditions to send messages.

Are Secure 'Freemail` Services Secure? | 8 comments (3 topical, 5 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!