Hushmail

Last updated
Hushmail
Type of site
Webmail
HeadquartersVancouver, British Columbia, Canada
OwnerHush Communications Ltd
Created byCliff Baltzley
URL Hushmail.com
CommercialYes
RegistrationRequired
Launched1999
Current statusOnline
Content license
Proprietary

Hushmail is an encrypted proprietary web-based email service offering PGP-encrypted e-mail and vanity domain service. Hushmail uses OpenPGP standards. If public encryption keys are available to both recipient and sender (either both are Hushmail users or have uploaded PGP keys to the Hush keyserver), Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password (with a password hint) and stored for pickup by the recipient, or the message can be sent in cleartext. In July 2016, the company launched an iOS app that offers end-to-end encryption and full integration with the webmail settings. The company is located in Vancouver, British Columbia, Canada. [1] [2]

Contents

History

Hushmail was founded by Cliff Baltzley in 1999 after he left Ultimate Privacy.

Accounts

Individuals

There is one type of paid account, Hushmail for Personal Use, which provides 10GB of storage, as well as IMAP and POP3 service. [3]

Businesses

The standard business account provides the same features as the paid individual account, plus other features like vanity domain, email forwarding, catch-all email, user admin, archive, and Business Associate Agreements for healthcare plans. Features like secure forms and electronic signatures are available in specific plans. [4] [5] [6]

Additional security features include hidden IP addresses in e-mail headers, two-step verification [7] and HIPAA-compliant encryption. [8]

Instant messaging

An instant messaging service, Hush Messenger, was offered until July 1, 2011. [9]

Compromises to email privacy

Hushmail received favorable reviews in the press. [10] [11] It was believed that possible threats, such as demands from the legal system to reveal the content of traffic through the system, were not imminent in Canada unlike the United States and that if data were to be handed over, encrypted messages would be available only in encrypted form.

Developments in November 2007 led to doubts amongst security-conscious users about Hushmail's security specifically, concern over a backdoor. The issue originated with the non-Java version of the Hush system. It performed the encrypt/decrypt steps on Hush's servers, and then used SSL to transmit the data to the user. The data is available as cleartext during this small window of time, with the passphrase being capturable at this point, facilitating the decryption of all stored messages and future messages using this passphrase. Hushmail stated that the Java version is also vulnerable, in that they may be compelled to deliver a compromised Java applet to a user. [12] [13]

Hushmail supplied cleartext copies of private email messages associated with several addresses at the request of law enforcement agencies under a Mutual Legal Assistance Treaty with the United States: [12] e.g. in the case of United States v. Stumbo . [12] [13] [14] In addition, the contents of emails between Hushmail addresses were analyzed, and 12 CDs were supplied to U.S. authorities. Hushmail privacy policy states that it logs IP addresses in order "to analyze market trends, gather broad demographic information, and prevent abuse of our services." [15]

Hush Communications, the company that provides Hushmail, states that it will not release any user data without a court order from the Supreme Court of British Columbia, Canada and that other countries seeking access to user data must apply to the government of Canada via an applicable Mutual Legal Assistance Treaty. [13] Hushmail states, "...that means that there is no guarantee that we will not be compelled, under a court order issued by the Supreme Court of British Columbia, Canada, to treat a user named in a court order differently, and compromise that user's privacy" and "[...]if a court order has been issued by the Supreme Court of British Columbia compelling us to reveal the content of your encrypted email, the "attacker" could be Hush Communications, the actual service provider." [16]

See also

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

S/MIME is a standard for public-key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFC 8551. It was originally developed by RSA Data Security, and the original specification used the IETF MIME specification with the de facto industry standard PKCS #7 secure message format. Change control to S/MIME has since been vested in the IETF, and the specification is now layered on Cryptographic Message Syntax (CMS), an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them. Since it is built on CMS, MIME can also hold an advanced digital signature.

End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one else, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse. End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true sender and recipient(s). The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. Because no third parties can decipher the data being communicated or stored, for example, companies that provide end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.

Email privacy is a broad topic dealing with issues of unauthorized access to, and inspection of, electronic mail, or unauthorized tracking when a user reads an email. This unauthorized access can happen while an email is in transit, as well as when it is stored on email servers or on a user's computer, or when the user reads the message. In countries with a constitutional guarantee of the secrecy of correspondence, whether email can be equated with letters—therefore having legal protection from all forms of eavesdropping—is disputed because of the very nature of email.

<span class="mw-page-title-main">Roundcube</span> Open-source web-based IMAP email client

Roundcube is a web-based IMAP email client. Roundcube's most prominent feature is the pervasive use of Ajax technology. Roundcube is free and open-source software subject to the terms of the GNU General Public License (GPL-3.0-or-later), with exceptions for skins and plugins.

The following tables compare general and technical information for a number of notable webmail providers who offer a web interface in English.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

Secure messaging is a server-based approach to protect sensitive data when sent beyond the corporate borders, and it provides compliance with industry regulations such as HIPAA, GLBA and SOX. Advantages over classical secure e-mail are that confidential and authenticated exchanges can be started immediately by any internet user worldwide since there is no requirement to install any software nor to obtain or to distribute cryptographic keys beforehand. Secure messages provide non-repudiation as the recipients are personally identified and transactions are logged by the secure email platform.

Invisible mail, also referred to as iMail, i-mail or Bote mail, is a method of exchanging digital messages from an author to one or more recipients in a secure and untraceable way. It is an open protocol and its java implementation (I2P-Bote) is free and open-source software, licensed under the GPLv3.

<span class="mw-page-title-main">Mailpile</span>

Mailpile is a free and open-source email client with the main focus of privacy and usability. It is a webmail client, albeit one run from the user's computer, as a downloaded program launched as a local website.

<span class="mw-page-title-main">Proton Mail</span> End-to-end encrypted email service

Proton Mail is a Swiss end-to-end encrypted email service founded in 2013 headquartered in Plan-les-Ouates, Switzerland. It uses client-side encryption to protect email content and user data before they are sent to Proton Mail servers, unlike other common email providers such as Gmail and Outlook.com. The service can be accessed through a webmail client, the Tor network, Windows, macOS and Linux (beta) desktop apps and iOS and Android apps.

<span class="mw-page-title-main">Threema</span> Instant messaging smartphone service

Threema is a paid cross-platform encrypted instant messaging app developed by Threema GmbH in Switzerland and launched in 2012. The service operates on a decentralized architecture and offers end-to-end encryption. Users can make voice and video calls, send photos, files, and voice notes, share locations, and make groups. Unlike many other popular secure messaging apps, Threema does not require phone numbers or email addresses for registration, only a one-time purchase that can be paid via an app store or anonymously with Bitcoin or cash.

<span class="mw-page-title-main">Mailvelope</span> Browser extension for OpenPGP encryption with webmail services

Mailvelope is free software for end-to-end encryption of email traffic inside of a web browser that integrates itself into existing webmail applications. It can be used to encrypt and sign electronic messages, including attached files, without the use of a separate, native email client using the OpenPGP standard.

<span class="mw-page-title-main">Mailfence</span> Encrypted email service

Mailfence is secure encrypted email service that offers OpenPGP based end-to-end encryption and digital signatures. It was launched in November 2013 by Belgium-based company ContactOffice Group that has been operating an online collaboration suite since 1999.

Autocrypt is a cryptographic protocol for email clients aiming to simplify key exchange and enabling encryption. Version 1.0 of the Autocrypt specification was released in December 2017 and makes no attempt to protect against MITM attacks. It is implemented on top of OpenPGP replacing its complex key management by fully automated exchange of cryptographic keys between peers.

<span class="mw-page-title-main">EFAIL</span> Email security vulnerability

Efail, also written EFAIL, is a security hole in email systems with which content can be transmitted in encrypted form. This gap allows attackers to access the decrypted content of an email if it contains active content like HTML or JavaScript, or if loading of external content has been enabled in the client. Affected email clients include Gmail, Apple Mail, and Microsoft Outlook.

In cryptography, a padded uniform random blob or PURB is a discipline for encrypted data formats designed to minimize unintended information leakage either from its encryption format metadata or from its total length.

<span class="mw-page-title-main">Skiff (email service)</span> Email service and collaboration suite

Skiff is an email service startup company and collaboration tool, that provides privacy-friendly end-to-end encrypted Email and Cloud services. The company's commercial strategy is focused in offering to its clients a Source-Available or Open-Source, transparent and audited Email, Calendar, and Cloud Storage services without trackers or advertisements.

mailbox.org Encrypted email and web service provider in Germany

mailbox.org is an encrypted email service provider based in Germany. The encryption system uses PGP like most other encrypted email providers. It also features address books, calendars, video conferencing, online office and tasks management. It competes against Microsoft 365 and Google Workspace as a German based provider. Its target customers include private, business, school and public authorities.

References

  1. Geist, Michael (2007-11-27). "Private E-mail Not Hush Hush". The Tyee. Archived from the original on 2020-01-02. Retrieved 2019-11-27.
  2. Sutherland, Richard (17 November 2020). "Hushmail secure email review". TechRadar. Retrieved 2023-08-31.
  3. "Hushmail for Personal Use". www.hushmail.com. Retrieved 2024-08-29.
  4. "Hushmail for Healthcare". www.hushmail.com. Retrieved 2024-08-29.
  5. "Hushmail for Small Business". www.hushmail.com. Retrieved 2024-08-29.
  6. "Hushmail for Law". www.hushmail.com. Retrieved 2024-08-29.
  7. "– Two-Step Verification". Archived from the original on 2014-06-25. Retrieved 2014-06-11.
  8. "Hushmail for Healthcare - HIPAA Compliant Encrypted Email, Web Forms & E-Signatures". hushmail.com. Retrieved 21 July 2022.
  9. "Hushmail closes IM service". Archived from the original on 2013-10-27. Retrieved 2012-07-20.
  10. "Alternative Web Mail Review – Hushmail Premium, PC Magazine". Archived from the original on 2009-04-14. Retrieved 2017-08-31.
  11. E-Mail Encryption Rare in Everyday Use: NPR
  12. 1 2 3 Encrypted E-Mail Company Hushmail Spills to Feds |Threat Level via Wired.com
  13. 1 2 3 Hushmail Privacy via Wired.com Archived 2007-11-10 at the Wayback Machine
  14. bakersfield.com Archived 2008-07-24 at the Wayback Machine
  15. "Hushmail.com Privacy Policy". Hushmail.com. Archived from the original on 2001-02-15.
  16. Hushmail – Free Email with Privacy – About Archived 2007-11-22 at the Wayback Machine