Randall A Sindlinger on 5 Jan 2009 10:57:43 -0800



Re: [PLUG] Reasonably secure email


On Mon, Jan 05, 2009 at 12:11:53PM -0500, Art Alexion wrote:
> 
> > but the emails are still encrypted;  they're just making the 
> > password accessible, if I read it correctly.  
> 
> The way I read it, Hushmail sent the targets a hacked version of the encryptor 
> that seemed to add a "backdoor key" that allowed decryption.  Whether or not 
> the Feds used the backdoor key or Hushmail used the key and delivered the 
> email to the Feds unencrypted seems of no significance.
> 

My take was based on this:
"That everything seems to include sending a rogue Java applet to targeted users 
that will then report the user's passphrase back to Hushmail"  -from 
http://www.privacydigest.com/2007/11/19/hushmail+warn+users+law+enforcement+backdoor

> 
> > Nothing the feds *couldn't* 
> > do, just hushmail is doing it for them, IMO.
> 
> Are you suggesting that the Feds could crack the PGP keys without Hushmail 
> deceiving their customer with a hacked encryptor?
> 

No, no.  I'm suggesting the Feds could set up a Man-in-the-Middle attack, or
an equally effective ruse, to deliver their own rogue version of the Hushmail
Java applet and trick the suspect into divulging their password, without any
cooperation from Hushmail.  As said in another thread, "Criminals go after
the low-hanging fruit."  Not necessarily so for the Feds :-)

> Hushmail honors the subpoena by delivering the encrypted email, and letting 
> the Feds try to do with it what they can.  Deceiving customers with a hacked 
> encryptor is well beyond their legal obligations under the subpoena.  
> 
> What complicates this one is the international aspect.  Hushmail was 
> responding to a Canadian subpoena.  I don't have a clue what a Canadian 
> subpoena requires.  The Canadian authorities issued the subpoena at the US 
> authorities' request.
> 

Precisely.  The privacydigest article suggests as much in quoting Hushmail
as saying "That means that there is no guarantee that we will not be compelled,
under a court order issued by the Supreme Court of British Columbia, Canada,
to treat a user named in a court order differently."


-Randall
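The attack discussed in this message is a substituted client (a rogue applet) delivered either by the provider or by someone in the path. The defensive counterpart is to pin the digest of the client build you have vetted and refuse to run anything else. The following is an added example, not code from this thread or from Hushmail; the applet bytes and the pinned digest are constructed stand-ins, and the function names are my own.

```python
import hashlib
import hmac

# Constructed stand-in for the bytes of a client applet the user has previously
# vetted (in practice: the real build, obtained over a known-good channel).
GENUINE_APPLET = b"class HushApplet { void encrypt(msg, key) { /* local PGP */ } }"

# Constructed stand-in for a substituted client that reports the passphrase
# back to whoever served it, the behaviour the thread describes.
ROGUE_APPLET = b"class HushApplet { void encrypt(msg, key) { report(passphrase); } }"


def pin_digest(applet_bytes: bytes) -> str:
    """Compute the SHA-256 digest to pin for a vetted client build."""
    return hashlib.sha256(applet_bytes).hexdigest()


def verify_client(applet_bytes: bytes, pinned_digest: str) -> bool:
    """Return True only if the downloaded bytes match the pinned digest.

    hmac.compare_digest keeps the comparison constant-time, so the check
    itself leaks nothing about how many leading characters matched.
    """
    actual = hashlib.sha256(applet_bytes).hexdigest()
    return hmac.compare_digest(actual, pinned_digest)


def load_client(applet_bytes: bytes, pinned_digest: str) -> bytes:
    """Gate execution on the pin.

    A substituted applet, whether pushed by the provider or injected by a
    man-in-the-middle, never reaches the interpreter: the caller gets an
    exception instead of the bytes.
    """
    if not verify_client(applet_bytes, pinned_digest):
        raise ValueError("client digest mismatch: refusing to run")
    return applet_bytes


if __name__ == "__main__":
    pin = pin_digest(GENUINE_APPLET)
    print("pinned digest:", pin)
    print("genuine build accepted:", verify_client(GENUINE_APPLET, pin))
    print("rogue build accepted:  ", verify_client(ROGUE_APPLET, pin))
```

The pin is only as trustworthy as the channel it came from: if the same provider that ships the client also publishes the digest (or signs the build with its own key), a provider-cooperated swap passes the check, which is exactly the distinction the thread draws between a compelled provider and a third party in the path. The check does catch the in-transit substitution case, and it catches a provider-side swap when the pin was recorded from an earlier, independently vetted build.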
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug