Feeds

Hushmail swats code backdoor rumors

Safe as (straw) houses

SANS - Survey on application security programs

Web-based encrypted email service Hushmail has refuted rumours it stopped using software based on the source code published on its website.

Within the zip archive containing the Hush Encryption Engine is a Java executable (.jar) file called HushEncryptionEngine. But this isn't the same file found on Hushmail's mail servers, a poster to Cryptome pointed out over the weekend.

The behaviour raised concerns that Hushmail may no longer be safe to use until Brian Smith of Hush Communications stepped in to say that the wrong files were being compared. Rather than the Java executable, comparisons should be made between the applet in the source code and the applet running on Hushmail's servers. The other file contains debug information, so it does not match the file running on the website, he explained.

Although an innocent explanation for the apparent discrepancy was quickly found, it does illustrate lingering concerns about the absolute reliability of the service. For years Hushmail was considered a safe, reliable and straightforward way to send encrypted, confidential messages. But the revelation last year that Hush Communications, the Vancouver-based firm that runs Hushmail, was forced to hand over 12 CDs of decrypted data to US drug trafficking investigators has shaken this faith.

Hush Communications maintains that it only acted in response to a court order and it might be obliged to hand over clear data again, even if this meant sending a targeted user a poisoned Java applet or other such trickery. Users who needed more security ought to use the desktop version of packages such as PGP.

A section on the limitations of the service goes on to explain that viral infection on a user's PC can also compromise a user's Hushmail account. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.