Feeds

Hushmail swats code backdoor rumors

Safe as (straw) houses

Build a business case: developing custom apps

Web-based encrypted email service Hushmail has refuted rumours it stopped using software based on the source code published on its website.

Within the zip archive containing the Hush Encryption Engine is a Java executable (.jar) file called HushEncryptionEngine. But this isn't the same file found on Hushmail's mail servers, a poster to Cryptome pointed out over the weekend.

The behaviour raised concerns that Hushmail may no longer be safe to use until Brian Smith of Hush Communications stepped in to say that the wrong files were being compared. Rather than the Java executable, comparisons should be made between the applet in the source code and the applet running on Hushmail's servers. The other file contains debug information, so it does not match the file running on the website, he explained.

Although an innocent explanation for the apparent discrepancy was quickly found, it does illustrate lingering concerns about the absolute reliability of the service. For years Hushmail was considered a safe, reliable and straightforward way to send encrypted, confidential messages. But the revelation last year that Hush Communications, the Vancouver-based firm that runs Hushmail, was forced to hand over 12 CDs of decrypted data to US drug trafficking investigators has shaken this faith.

Hush Communications maintains that it only acted in response to a court order and it might be obliged to hand over clear data again, even if this meant sending a targeted user a poisoned Java applet or other such trickery. Users who needed more security ought to use the desktop version of packages such as PGP.

A section on the limitations of the service goes on to explain that viral infection on a user's PC can also compromise a user's Hushmail account. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?