Feeds

Hushmail swats code backdoor rumors

Safe as (straw) houses

Build a business case: developing custom apps

Web-based encrypted email service Hushmail has refuted rumours it stopped using software based on the source code published on its website.

Within the zip archive containing the Hush Encryption Engine is a Java executable (.jar) file called HushEncryptionEngine. But this isn't the same file found on Hushmail's mail servers, a poster to Cryptome pointed out over the weekend.

The behaviour raised concerns that Hushmail may no longer be safe to use until Brian Smith of Hush Communications stepped in to say that the wrong files were being compared. Rather than the Java executable, comparisons should be made between the applet in the source code and the applet running on Hushmail's servers. The other file contains debug information, so it does not match the file running on the website, he explained.

Although an innocent explanation for the apparent discrepancy was quickly found, it does illustrate lingering concerns about the absolute reliability of the service. For years Hushmail was considered a safe, reliable and straightforward way to send encrypted, confidential messages. But the revelation last year that Hush Communications, the Vancouver-based firm that runs Hushmail, was forced to hand over 12 CDs of decrypted data to US drug trafficking investigators has shaken this faith.

Hush Communications maintains that it only acted in response to a court order and it might be obliged to hand over clear data again, even if this meant sending a targeted user a poisoned Java applet or other such trickery. Users who needed more security ought to use the desktop version of packages such as PGP.

A section on the limitations of the service goes on to explain that viral infection on a user's PC can also compromise a user's Hushmail account. ®

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.