Tuesday, May 26, 2009

PGP Creator Bolts to Hush

Wired magazine published this article on February 20, 2001 after Phil Zimmermann decided to move to Hush Communications as their Chief Cryptographer. Phil remains on the Hush Advisory Board and HushMail operates profitably today out of Vancouver, Canada.

For further reading:
"PGP Creator Defends Hushmail", Ryan Singel, Wired, November 19, 2007
"Hushmail To Warn Users of Law Enforcement Backdoor", Ryan Singel, Wired, November 19, 2007
"Encrypted E-Mail Company Hushmail Spills to Feds", Ryan Singel, Wired, November 7, 2007
"Correspondence Between Kevin Poulsen and Brian Smith", September 19 to November 7, 2007
"Feds use keylogger to thwart PGP, Hushmail", Declan McCullagh, CNET
"E-Mail Privacy Remains Elusive", Wired, March 11, 2001
"Hush push for secure privacy", The Guardian, March 8, 2001
"Hush targets $20 million in fundraising", The Sunday Business Post, February 25, 2001
"Hush Communications Appoints World-Renowned Cryptographer, Philip R. Zimmermann", Business Wire, February 20, 2001
"PGP creator Zimmermann joins Hush", ZDNet, February 20, 2001
"Hush on target for 2002 float", The Independent, January 23, 2001
"Hushmail backs UK anti-snooping efforts", ZDNet, November 1, 2000
"Web-Based Encrypted E-Mail", Bruce Schneier, August 1999


  1. My tenure as CEO of Hush Communications was from 2000 to 2002, during the period that the headquarters was located in Dublin, Ireland. We indeed responded to many international subpoenas during that time period, and a special division was set up to verify the authenticity of the many inbound government subpoenas. Our response was to comply with the subpoena and to turn over the contents of the inbox and the outbox, which of course were encrypted. Due to the nature of the Java applet and password hashing technique, Hush Communications did not have the ability to decrypt any data. Sustained non-compliance with subpoena orders would have led to significant legal fees and probably the end of the company's operations. Furthermore, if users had deployed Hushmail properly in the first place, our compliance was not harming any users, and this was a major factor in our decision.

    The change in policy occurred after my tenure at Hush Communications, when the company relocated its headquarters to Vancouver, Canada. The controversy revolved around compromised Java applets served to targeted users, where some Hushmail employees, with government coercion, actually cooperated to obtain the user's password. This is distinctly different from merely turning over encrypted data. Please see http://en.wikipedia.org/wiki/Hushmail

    Of course, this is hindsight, but I would NOT have allowed the company to take that additional step, because I believe that it is a direct, unwarranted intervention and it violates the end-user agreement with Hushmail's userbase. It crosses the line. I would have taken it to court and I would have made it an international media issue for privacy rights. People who know me well would agree that is my stance. Failing that, I could have also resigned in protest.

    It is important to state that Hushmail is still a valuable and safe service if utilized properly. All security is relative. Physical keyboard sniffers and ceiling cameras can be mounted in a suspect's home to obtain PGP private key passphrases. If one verifies the Hush applet against source code or better yet stores a clean version locally, the threat of a 'spoofed' applet can be eliminated.

    1. Where does one get the applet? I use Hushmail and have only been directed to login on a browser. Sometimes email on one screen, then password on the next. Sometimes both on one page, depending on how I get there. I've never, that I know of, downloaded an applet. Is that still available?

    2. The Java applet is still available for the original Hushmail. When you go to log into your account, stop at the passphrase screen and click on the link in the top left hand corner that says "Return to the original Hushmail".

      The next screen will be a different passphrase prompt. Below the prompt is a link to "Enable Java". After you click this link you will be prompted to download and run the applet.

      You should be aware, though, that recently a 0-day browser-based exploit has been discovered for Java. Therefore, you may want to wait until the exploit has been resolved by Oracle before using Java in your web browser on any web page.

      More info about the exploit can be found below.


      Best regards,

      Hushmail Support
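As an added example (not code from the original page, from Hush Communications or from the commenters), the following Python model shows the distinction drawn in the comment thread above: with client-side key derivation the record the provider stores cannot be decrypted without the user's passphrase, a spoofed client that also uploads the passphrase defeats that without changing the ciphertext at all, and a locally pinned hash of an audited client is the check that rejects the spoofed one. The cipher is a toy SHA-256 keystream standing in for whatever the real applet used, and the applet bytes, the record layout and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed model of a browser-delivered encryption client. Added
# illustration only; it is not Hushmail's applet or protocol.

ITERATIONS = 100_000


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Client-side key derivation: only the derived key, never the
    passphrase, is needed for encryption or decryption."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, ITERATIONS, dklen=32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only;
    real code would use AES-GCM or similar). XOR is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def honest_client(passphrase: bytes, message: bytes) -> dict:
    """What a correct client uploads: a salt and the ciphertext. The
    provider can hand this record to anyone, but cannot derive the key."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    return {"salt": salt, "ciphertext": keystream_xor(key, message)}


def tampered_client(passphrase: bytes, message: bytes) -> dict:
    """A spoofed client served to one targeted user: the same upload plus
    the passphrase itself. Salt and ciphertext are indistinguishable from
    the honest case, so the tampering is invisible in the stored data."""
    record = honest_client(passphrase, message)
    record["leaked_passphrase"] = passphrase
    return record


def provider_can_decrypt(record: dict) -> bool:
    """True only if the stored record lets the provider recover the key
    without the user's cooperation."""
    return "leaked_passphrase" in record


def user_decrypt(record: dict, passphrase: bytes) -> bytes:
    key = derive_key(passphrase, record["salt"])
    return keystream_xor(key, record["ciphertext"])


# --- The check a user can run: pin the client code they audited ---

# Constructed stand-ins for the bytes of a downloaded applet jar.
AUDITED_CLIENT = b"HushClient.jar v1.0 -- audited against published source"
SPOOFED_CLIENT = AUDITED_CLIENT + b"\x00"  # one byte changed is enough
PINNED_SHA256 = hashlib.sha256(AUDITED_CLIENT).hexdigest()


def client_is_pinned(client_bytes: bytes, pinned_hex: str = PINNED_SHA256) -> bool:
    """Refuse to run any client whose hash differs from the locally stored
    one. compare_digest avoids leaking the mismatch position via timing."""
    actual = hashlib.sha256(client_bytes).hexdigest()
    return hmac.compare_digest(actual, pinned_hex)


if __name__ == "__main__":
    pw, msg = b"correct horse battery staple", b"meet at noon"
    good, bad = honest_client(pw, msg), tampered_client(pw, msg)
    print("honest upload lets provider decrypt:", provider_can_decrypt(good))
    print("spoofed upload lets provider decrypt:", provider_can_decrypt(bad))
    print("user can still decrypt honest record:", user_decrypt(good, pw) == msg)
    print("audited client passes pin check:", client_is_pinned(AUDITED_CLIENT))
    print("spoofed client passes pin check:", client_is_pinned(SPOOFED_CLIENT))
```

The model assumes a passphrase strong enough that offline guessing against the stored salt and ciphertext is impractical; that is the "if utilized properly" condition in the thread, since a weak passphrase can be recovered from the record the provider already holds, no spoofed applet required. Pinning only helps if the audited copy is what actually executes, so the hash check has to run over the bytes the browser loads, not over a copy fetched separately.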

  2. Also, see this related discussion at Bitcoin Stack Exchange http://bitcoin.stackexchange.com/a/2955/916

  3. If one verifies the Hush applet against source code or better yet stores a clean version locally, the threat of a 'spoofed' applet can be eliminated.