Date: Mon, 24 May 1999 11:14:11 -0700
From: Rayees Shamsuddin <rayees@ece.orst.edu>
To: islmail@ece.orst.edu
Subject: Encrypted mail

..HushMail: free Web-based email with bulletproof encryption

  Now refugees can email in safety from Internet cafes

    Hush Communications has quietly begun beta testing a significant
    development in email privacy. HushMail [1] works like Hotmail or
    Rocketmail -- you can set up multiple free accounts and access
    them from any Web browser anywhere -- but when you email another
    HushMail user your communication is protected by unbreakable
    encryption. The crypto, implemented in a downloadable Java applet,
    was developed outside of US borders and so has no export
    limitations.

    Here are the FAQ [2] and a more technical overview [3] of the
    HushMail system.

    HushMail public and private keys are 1024 bits long, and are stored
    on a server located in Canada. All information sent between the
    HushApplet and the HushMail server is encrypted via the Blowfish
    symmetric 128-bit algorithm. The key to this symmetric pipe is
    randomly generated each session by the server and is transferred to
    the client machine over a secure SSL connection. When I posted news
    of HushMail to the Cryptography list, the moderator questioned the
    wisdom of storing keys on a remote server, and several posters (none
    from Hush) have provided the rationale. You can follow the
    discussion here [4].

    When you sign on as a new user you can choose an anonymous account
    or an identifiable one. For the latter you have to fill out a
    demographic profile, to make you more attractive (in the aggregate)
    to HushMail's advertisers. The HushApplet walks you through
    generating a public-private key-pair. The process is fun and slick
    as a smelt. You need to come up with a secure pass-phrase, and in
    this process HushMail gives only minimal guidance. You might want to
    visit Arnold Reinhold's Diceware page [5], which lays out a
    foolproof passphrase protocol utilizing a pair of dice.

    HushMail relies heavily on Java (JVM 1.1.5 or higher), so it can
    only be used with the latest browsers. For Netscape, version 4.5 or
    4.6 is best; the earliest workable version is 4.04, and some
    features don't work before 4.07. For Internet Explorer, 4.5 is
    recommended, but the latest Windows release of IE 4.0 (sub-version
    4.72.3110) works as well. Red Hat Linux version 5.2 is also tested
    and supported. Unfortunately, HushMail does not work on Macintoshes,
    due to limitations in Apple's Java implementation. (Mac users can
    crawl HushMail under Connectix Virtual PC. Note that I don't say
    "run." I've tried this interpretation-under-emulation and do not
    recommend it.) The company is trying urgently to connect with the
    right people at Apple to get this situation remedied.

    One of the limitations of this early release of HushMail is that
    encryption can only be used to and from another HushMail account. It
    is not currently possible to export your public/private key-pair, to
    set up automatic forwarding of mail sent to a HushMail account, or
    to import non-Hush public keys. I spoke with Cliff Baltzley, Hush's
    CEO and chief technical wizard. He stresses that Hush's desire and
    intention is to move toward interoperability with other players in
    the crypto world, such as PGP and S/MIME. The obstacles to doing
    so are the constraints on technical resources (read: offshore crypto
    programmers) and legal questions of intellectual property. Baltzley
    believes that HushMail's positive impact on privacy worldwide will
    be enhanced by maximizing the product's openness.

    [1]  https://www.hushmail.com/
    [2]  https://www.hushmail.com/faq.htm
    [3]  https://www.hushmail.com/tech_description.htm
    [4]  http://www.mail-archive.com/cryptography@c2.net/index.html
    [5]  http://world.std.com/~reinhold/diceware.html


