hushmail - secure email?
I know it's an old article but I just found it and would like to hear your views.
http://www.wired.com/threatlevel/200...crypted-e-mai/ Is it a case of 'much ado about nothing' or are they blatantly lying to their customers? I understand the difference between installing their java program on your computer so that your passphrase gets encrypted before travelling to their servers, and using their 'webmail' service with java disabled, but what about using it with IMAP (Thunderbird + enigmail) as I'm using it now? Are we all getting too paranoid about security or is it high time to start your own webserver?
If you use PGP or GnuPG properly, your email can only be read by the intended recipient. Make sure you don't save any copies encrypted with your own public key, or the Feds can beat the passphrase out of you to access your private key and decrypt them.
What is reported in the article is the kind of thing that will always happen when people use ill-thought-out encryption systems, and place convenience over security.
Thanks. That's what I thought about PGP. To the best of my knowledge (and tutorials I followed) I am using PGP in a correct way. Furthermore, I've never used hushmail webmail with java disabled so I hope I'm safe from the man in black.
They can beat the hell out of me - I'm not going to crack and reveal anything :) The world is not ready yet to see the contents of my emails. They contain the ultimate wisdom, dangerous knowledge and secret locations for Friday drinks.
Of course, no matter what you do, an email is a two-way (or more) communication. You can be as secure as you like, but that's to no avail if the email is obtained from another correspondent.
Seriously speaking, it is pointless when the other side doesn't support encryption.
What I mean is, even if the other side DOES support encryption, there's nothing you can do to stop them accidentally or deliberately disclosing the email they received from you or sent to you.
The usual usage of GPG to 'sign' emails is a double-edged sword in this case. If you are discussing matters you do not wish to be made public, and you do not trust the recipient (hint: can you ever?), GPG is probably not an appropriate technology. Off-the-Record encryption, for instant messaging, is on the other hand deliberately designed so that a forgery is indistinguishable from a genuine message, meaning that if the recipient discloses the message you can deny having sent it, and the message itself carries no information on authenticity - though of course a court could use other evidence to decide whether a forgery could or couldn't have happened.
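The deniability point in the post above, as an added example that is not part of the original thread: when messages are authenticated with a MAC key that both correspondents hold, the recipient can check them in-session, but a disclosed transcript proves nothing because the recipient could have produced the same tag. The function names, the sample messages and the way the key is generated are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def tag(mac_key: bytes, message: bytes) -> bytes:
    """Authenticate a message with a key that BOTH correspondents hold."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, mac: bytes) -> bool:
    """Constant-time check of a tag against a message."""
    return hmac.compare_digest(tag(mac_key, message), mac)


def demo() -> dict:
    # Assumption: a real session derives this key from a key exchange;
    # here it is simply generated so the example runs offline.
    session_key = secrets.token_bytes(32)

    # Alice sends. Bob checks the tag in-session: only he and Alice hold
    # the key and he did not write this, so he knows it came from Alice.
    genuine = b"Friday drinks: usual place, 6pm"  # constructed sample
    genuine_mac = tag(session_key, genuine)
    bob_accepts = verify(session_key, genuine, genuine_mac)

    # Later Bob fabricates a message "from Alice" with the same key.
    forged = b"Friday drinks are cancelled"  # constructed sample
    forged_mac = tag(session_key, forged)

    # A third party given the key and both transcripts sees two valid
    # tags and cannot tell which message Alice actually wrote.
    # A GPG signature differs: only the sender's private key can make
    # it, so a disclosed signed email does point back at the sender.
    return {
        "bob_accepts": bob_accepts,
        "third_party_genuine": verify(session_key, genuine, genuine_mac),
        "third_party_forged": verify(session_key, forged, forged_mac),
        # Someone without the session key still cannot forge or verify.
        "wrong_key": verify(secrets.token_bytes(32), genuine, genuine_mac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```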