MESO-Rx
Anabolic Steroids
security
- Thread starter theo
- Start date
oldtimer
New Member
theo said:
Dude forget free "encrypted" emails, it's nothing but a big lie. If you don't encrypt end-to-end, then someone's watching what you send. For example, when you use ziplip/hushmail etc., your clear-text email hits their servers, so they can actually log what you send.
If you want secure emailing, use PGP or S/MIME (i prefer the latter).
-OT
Dianabol17aa
New Member
I use ZipLip, but I am definately not an expert on this topic...Bump.
betterthanu
New Member
I mean seriously, if the feds want to look at your email you're screwed. Either they want to fuck with you or they don't.
theo said:
Hushmail is secure and fine to use. The feds did not take over elites hushmail servers. They can't. Elite's mail is a rebranded hushmail server hosted offshore. The US has no jurisdiction and therefore can't touch hushmails servers. Additionally, all information stored on hushmail servers is encrypted using your passphrase. Hushmail has no access to your passphrase and no access to whatever you store there.
But, like someone else pointed out, if they want you they'll get you. There are plenty of other ways. It's just a matter of how far they're willing to go.
mrmoo said:
End to end meaning hushmail to hushmail, or hushmail to say, keptprivate? OT can explain further, as this lies in his field, but from my limited knowledge, as long as the email stays on a particular server (KP, Ziplip, etc), then youre fine. But once you send outside your server, without using some additional encryption methods, then its like sending a yahoo email.
OT, feel free to correct me if Im totally wrong.
ThePatriot
New Member
Bump up to the top
oldtimer
New Member
mrmoo said:
I don't need to look their specs up, if you're encrypting from your machine to their servers, then you've wasted a big part of what crypto is all about (it's call non-repudiation), and yes, they can log your emails.
The way PGP works is through peer-to-peer trust (you use your peer's key to ecnrypt data), or based on rooted trust (aka trust anchors).The latter is used with S/MIME, i'm not going to dive into its details as it's a bit more complicted, but you can read more about X.509 if you want to know how it works.
In PGP and S/MIME, there's no passphrase between you and any server, it's based on public key cryptography. If hushmail told you they use passphrases, and that they don't know the passphrase, then they're lying to you. Tell me, if there was a passphrase that needs to be validated, how can that be done by the validator without knowing the passphrase?.. this is the basic problem of shared secrets (in security terms).
BTW, i met Phil Zimmermann once (inventor of PGP), and he had some interesting things to say about these so call crypto technologies..
-OT
Your kidding right? I don't even know where to start. Nonrepudiation is the ability to guarantee a message was sent from someone. This is accomplished with digital signatures. Both PGP and Hushmail have the ability to do this. Encrypting from your machine to thier servers does nothing to stop nonrepudiation. If you get a digitally signed message from a hushmail user you can mathmatically be guaranteed that it was sent from the claimed hushmail account.oldtimer said:
Yes they can log your emails. No they can't read them. They're stored encrypted.
There IS a passphrase in PGP. It's used to symetrically decrypt the private key. This prevents someone from accessing your computer and using your private key to send emails. Have you ever used PGP of GPG?
No they're not. The code is published. Go read it and find out how wrong you are.
Since your stubborn and refuse to read how it works I'll explain it to you. The users private key is encrypted via the Rijndael cipher. When a user accesses hushmail a java applet is downloaded. The java applet accepts the users passphrase and uses that passphrase to decrypt the private key. This all happens on YOUR computer. Once you send a message it's signed and handled just like PGP would handle it. In fact, it uses RFC2240, the OpenPGP standard.
They store a one way hash. It's mathmatically improbable (depending on many factors including passphrase length) to derive the original passphrase from the hash.
Then he should probably write a paper about it. I'm very aware of the latest security vulnerabilities. I have been since before Hushmail was introduced. I can't EVER remember seeing any vulnerabilities in the implementation of hushmail. A quick google search also returns nothing. Thier code is open. Many people depend on the security of hushmail. If you or Phil knows a flaw, there are thousands of security researchers around the world who would be very interested in knowing.
Your correct. Both me and OT agree on this. The argument now is whether hushmail itself is secure.Bob Smith said:
Admitedly I was a little hasty with my "end to end" comment. It was a bad choice of wording on my part. Not many people on here know about security and sometimes it's difficult to get your point across without getting too technical. When I said end to end, I mistakenly made the assumption that we were talking a hushmail to hushmail server. Understanding that an email sent from hushmail to yahoo won't be encrypted I regrettably took as a given.
I have a lot of respect for both you and OT. I've learned a lot from both of you. But, in this case, OT is completely wrong. He's giving bad advice based on his misunderstandings. Whether he's in "the field" or not.
Last edited:
oldtimer
New Member
mrmoo said:
Apparently, you misunderstood me (again). I have been invloved (first hand) in crypto designs (namely, X.509). If you want to read some of my papers, send me an email or PM me and i'll send you the links.
For this conversation, you made several mistakes mrmoo. First mistake is on how PGP works. I did say clearly in my post "if you're encrypting from your machine to their servers, then you've wasted a big part of what crypto is all about (it's called non-repudiation), and yes, they can log your emails". You tried to correct me by saying "Encrypting from your machine to thier servers does nothing to stop nonrepudiation", yes it does. If you encrypt from your machine to their servers, then your email is being cracked open, and when someone wants to receive your email a new "envelop" is created and "sealed", then it is sent to the user. Apparently, this is not what those guys are doing. They're actually giving you peer-to-peer trust since you don't encrypt to their servers, but you encrypt end-to-end (and this is where you made the mistake).
For the passphrase, this is only storage protection, the system simply wants to know if "you know" the shared secret. I had the impression that a passphrase is needed to access your account on their servers (and your keys, not the small storage they provide you on their servers). What they are offering is similar to the CSP UI thrown by Win for strong privKey storage, which is local to the system.
-OT
VDC
New Member
This whole thread is encrypted as far as I'm concerned
,,,Oh and the only true security I know of is in the One mentioned below in my signature quote,,,VDC
,,,Oh and the only true security I know of is in the One mentioned below in my signature quote,,,VDC
