Check out They provide a web-based email service based out of Anguilla, using strong encryption. It works like this:

1) You download their little Java applet, and wiggle your mouse around to get some random numbers.

2) From the random numbers the applet generates a public and private key using 1024-bit encryption.

3) You type in a passphrase which is used to encrypt the private key.

4) The encrypted private key is stored on their server.

Now you can send and receive secure encrypted email to other Hushmail users, with all the encryption happening on your computer using their Java applet. No plaintext traverses the Net, and even Hushmail can't read your mail. The source code of their Java applets is open to anyone to look at and analyze, so with peer review it should be pretty secure. The government could still subpoena and get the IP address you log in from (if Hushmail stores it, and Anguilla cooperates), but that's about it. (A solution to that is on the way from Using Hushmail from work will shield your mail from company proxy servers and such, won't help you if they're logging keystrokes.

-- Shimrod, May 21, 1999.


You can exchange email with non-Hushmail accounts as well, you just don't get the encryption.

-- Shimrod, May 21, 1999.

Looks interesting. Supposedly your first class postal mail is not supposed to be opened without specific legal authorization (but they do it all the time, with and without "legal" authorization).

Anything to ensure electronic privacy is most welcome.

Q: What have you got to hide?
A: None of your business!

-- A, May 21, 1999.

You said

The encrypted private key is stored on their server.

Uh, shouldn't private keys be kept private?

-- Arnie Rimmer, May 21, 1999.

A better solution (in my opinion) is to use PGP to encrypt your EMail. PGP (Pretty Good Privacy) also encrypts with a 1024 bit key and is available free from MIT and your private key is stored only on your own machine. You send your public key to whoever you wish to have it.

You may use PGP with your normal EMail and if your employer makes a copy of it, so what? If you keep your private key on a floppy, his copy of your messages will be only so much garbage.

If you encrypt a message with this key, NO ONE except you and I will be able to read it (with the possible exception of the NSA, but why would they care?).

If you then route your EMail through one or more re-mailers which are out of the country, it would take a full court press by an organization with a helluva lot of clout to find out who you are.

-- Hardliner, May 21, 1999.

I like PGP too. Takes a little more effort to use, if you're using anonymous webmail.

Hushmail stores the private key only in encrypted form. The (strong) encryption is done in a Java applet on your machine, so they never see it in a form they can use. So when you log in, you download your encrypted mail and your encrypted private key. You type in your passphrase, which decrypts your private key. Then you can use the private key to read your mail. At no time does Hushmail receive information that would allow them to read your mail. This is actually better security than having an unencrypted private key on a disk somewhere. A good encryption package will encrypt the private key the same way Hushmail does, and never store it unencrypted.

I saw a PGP package the other day which does email, encrypts your hard disk, and replaces your Windows disk driver so private information never gets cached. (This is a big security hole with a lot of encryption software.) It was about 80 bucks at CompUSA, I forget just what it was called.

-- Shimrod, May 22, 1999.
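
The flow described in the post above (key pair made on the client, private key encrypted under a passphrase, only the encrypted copy held by the server), as an added example that is not Hushmail's code and not part of the original thread. It uses Node.js's built-in crypto module; scrypt, AES-256-GCM, the 2048-bit RSA key and every function name are assumptions chosen for illustration, not what the applet used.

```javascript
// Added example: passphrase-wrapping a private key on the client before upload.
const crypto = require('node:crypto');

// Stretch the passphrase into a 256-bit wrapping key (scrypt is a memory-hard KDF).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Client side: produce the only record the server is ever given.
function wrapPrivateKey(privateKeyPem, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, 'utf8'), cipher.final()]);
  return { salt: salt.toString('base64'), iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
}

// Client side at login: throws if the passphrase is wrong or the record was altered.
function unwrapPrivateKey(record, passphrase) {
  const key = deriveKey(passphrase, Buffer.from(record.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  return Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]).toString('utf8');
}

// End-to-end run with constructed sample values: sign up, receive mail, log in, read it.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const serverRecord = wrapPrivateKey(privateKey, 'constructed sample passphrase');
  const mail = crypto.publicEncrypt(publicKey, Buffer.from('hello'));
  const recovered = unwrapPrivateKey(serverRecord, 'constructed sample passphrase');
  const plaintext = crypto.privateDecrypt(recovered, mail).toString();
  let wrongRejected = false;
  try { unwrapPrivateKey(serverRecord, 'wrong guess'); } catch { wrongRejected = true; }
  return { plaintext, wrongRejected };
}

console.log(demo());
```

Anyone holding the stored record can try passphrases against it offline, so the private key is only as well protected as the passphrase and the KDF cost allow.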

Scenario 1:

Government Goon: I have a search warrant to look at all your computer files. Hey, all the email's encrypted! Where's the key?

Me: I lost it.

GG: Gee that's too bad. I'll help you find it. Here it is. Hey, that's encrypted too! What's the passphrase?

Me: I forgot.

GG: (After subpoena) You're in contempt of court. You're going to jail.

Scenario 2:

GG: Search warrant, blah blah, all looks ok, I notice though you've got Hushmail in your browser history. What's your account?

Me: (Handing over one of two accounts) Here you go.

GG: Well, pretty innocuous. Guess we had you all wrong. Why do you bother encrypting?

Me: I'm afraid of hackers.

It's not paranoia if they're really out to get ya.

-- nope, May 22, 1999.

