In message <[EMAIL PROTECTED]>, "P.J. Ponder" writes:
> The Hushmail website (https://www.hushmail.com/) notes that the service
> was reviewed by security experts and it seems at first glance to have some
> interesting features. Source code for the Java is available for review,
> too.
>
> Any views on this?

Given the constraints they're operating under, I think that hushmail did
a pretty good job. The conceptual weakness is in the trust -- you're not
only trusting their software, (I think) you're trusting their PKI. That is,
when you send mail to someone, the message is being encrypted under a public
key that is certified only by hushmail. Yes, if you use any PKI you're
trusting the CA -- but in this case, you don't have a choice of CA.

There's an additional weakness in that you don't know when the code has
changed. Again, any random piece of encryption software can be buggy,
but once you have it, it's not likely to grow new bugs or new security
holes. Here, the changes are beneath the cover.

Some of these problems are addressable if one can compile the Java code
directly, and use it to contact their server. Furthermore, operating outside
the constraints of the Java sandbox would permit local storage of certificates,
etc. Has anyone tried that?

I do commend hushmail for making the source code available. From reading
it, I have one serious concern; I'd appreciate it if others could confirm
or refute this: the random number generator is not seeded well. As best
I can tell, the RNG is seeded from the time and date (both of which are known
to the recipient of any mail, of course), plus one random bit per keystroke.
If you've used a short passphrase, or if the timing is wrong, you may have
very poor random numbers. Apart from the general problems that can cause,
hushmail uses DSA -- and if you can find the random number used to sign
a particular message, you can recover the private key.

The user's private key is generated from mouse movements at sign-up time.
I'd recommend generating some more random bits that way, storing them on
the server along with the private key (all encrypted by the passphrase),
and using that as an additional seed.
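The two points above (a DSA nonce that an observer can reconstruct gives away the private key, and the fix is a better-seeded or deterministic nonce) can be checked arithmetically. The following is an added illustration, not Hushmail's applet and not code from the original post: a textbook DSA over a deliberately small group, a constructed `weak_nonce` that models "public timestamp plus a few keystroke bits" as the only seed material, the standard recovery formula `x = (s*k - H(m)) * r^-1 mod q`, and two nonce sources that do not have the problem. The group sizes, the seeding model, and the simplified HMAC-based deterministic nonce are all assumptions made for the example.

```python
"""Toy DSA: an added example (not Hushmail's code) showing why a poorly
seeded signing nonce k leaks the private key, and two safer nonce sources.
Group sizes are deliberately small (256-bit p, 128-bit q) so it runs fast."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(p_bits=256, q_bits=128):
    """Return (p, q, g): primes with q | p-1 and g of order q modulo p."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):
            p = secrets.randbits(p_bits - q_bits) * q + 1
            if p.bit_length() != p_bits or not is_probable_prime(p):
                continue
            h, g = 2, pow(2, (p - 1) // q, p)
            while g == 1:
                h, g = h + 1, pow(h + 1, (p - 1) // q, p)
            return p, q, g


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1      # private key x, public key y
    return x, pow(g, x, p)


def sign(params, x, msg, k):
    """Standard DSA signature; k is the per-message nonce supplied by the caller."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_to_int(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


def recover_private_key(q, msg, sig, k):
    """s = k^-1 (H(m) + x r) mod q, so x = (s k - H(m)) r^-1 mod q."""
    r, s = sig
    return (s * k - hash_to_int(msg, q)) * pow(r, -1, q) % q


def weak_nonce(q, timestamp, keystroke_bits):
    """Constructed model of the seeding the message describes: a public
    timestamp plus a few keystroke bits are the only inputs."""
    seed = f"{timestamp}:{keystroke_bits}".encode()
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % (q - 1) + 1


def weak_nonce_candidates(keystroke_bit_count):
    """Nonce space an observer must consider once the timestamp is known."""
    return 2 ** keystroke_bit_count


def random_nonce(q):
    """Nonce from the OS CSPRNG (the usual fix)."""
    return secrets.randbelow(q - 1) + 1


def deterministic_nonce(q, x, msg):
    """Simplified RFC 6979-style nonce: HMAC keyed by the private key over
    H(m). Needs no entropy at signing time; not the RFC's exact derivation."""
    key = x.to_bytes((q.bit_length() + 7) // 8, "big")
    tag = hmac.new(key, hashlib.sha256(msg).digest(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % (q - 1) + 1
```

Signatures made with `weak_nonce` verify exactly like any other DSA signature, which is the point: nothing in the signature itself reveals that the nonce came from a space of `2**n` values, so the defect is invisible to the recipient and only shows up when someone who knows the timestamp tries candidate nonces and applies `recover_private_key`. The `random_nonce` and `deterministic_nonce` variants remove that dependence on keystroke timing, which is the same direction as the suggestion above of storing extra mouse-derived entropy alongside the key.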