Hushmail seems like a good idea, but there is (at least) one area where its
security could be improved. (For a description of the system see
http://www.hushmail.com/tech_description.htm.) The problem is that users
are not given sufficient protection against a trojan horse client applet, one
that for example sends the user's passphrase back to hushmail's server in
the clear. Although source code for the client applet is published, the
user has no assurance that the applet he downloaded corresponds to that
source code. Hushmail operators or anyone who manages to hack into
hushmail's web server can replace the java applet with a trojan horse and
compromise the user's security, thus contradicting hushmail's statement:

> The idea of HushMail is that the user does not need to trust 
> anyone (except the recipient of a message) in order to be 
> assured a secure system is being used.

I suggest that the downloaded java client applet should be signed, and the
user should also be given the option of compiling the java applet himself
from source code and using it instead of downloading the applet from
hushmail. 

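One way to check that a served applet archive matches one built locally from the published source, as an added example that is not part of the original post. It compares per-entry SHA-256 digests instead of whole-file hashes, because archive timestamps differ between builds. It assumes the compiler output is reproducible; the entry names and byte contents below are constructed placeholders.

```python
import hashlib
import io
import zipfile


def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of its uncompressed content.

    META-INF/ is skipped: it holds the manifest and signature files, which
    differ between a signed download and an unsigned local build. Anything
    placed there is therefore NOT covered by this comparison.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir() or info.filename.upper().startswith("META-INF/"):
                continue
            digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests


def compare_jars(served, local):
    """Report entries that are extra, missing, or different in the served archive."""
    a, b = entry_digests(served), entry_digests(local)
    return {
        "only_in_served": sorted(a.keys() - b.keys()),
        "only_in_local": sorted(b.keys() - a.keys()),
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def matches(served, local):
    return not any(compare_jars(served, local).values())


def _make_jar(entries, date):
    """Build an in-memory archive (constructed sample input, not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date), data)
    return buf.getvalue()


# Constructed samples: same classes built at different times, then a tampered copy.
CLASSES = {"Client.class": b"\xca\xfe\xba\xbe client", "Crypto.class": b"\xca\xfe\xba\xbe crypto"}
LOCAL = _make_jar(CLASSES, (2000, 1, 1, 0, 0, 0))
SERVED_OK = _make_jar(CLASSES, (2000, 6, 1, 12, 0, 0))
SERVED_BAD = _make_jar({**CLASSES, "Client.class": b"\xca\xfe\xba\xbe altered",
                        "Extra.class": b"\xca\xfe\xba\xbe extra"}, (2000, 6, 1, 12, 0, 0))
```

A mismatch here only shows that the served archive differs from the local build; a clean result still depends on the local toolchain and the published source being trustworthy.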