Wei Dai, <[EMAIL PROTECTED]>, writes:
> Hushmail seems like a good idea, but there is (at least) one area where its
> security could be improved. (For a description of the system see
> http://www.hushmail.com/tech_description.htm.) The problem is that users
> are not given sufficient protection against a trojan horse client applet, one
> that for example sends the user's passphrase back to hushmail's server in
> the clear. Although source code for the client applet is published, the
> user has no assurance that the applet he downloaded corresponds to that
> source code.
One thing that is sometimes possible is to make a local copy of a web page.
In this case the hushmail page has the applet html as follows:
: archive="/java/1.02/HushApplet.jar"
: code="hushcode.HushApplet.class"
: height=385
: width=720
: vspace=0
: hspace=2>
: <param name=username value="anon3054">
: <param name=sessionID value="5a5256cc21cc0093">
: <param name=sessionKey value="6b54067bebb87134e1c7cb947e8136fb">
: <param name=small value=no>
: <param name=R0 value="102">
: <param name=G0 value="51">
: <param name=B0 value="204">
: <param name=R1 value="153">
: <param name=G1 value="102">
: <param name=B1 value="204">
: <param name=R value="153">
: <param name=G value="153">
: <param name=B value="153">
: <param name=keyStrokesPerAdRotation value="90">
: <param name=clicksPerAdRotation value="9">
: <param name=smallApplet value="no">
: <param name=exitpage value="https://www.hushmail.com/cgi-bin/Exit.cgi">
Maybe you could make your own local html page and download the applet
JAR file once and for all, then refer to that when you wanted to use hushmail.
Or better still, build the applet file yourself, if they supply the source. I'm not
sure if the Java rules would allow a local applet loaded by a browser to do
internet access, though.
This might be something that would be worth trying.
The bigger problem I as a user have with hushmail is that it almost never
is able to use encryption! It can only encrypt if you are sending to another
hushmail user. But at the moment there aren't very many of them so in practice
the encryption question doesn't even come up.
For me, it's just a nicer version of hotmail, which doesn't stick my IP address
in the mail headers. It's convenient to have that small extra bit of privacy.
--Hush
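Added example, not part of the original message and not Hushmail's code: one way to check a served applet JAR against a JAR built locally from the published source is to compare per-entry content hashes, since archive timestamps make whole-file hashes differ even when the classes are identical. The entry names and bytes below are constructed sample data, and a match in practice assumes the local build used the same compiler so the class files are byte-identical.

```python
import hashlib
import io
import zipfile

SKIP = ("META-INF/MANIFEST.MF",)        # build metadata, differs per build
SIG_SUFFIXES = (".SF", ".RSA", ".DSA")  # JAR signature files

def entry_digests(jar_bytes):
    """Return {entry name: SHA-256 of uncompressed content} for a JAR."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if info.is_dir() or name in SKIP:
                continue
            if name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES):
                continue
            if name in digests:  # duplicate names could mask a swapped class
                raise ValueError(f"duplicate entry in archive: {name}")
            digests[name] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests

def compare_jars(served, reference):
    """Report entries added to, removed from, or changed in the served JAR."""
    s, r = entry_digests(served), entry_digests(reference)
    return {
        "added": sorted(s.keys() - r.keys()),
        "removed": sorted(r.keys() - s.keys()),
        "changed": sorted(n for n in s.keys() & r.keys() if s[n] != r[n]),
    }

def make_jar(entries, date_time):
    """Constructed sample data: build an in-memory JAR with given timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

# Constructed stand-ins for a local build and two served copies.
CLASSES = {"hushcode/HushApplet.class": b"\xca\xfe\xba\xbe constructed class bytes",
           "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
LOCAL_BUILD = make_jar(CLASSES, (1999, 6, 1, 12, 0, 0))
SERVED_SAME = make_jar(CLASSES, (1999, 6, 9, 8, 30, 0))
SERVED_ALTERED = make_jar({**CLASSES,
                           "hushcode/HushApplet.class": b"\xca\xfe\xba\xbe altered",
                           "hushcode/Extra.class": b"\xca\xfe\xba\xbe extra"},
                          (1999, 6, 9, 8, 30, 0))

if __name__ == "__main__":
    print(compare_jars(SERVED_SAME, LOCAL_BUILD))
    print(compare_jars(SERVED_ALTERED, LOCAL_BUILD))
```

An empty report means every class and resource matches the reference; it says nothing about a JAR fetched in a later session, which is why the message suggests keeping one local copy.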