On 12/1/2016 at 7:40 PM, "Don Saklad" wrote:
> How do you let your M.D.
> know about emailselfdefense.org and gnupg.org
> so that it's easier for folks unfamiliar to set up and use than having
> to go over the too long material, the too complicated material?


Hushmail has a marketing pitch to Medical Personnel about compliance
with medical privacy laws, and allows hushmail users to send encrypted
e-mails to any email address even if the receiver does not use

The receiver gets a message that an encrypted e-mail has been sent,
and a link to a site where it is stored for only 72 hours. Upon
following the link, the receiver types in an answer to a pre-arranged
question between the doctor and the patient, and sees the plaintext,
and/or the file attachment.  The receiver is allowed only 3 tries, and
if all are wrong, the message is removed from the site.

So it's pretty simple to use (simple enough that busy doctors are
not interested in learning GnuPG :-((((( )

The doctor calls the patient, and arranges the question and answer,
and then can send files encrypted as attachments.

An MITM attack is not practical as the doctor and patient share the
secret over a different channel (phone, person to person in the
office, etc.)
It is, however, very vulnerable to a DNS attack.  The MITM can simply
access the site, enter the wrong answer 3 times, and the message is

I pointed this out to a doctor who uses this, and his response was
basically that it's "not in his threat model", (although it was much
longer in ordinary language.)

The only suggestion I would have is for a similar e-mail service that
uses GnuPG, without a backdoor for the government, which Hushmail has,
and market this to the "Patients", and have a link to an easy GnuPG
GUI tutorial, once people think that encryption can be useful and
Gnupg-users mailing list
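
A minimal model of the pickup flow described in the message above (72-hour storage, a pre-arranged answer, three tries), added here as an example; it is not Hushmail's code and not part of the original post. The class and function names, the PBKDF2 hashing of the answer and the case-insensitive comparison are assumptions. It shows the availability trade-off: removal on the third wrong answer stops guessing, but lets anyone who holds the link make the message unreadable for the intended receiver.

```python
import hashlib
import hmac
import os
import time

TTL_SECONDS = 72 * 3600   # from the post: the message is stored for only 72 hours
MAX_TRIES = 3             # from the post: the receiver is allowed only 3 tries


def _digest(answer: str, salt: bytes) -> bytes:
    # Assumption: answers are compared case-insensitively; PBKDF2 stretches them.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)


class PickupStore:
    """Toy model of the link-plus-shared-answer pickup (body kept in memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._items = {}  # link token -> record

    def deposit(self, plaintext: str, answer: str) -> str:
        token = os.urandom(16).hex()  # unguessable part of the link
        salt = os.urandom(16)
        self._items[token] = {
            "body": plaintext, "salt": salt, "check": _digest(answer, salt),
            "expires": self._clock() + TTL_SECONDS, "failures": 0,
        }
        return token

    def pickup(self, token: str, answer: str):
        """Return (status, body); status is ok, wrong, removed, expired or missing."""
        rec = self._items.get(token)
        if rec is None:
            return "missing", None
        if self._clock() >= rec["expires"]:
            del self._items[token]
            return "expired", None
        if hmac.compare_digest(_digest(answer, rec["salt"]), rec["check"]):
            return "ok", rec["body"]
        rec["failures"] += 1
        if rec["failures"] >= MAX_TRIES:
            # Removal ends guessing, but the right answer no longer helps afterwards.
            del self._items[token]
            return "removed", None
        return "wrong", None
```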
