How many servers does my mail go through as it crosses the Internet?

To see the pathway of your sent email, open an MS-DOS prompt while connected to the Internet and type:

tracert computer.name[ENTER]

"computer.name" represents the part of the recipient's address that appears after the "@" symbol. A list of every machine the message is routed through will appear. Each of these machines, and every machine on the same local network as any of them, has access to the message. If a network has hundreds of machines on it, the message is that much more vulnerable to unauthorized review or storage. Ultimately, this exercise displays the number of routers involved in transporting a message from a Hush user's computer to the Hush servers.

What role does Java™ play in the Hushmail solution?

Hushmail can be used with or without Java. If you use Hushmail with Java, many sensitive encryption operations that would otherwise be performed on our server can be performed on your local computer. If Java is installed on your computer, you can use it to add an extra layer of security to Hushmail.

For a comparison of Hushmail use with and without Java, see our Help System.

What is Open PGP, and how is it involved in the Hushmail solution?

Open PGP is a protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann. The Open PGP protocol defines standard formats for encrypted messages, signatures, private keys, and certificates for exchanging public keys. Over the past decade, PGP, and later Open PGP, has become the standard for nearly all of the world's encrypted email. By becoming an IETF standard (RFC 2440), Open PGP may be implemented by any company without payment of any licensing fees. Hushmail version 2.x is Open PGP compliant. This compliance with the Open PGP standard makes Hushmail accessible to more email users than ever before, thus ensuring that it continues to be the #1 choice in secure email systems.

What is AES, and how is it involved in the Hushmail solution?

Hush uses industry standard algorithms as specified by the Open PGP standard (RFC 2440) to ensure the security, privacy and authenticity of your email. AES (Advanced Encryption Standard) is a type of 128-bit symmetric block cipher. When combined mathematically with a Hush passphrase, the AES algorithm encrypts the private keys of Hush users. This occurs before the key is stored on Hushmail's very secure key server. The only thing that can decrypt the private key is a Hush passphrase combined with the AES algorithm.
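
The passphrase-to-key step described above, shown as an added example that is not Hush's own code: the iterated and salted string-to-key (S2K) function defined by the Open PGP standard, which turns a passphrase into a 128-bit key suitable for a cipher such as AES. The salt, passphrase, coded count and the choice of SHA-1 are constructed for illustration; the page does not state which S2K parameters Hushmail uses.

```python
import hashlib

# Constructed sample inputs (not real Hushmail data).
SAMPLE_SALT = bytes.fromhex("0123456789abcdef")   # S2K salt is 8 octets
SAMPLE_PASSPHRASE = b"correct horse battery staple"


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count of RFC 2440 section 3.6.1.3."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int = 16, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets (16 = a 128-bit AES key) from a passphrase."""
    if len(salt) != 8:
        raise ValueError("Open PGP S2K salt must be exactly 8 octets")
    if not 0 <= coded_count <= 255:
        raise ValueError("coded count is a single octet")
    unit = salt + passphrase
    # The salt+passphrase is always hashed at least once in full.
    count = max(decode_count(coded_count), len(unit))
    full, rest = divmod(count, len(unit))
    key = b""
    preload = 0
    while len(key) < key_len:
        # Each extra hash context is preloaded with one more zero octet,
        # which is how the standard stretches output past one digest.
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        for _ in range(full):
            h.update(unit)
        h.update(unit[:rest])
        key += h.digest()
        preload += 1
    return key[:key_len]


if __name__ == "__main__":
    key = s2k_iterated_salted(SAMPLE_PASSPHRASE, SAMPLE_SALT, coded_count=96)
    print("derived AES-128 key:", key.hex())
```

The salt and coded count are stored in the clear next to the encrypted private key; only the passphrase is secret, so the strength of the derived key rests on the passphrase.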

How can it be proved that the encryption used by Hushmail is actually secure?

Hush is proud of its reputation for security and has had a lot of positive feedback from industry, experts and users. The Java source code for the Hush Encryption Engine is available to everyone, free of charge. Security experts and computer enthusiasts worldwide have the unrestricted ability to test the strength of the Hush cryptographic system. The source code can be reviewed and downloaded from our downloads page.

How can I be sure the website I access and the Java applet I download are really from Hushmail?

The connection to our website and the Java applet that you download if using Java are confirmed by digital signature using a certificate owned by Hush Communications. When you access our website using a URL beginning with "https://", your browser will automatically confirm this. When you download the Hush Encryption Engine Java applet when using Hushmail with Java, you will be prompted to accept a certificate from Hush Communications. Your web browser is able to confirm that only Hush Communications could have produced the digital signatures. If you get any certificate warnings when accessing Hushmail, do not continue. Someone may be attempting to intercept your communications. In addition, if you believe that someone may have tampered with your web browser, you cannot be certain that the site you are accessing is really from Hushmail.

Does Hush have access to my passphrase?

Your passphrase is not stored on the Hushmail servers. A special hashed value is stored for authentication. The original passphrase cannot be determined from that hashed value.

Your passphrase must be used to decrypt your private keys. If you are using Java, your private keys are decrypted with your passphrase inside your browser, and your passphrase is never sent to our servers. If you are not using Java, your passphrase is sent to one of our secure servers over an encrypted connection where it is used to decrypt your private key before being discarded. Your passphrase is not stored on our servers.

For more information on the differences between using Hushmail with or without Java, see our Help System.

Please note that we may be required to store a passphrase for an account specifically named in a court order issued by the Supreme Court of British Columbia. Please see our policy on court orders.

Does Hush have access to my private keys?

When your private keys are stored on the Hushmail servers, they are encrypted with your passphrase. They are only decrypted when they have to be used. If you are using Java, your private keys are decrypted and used inside your browser. If you are not using Java, your private keys are decrypted on one of our secure servers, used during your email session, and then discarded.

For more information on the differences between using Hushmail with or without Java, see our Help System.

Can the recipient of an email sent from Hush see my IP address?

No, Hushmail does not include your local IP address in outgoing email.

Does Hush log IP addresses of website visitors or account holders?

Hushmail.com does log IP addresses to analyze market trends, gather broad demographic information, and prevent abuse of our services.

I can't ping or "traceroute" to the Hushmail servers; does this mean there is a problem?

Ping and Traceroute are network diagnostic tools that enable system administrators to determine the availability and network routing to hosts across the Internet. These tools can also be used maliciously, to disrupt the normal functions of hosts and networks, and therefore are not appropriate for use on Hushmail servers. Attempts to reach the Hushmail network using ping or traceroute will fail, but this is normal and does not indicate any disruption in service.

Can Hushmail protect against keystroke recording?

Hush cannot protect the user against this kind of security threat as our system is designed to ensure secure transmission of data between computers only. If a Hushmail user's private computer has been compromised or if they are accessing their Hushmail account from the workplace where keystroke recording software is installed, their Hushmail passphrase may be accessed by a third party.

To combat keystroke recording software, we suggest you:
  • Change your Hushmail passphrase regularly
  • Choose a secure passphrase
  • Update your virus checking software regularly
  • Send sensitive communications through your private/home computer
Hushmail uses JavaScript, and I'm worried that there could be security problems with JavaScript. Is the use of JavaScript in Hushmail safe?

JavaScript is very secure if used properly. For one thing, Hushmail doesn't allow any JavaScript from external sources, such as emails, to ever be executed. Other concerns are resolved by the Same Origin Policy which is implemented by all browsers to ensure that any piece of JavaScript can only access documents that came from the same domain, and via the same protocol, as it did.