Hushmail whispers your secrets

If you thought your secrets were safe with Hushmail you were wrong:

Hushmail, a longtime provider of encrypted web-based email, markets itself by saying that “not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.”

But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company.

There are methods to communicate securely (guaranteed at the theoretical level) provided your attacker never gets physical access to your computer or someone doesn’t hand over the encryption keys. It’s just that it’s very, very inconvenient to do so. There are some intermediate difficulty of use methods which are secure as long as your attacker doesn’t have millions to spend on cracking your messages. I have been wanting to implement that for a long time but always seem to find something more important to do.

One of my main reasons for not working on the problem is that I can’t guarantee “no physical access” to my computer. So it’s just doesn’t have much point. That is probably always going to be the weak link. I don’t have any secrets on my computer or in my communication that need to be kept that secure but its sort of like owning firearms that certain people in government don’t want you to have and reading banned books. “You don’t want me to have it? Then that means I must have it.”