Tor trip report to an FBI conference (torproject.org)
156 points by onosendai on Dec 16, 2012 | 53 comments



So that settles it for recommending Hushmail for true private communications - don't use it.


Apparently you have never been to their website. They clearly state that they will fully cooperate with law enforcement on signup.

It's a mandatory checkbox on signup:

> I understand that Hushmail is not suitable for illegal activity and that the providers of Hushmail will cooperate fully with authorities pursuing evidence via valid legal channels. See our Security Page.


The corollary is that Hushmail is a shitty service. A good service for private e-mail should make it impossible for the server administrators to see what is going on. Obviously that checkbox should make any user that needs real security turn around in the door.

I've never used Hushmail, but I assumed "secure e-mail" == "none of my information touches the server in plaintext". So this comment is quite interesting.


The realities of the browser environment make it impossible to do what you describe. It's been possible with native clients for a long time, but has always been pretty cumbersome for non-geeks--I've been working on a native client solution that would be easy for non-geeks to use and provide a few different levels of security (which come with varying levels of convenience) that are all better than the "plain-text everywhere" option most people use now.

I posted a link to this yesterday and don't mean to spam, but the topic has come up a few times in the past day, so: http://parley.co


> http://parley.co

Excellent writeup. It really helps when the conversation is steered away from terms like 'amendment', 'advertisers', 'enforcement', 'criminality' and steered back to the central idea of recovering and safeguarding an intuitive and traditional idea of privacy in personal communication (postcard analogy). Lots of people, many with vested interests, insist that this isn't possible, that the genie is out of the bottle. But let's at least try, right?

In fact, PGP was a neat solution for the internet of the '90s with its quaint directory services (Bigfoot, anyone?) and dialup links. I think it had Pretty Good uptake too. So I'm very interested to see what can be done in today's environment.

(Your exchange with jmillikin looked promising too. Did it continue?)


Thanks noibl, that's very generous of you. Besides being as self-conscious as anyone might be when publishing a bit of writing, I knew that I was writing for two separately critical audiences (computer security experts and those who would tend to brush off most privacy advocates as unnecessarily alarmist) which made it considerably more daunting. You put it quite well yourself, though: let's at least try. The defeatist attitude many people take toward privacy (and I'll be the first to admit, I do it too sometimes) is at least as concerning to me as the privacy challenges themselves, but I really do believe we stand a fighting chance on both fronts.

My exchange with jmillikin didn't continue, unfortunately, but I really do want to discuss exactly what we're building with anyone who will listen--there will be more information on the website soon enough but I would love for anyone who reads this to email me any time. My email is in my profile.


Supposedly lavabit.com is (from the admin perspective) about as close to zero knowledge as it gets. Logs are kept for a minimum to diagnose abuse/performance issues, and crypto keys are strictly between the user and server. As I understand it, the only legal compromise would be a national security letter style gag order to alter the binary that interfaces the client (be it Outlook, your phone, or the web-mail host) to the back-end data store, which is stored encrypted on disk.

Security flaws are another thing entirely. I have no idea if anyone, aside from internal developers, has vetted the system for flaws that typically result in server compromises.

I was a satisfied free user some years ago, and the above was my understanding of the service after a few pointed queries to the support address.


> alter the binary that interfaces the client

Which, in case it's not clear, is exactly what Hushmail did/does.

http://themonetaryfuture.blogspot.com.au/2009/05/pgp-creator...


The main difference being that the modification was code sent to, and then executed by, the end-user's browser in the form of a Java applet.

I personally believe that Lavabit (a tiny company composed of a few dedicated folks) would rather shut down service than do something as underhanded as what Hushmail did.

In either case, the end user is relying on a proprietary system/company to fight the good fight for them, which is foolhardy if your well being is on the line. Those in need of strong privacy would probably use PGP+tor for communication anyway.


You said '(be it Outlook, your phone, or the web-mail host)'. I was just providing a relevant historical example to support your point. (Lavabit does have a webmail interface.)

FWIW, the Hushmail ex-CEO seems to strongly agree with you on both the ethics point and the need for users to take blind trust out of the security equation.

---

So I've just gone to the Lavabit site and it looks like they store your private key on the server.[1] That doesn't strike me as being more secure than Malone's idea of externally-audited client-side crypto. But then, as you say, you've arrived at PGPGPG.

The fact, then, that Zimmermann was involved with the company so early on and they still fucked it up just goes to show that faith in the efforts of 'a few dedicated folks' doesn't get you very far.

[1] http://lavabit.com/secure.html


"Security" here is used in a weird way.

Security is a design feature, not a policy.


I do not understand why they are still in the business. It seems their reputation is destroyed, yet they are still here.


For people who only care about non-government espionage.


You have to be an idiot to use any email provider for something like this without PGP-encrypting your content.


That wasn't the first time they cooperated with law enforcement.

It's one thing to be a "private communications" service and another to be a bulletproof one.


Is there a better one?


Yes, encrypt all your mails using PGP.


The problem with PGP is that while it keeps the content of your mail exchange secret, it does not protect the information that two persons exchanged emails. So if the investigators have a lead to person A that sells drugs and see that he's communicating with person B that accepts payments, they might just guess what relationship the two have.


Right, that's why you use Tor. PGP provides privacy and accountability. Tor provides anonymity.

Just remember you have to trust the security of the receiving party as well. Make sure not to reveal yourself with the contents of your emails since the other party might not be as disciplined with their tor and pgp use as you are.


Tor doesn't anonymise email :-/ If you want that, look for mixminion or mixmaster. Tor is a low latency mixnet for TCP streams (aka web browsing).


SMTP uses TCP and works over tor just fine. But you can always just use a free web mail account somewhere.


Yes, that's to fetch mail from a server. TorBirdy for instance is a plug in for Thunderbird.

But! If you want to send a message alice@domain.com to bob@otherdomain.com that is not anonymous, unless you take other measures.


Yes. There is a difference between "private" and "anonymous".

Encryption often removes anonymity by tying an identity to keys and to a web of trust.


For that use tor to access your emails and/or use tormail.org which will not be able to disclose that information.


Actually nowadays it's using an OTR client, since it adds deniability and forward secrecy. I don't know if it removes offline messaging. It's also a lot easier to use and easier to convince your friends and close ones to use it since they only need to flip a switch practically.

http://www.cypherpunks.ca/otr/


@Xylakant then you have to pull a "Petraeus" and just keep the emails unsent in the draft folder. Not sure if this is still a viable option.


People are forgetting that if you use PGP you can post it anywhere.

The Petraeus incident is sort of crazy for this reason. Here is the head of the CIA, doesn't even use PGP.

There are other mixnets such as Mixmaster and Mixminion that do what Tor does for TCP but with email. They unfortunately need many more people to run nodes.


"The Petraeus incident is sort of crazy for this reason. Here is the head of the CIA, doesn't even use PGP."

He's just a bureaucrat, hired after retiring as an Army general. I seriously doubt if he had any personal spy craft training beyond "use this secure computer and this secure phone when you're working on company business, sir. And don't talk about Fight Club."


<tinfoil hat>

The head of the CIA is aware of the methods used to extract information from suspects, and thus wants his information to be easily found if he's discovered, rather than requiring him to be extra-ordinarily renditioned and water-boarded.

</tinfoil hat>

I guess it just shows that anonymous and private communication is still really hard for most people, even though we had the work of cypherpunks trying to help.


Why would they waterboard him if he was willing to give up the keys?



TorMail


Most providers happily cooperate with law enforcement and other government agencies, in particular if they don't have to (or are forbidden to) inform their customers. In many cases, informal contacts are used or a polite official request without a court order is already sufficient.


Please note that all the discussion here about Hushmail being secure or not is only applicable to @hushmail to @hushmail communication. Securing mails to external addresses is impossible by design (without other types of key exchange/trust, e.g. PGP).


I like the idea that some agents are regularly using Tor, whilst others are asking the Tor guy if he can track Tor users...


I'm not sure quite what they're using it for, though. I suppose some sites block .gov IP ranges, but you'd think they could easily proxy via some innocuous host provided by a commercial provider.


Law enforcement have for decades been anonymous, wearing plain clothes & hiding behind false identities in efforts to catch criminals. Tor just gives them digital plain clothes. If they were going through an open HTTP proxy, that box better have a decently network facing attack surface (unlikely). Sure, it's the same deal with Tor, except you have to pwn about 2/3rd of the network (4000+ boxes) before you know about the equivalent of pwning 1 sole proxy. Keep in mind there is a good mix of software, a whole variety of kernels etc.

If you have one of the less common architectures around, consider running a Tor node on it :-) Then we get a mix against random machine-code backdoors too.


>If they were going through an open HTTP proxy, that box better have a decently network facing attack surface (unlikely). Sure, it's the same deal with Tor, except you have to pwn about 2/3rd of the network (4000+ boxes) before you know about the equivalent of pwning 1 sole proxy.

Can you go into more detail about what you are saying? I'm sure you could drop a- ADOBE, Active-X, Java, etc.- 0-day on a page and pwn said box. You can also send payloads to/from TOR; although there are limited transfer protocols you can use.

The whole point of TOR is to try to anonymize you. It's not going to save you from getting owned.


Another good reason might be because there are a ton of illegal onion sites on Tor that they are investigating.


Sure, but that is a newer feature, and Roger Dingledine has been giving these talks to law enforcement for some years (the earliest I am aware of is 2008).


I don't have the bandwidth available, but I'm willing to ship a Raspberry Pi to someone who does.

Someone should start the TorPiDo project :P


Maybe that someone is you? Join the tor-talk list and just do it :-)


They're not using it to evade website blocks, they're using it to anonymize themselves and evade being identified as FBI agents.


"The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up."

We now know that entire nations' & worldwide traffic is being intercepted and logged.

One would probably see I2P as an overkill without knowing the downfalls of its predecessor. Tor was once a wonderful multi-proxy used for hiding IP addresses and bouncing off servers all over the world. At one time, it was even trusted by most governments for strong anonymity. All of that seemed to change after an article was posted in 2600 Hacker Quarterly. One author exposed how becoming an exit node for Tor allowed all the traffic on the Tor network to pass right through your machine. Becoming an exit node was the same as performing a Man-In-The-Middle attack. All one had to do was open up a packet sniffer and see all the traffic going through encrypted. Tor is still used by people trying to protect their privacy. But at the same time it has become a playground for hackers and governments monitoring what they consider suspicious. I2P has secured this problem while adding more functionality.

Proper German engineering: http://www.i2p2.de/index.html


> One author exposed how becoming an exit node for Tor allowed all the traffic on the Tor network to pass right through your machine. Becoming an exit node was the same as performing a Man-In-The-Middle attack.

This is de-contextualised scaremongering.

What the poster is referring to is that when you leave the Tor network, the connection is as it would have been before. This is by design. So if you were not using TLS, then your traffic could be read, as is the case with ALL http etc. Simple. Use SSL/TLS/SSH/ etc

Do a trace route to google. All those intermediate parties are capable of the same thing.

But if you use TLS the attack is useless.

Tor provides one property, Anonymity, and it does this incredibly well. Anonymity and Privacy are related but distinct properties. Obviously if you send traffic to a site and sign off with your name, Tor can't help you be anonymous there. Tor cannot prevent misuse & ignorance.

As for this 'MITM' attack, Tor's design is such that you do not have to trust the exit nodes for it to work.

As for the comparison with I2P, I don't know much about it, but I support any FOSS project that aims to provide new types of anonymity. As I understand it the problem with I2p at the moment is that there is 1 exit node facing the regular net. It's not entirely clear how I2P evades what you consider 'the problem with Tor' when connecting with the regular net.

EDIT: Yep, did a bit of research and i2p is subject to the same sort of "attack" you describe "Like Tor, I2P does not magically encrypt the Internet. You are vulnerable to snooping by the outproxy operators." http://www.i2p2.de/faq.html#outproxy


Great explanation, just want to add that when you use Tor hidden services to communicate (i.e. no exit node involved or needed), everything is end-to-end encrypted and the MITM attack scenario doesn't apply. Hidden services are also not vulnerable to:

> "The Tor design doesn't try to protect against an attacker who can see or measure both traffic going into the Tor network and also traffic coming out of the Tor network. That's because if you can see both flows, some simple statistics let you decide whether they match up."

because all traffic is within the Tor network.


The host part is the transport layer-dependent permanent hidden service ID. For Tor, which is the primary transport layer supported by cables communication, it is a 16-character Base32 representation of a half of Tor's hidden service RSA-1024 public key fingerprint (an 80-bit part of SHA-1 cryptographic hash), with an .onion domain suffix. For I2P, it is a 52-character Base32 encoding of eepSite's ElGamal-2048 public key SHA-256 fingerprint, with a .b32.i2p suffix.

In this way, message security (inability of the attacker to reveal the message contents) is independent of the transport layer security (inability of the attacker to reveal the contents of network traffic and the location of correspondents). This is important because, at present, Tor appears to disallow “too much” security by design:

- RSA-1024 is universally used as a public key cipher (identity, onion, connection, and private keys, and likely for SSLv3 connections as well; although long-term directory authority identity keys are RSA-3072). This RSA key size is likely inadequate against a resourceful adversary such as the NSA/CSS. RSA-1024 provides only ~80 bits of security (see NIST SP 800-57 Part 1, §5.6.1).

- AES-128 is used as a stream cipher, although this key size is not allowed for highly sensitive data protection in the government of USA (see CNSS Policy №15 FS №1).

- SHA-1 80-MSB are used as the hidden service ID, offering at most 80 bits of security against hidden service impersonation. The security might be weaker than even that, since an MSB section of a cryptographic hash does not automatically inherit the second-preimage attack resistance properties of the original hash.

http://dee.su/cables-security
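Added example (not part of the thread or of the quoted cables document): a Python sketch of the host-ID derivation the quote describes, plus the check a client can make that a claimed .onion name really belongs to a given public key. `SAMPLE_KEY_DER` and `OTHER_KEY_DER` are constructed stand-ins for DER-encoded keys, not real keys, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Shape of the IDs described in the quote: 16 Base32 chars (80 bits) for Tor,
# 52 Base32 chars (SHA-256 output) for I2P.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")
I2P_B32_RE = re.compile(r"^[a-z2-7]{52}\.b32\.i2p$")

# Constructed placeholder bytes standing in for DER-encoded public keys.
SAMPLE_KEY_DER = bytes(range(140))
OTHER_KEY_DER = bytes(range(1, 141))


def b32_lower(data: bytes) -> str:
    """Base32-encode, drop '=' padding, lowercase (the form used in hostnames)."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def onion_host_id(pubkey_der: bytes) -> str:
    """First 80 bits (10 bytes) of SHA-1 over the key, Base32-encoded."""
    digest = hashlib.sha1(pubkey_der).digest()
    return b32_lower(digest[:10]) + ".onion"


def i2p_host_id(pubkey_bytes: bytes) -> str:
    """Full SHA-256 fingerprint, Base32-encoded, as the quoted text describes it."""
    return b32_lower(hashlib.sha256(pubkey_bytes).digest()) + ".b32.i2p"


def matches_key(host: str, pubkey_der: bytes) -> bool:
    """True only if `host` is a well-formed 16-char .onion ID derived from this key."""
    host = host.strip().lower().rstrip(".")
    if not ONION_V2_RE.match(host):
        return False  # reject malformed or wrong-length IDs before comparing
    return hmac.compare_digest(host, onion_host_id(pubkey_der))


if __name__ == "__main__":
    onion = onion_host_id(SAMPLE_KEY_DER)
    print(onion, "->", 5 * 16, "bits bind this name to the key")
    print(i2p_host_id(SAMPLE_KEY_DER))
    print("same key:", matches_key(onion, SAMPLE_KEY_DER))
    print("other key:", matches_key(onion, OTHER_KEY_DER))
```

The name is self-authenticating only up to the 80 bits it carries, which is the limit the third bullet in the quote points at.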


For the claim that NSA/CSS can break RSA 1024, it should be mentioned that the highest publicly known break of an RSA key is to an RSA 768, and above that, cash prizes have been given up to $175 000, with $75 000 at the RSA 896 point.

So if someone thinks they can put together an FPGA or graphics card system for less than $175 000, and that the system then will break RSA 1024, you can earn some "easy" money.

Anyway, the real question about the actual security concerning key-size is, how secure is recorded traffic. If the only protection here is the AES-128, then that is the thing to be concerned about.


To the less-proficient ones: Please note that here he is comparing Tor hidden services and i2p eepSites, where both the client and the server use Tor/i2p. In this case all your communication is "magically" encrypted, in a more strong fashion by i2p (this is the tl;dr).

However, when communicating with the regular web none of this applies, and Tor will probably offer better protection as i2p is not by design built to communicate with the outside net.


If you're interested, Tor is looking at a Cipher suite upgrade. There are obviously compatibility issues when you are rolling out to a network that has 500,000+ daily users. If you look around the Tor proposals you should be able to find it https://gitweb.torproject.org/torspec.git?a=tree;hb=HEAD;f=p...


Can someone paste the content of this article elsewhere? *.torproject.org is blocked as proxy avoidance where I work.


The post:

In October I attended an FBI conference, as part of my work to try to keep Tor on good relations with law enforcement. My first goal is to remind them of all the good uses of Tor, so if they ever find themselves lobbying to outlaw anonymity online, they'll understand what they're giving up. The second goal is to make sure they understand what Tor is and how it works, so if they encounter it in their investigations they'll hassle our exit relay operators less. (Here's a great way that one FBI person explained it to me: "I've got 10 leads, and 48 hours before this case doesn't matter anymore. If you can help me understand which leads not to follow, I can do my job better.") My third goal is to help them be able to use Tor correctly for their own jobs — remember that diversity of users is part of what makes Tor safe for everybody to use.

Overall, we've been doing a pretty good job at teaching US-based law enforcement about Tor. At the end of the conference, one of the FBI agents took me aside and asked "surely you have some sort of way of tracking your users?" When I pointed at various of his FBI colleagues in the room who had told me they use Tor every day for their work, and asked if he'd be comfortable if we had a way of tracing them, I think he got it.

I met a nice man from the DEA who worked on the "Farmer's Market" bust. This was in the news a lot back in April, where apparently some people were selling drugs online, and using a Tor hidden service for their website. At the time I thought the news stories could be summarized simply as "idiot drug sellers accept paypal payments, get busted." It turns out they were pretty smart about how to accept paypal payments — they just had random Americans receive the paypal payments, take a cut, and then turn them into a Panama-based digital currency, and the Panama company didn't want to help trace where the money went. The better summary for the news stories should actually have been "idiot drug sellers use hushmail, get busted." Way before they switched to a Tor hidden service, the two main people used Hushmail to communicate. After a subpoena (and apparently a lot of patience since Canada still isn't quite the same as the US), Hushmail rolled over and gave up copies of all the emails. Many more details here: http://www.scribd.com/doc/89690597/Willemsindictment-Filed-0...

I should still note that Tor doesn't introduce any magic new silver bullet that causes criminals to be uncatchable when before they weren't. The Farmer's Market people ran their webserver in some other foreign country before they switched to a Tor hidden service, and just the fact that the country didn't want to cooperate in busting them was enough to make that a dead end. Jurisdictional arbitrage is alive and well in the world.


Great read, I used to use Tor but did not know it was used in this way. Pretty epic.



