
HushMail Offers E-Mail Encryption

Free Web-based e-mail uses 1024-bit encryption between users.

The federal government and law enforcement agencies are concerned about encrypted e-mail being used for illegal activity. But haven't most of us had moments of unease about just how secure and private our online communications are?

HushMail, a new Web-based e-mail service, aims to make encrypted electronic communications much more common by offering free, secure e-mail.

Startup Hush Communications USA developed HushMail because, according to the company philosophy, "people need to speak freely." It's a Web-based system that doesn't require that an e-mail client be installed on your PC, much like Microsoft Hotmail or PC World's MyWorldMail. You can access your e-mail from any computer that has a Web browser and Internet access.

The crucial difference between HushMail and other Web-based e-mail systems is its end-to-end encryption. HushMail stores your messages on its servers and transfers them through the Internet using strong 1024-bit encryption. All of the encryption and decryption is done locally on the sender's and recipient's PCs, by using a Java applet. Messages never appear as plain text between PCs.

HushMail uses a patent-pending process called "public key cryptosystem with roaming user capability," according to company representatives. It's unlike some common utilities, such as the well-known PGP (Pretty Good Privacy), that let you encrypt e-mail messages when used with standard e-mail clients. With HushMail, you don't need to understand the esoteric details of concepts such as public and private keys. Nor does each user need an encryption utility. The only thing necessary to exchange encrypted e-mail with others is that you and they have a HushMail account.

Prepare to Hush

I tested HushMail by setting up my own account and asking several friends to do the same. Because HushMail relies on Java, you need a browser with the latest Java capabilities. HushMail works with Netscape Communicator 4.07 or later versions, as well as with Microsoft Internet Explorer 5. If you're still an IE 4 user, you'll need the latest version (which is identified as 4.72.3110 under Help/About).

HushMail has two account options: You can choose a user name or have HushMail assign you a random user name (that starts with "anon.") If you choose your own user name, you're asked to provide basic demographic information including your name, e-mail, zip code, income information, and so on. HushMail doesn't sell the information or use individual information, says Genevieve Van Cleve, HushMail's director of member services. Because HushMail is supported by advertisers, the company only "aggregates the demographic data" to give potential advertisers an idea about typical HushMail users, Van Cleve says.

The next steps, creating private and public keys, are relatively easy. First, you spend about 30 seconds randomly moving your mouse around a graphics box on the screen until a "gas gauge" fills up. Then you create a "passphrase." Although you use it like a password to log on to your HushMail account, it's tied directly to the encryption. The longer and more complex the passphrase, the more secure your messages.

This one time you don't want to use something easy for someone to figure out. Following HushMail's guidelines, I used a combination of upper- and lowercase letters, along with numbers and punctuation. Mine was 32 characters, although it can be longer (or shorter). Of course, it's also important that your passphrase not be so complex that the only way you can remember it is to write it on a Post-it note on your monitor, because that defeats its purpose.
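The sketch below is an added example, not HushMail's code, of one common way a "roaming" public-key design can tie the passphrase to the encryption. It assumes details the article does not give: that the private key is stored server-side only in wrapped form, and the use of RSA, scrypt and AES-GCM; all function names are hypothetical.

```javascript
// Added illustration, not HushMail's code. Assumed design: the private key is
// wrapped under a passphrase-derived key, and the server stores only that blob.
const crypto = require('node:crypto');

// Stretch the passphrase into a 256-bit wrapping key (scrypt is an assumption).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Signup, on the user's PC: returns the record the server would hold.
function createAccount(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048, // the article's 1024-bit size is too small today
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const wrapped = Buffer.concat([cipher.update(privateKey, 'utf8'), cipher.final()]);
  return { publicKey, salt, iv, wrapped, tag: cipher.getAuthTag() };
}

// Login, on any PC: only the correct passphrase unwraps the private key.
function unlock(record, passphrase) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, record.salt), record.iv);
  d.setAuthTag(record.tag);
  try {
    return Buffer.concat([d.update(record.wrapped), d.final()]).toString('utf8');
  } catch {
    return null; // wrong passphrase: the GCM tag check fails
  }
}

// Sender side: encrypt to the recipient's public key (RSA-OAEP by default).
// Short messages only; a real mail system would use hybrid encryption.
function encryptTo(publicKey, text) {
  return crypto.publicEncrypt(publicKey, Buffer.from(text, 'utf8'));
}

function decryptWith(privateKeyPem, ciphertext) {
  return crypto.privateDecrypt(privateKeyPem, ciphertext).toString('utf8');
}
```

In a design like this the wrapped key is only as strong as the passphrase, since anyone holding the stored record can test guesses against it offline.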

Secure Communications

After I set up my account, I traded HushMail with the friends who'd also joined. The process is transparent. Once you've logged on to HushMail using your passphrase, you can send encrypted e-mail to other HushMail users and receive encrypted e-mail from them without entering any other passwords. The only difference you'll notice--especially when you read encrypted e-mail--is a slight delay as HushMail decrypts the message.

You can also use HushMail as normal Web-based e-mail, trading messages with any user with any e-mail address. But it's important to realize that messages are encrypted only between users with HushMail accounts. If you send mail to a non-HushMail account, or cc: a message to a non-HushMail account, your security is gone.

Most HushMail features are comparable to other Web-based e-mail, such as supplying a personal address book. But the service has one glaring omission: You can't send file attachments. That function will be available "in the near future," according to a HushMail spokesperson.

If you're concerned about e-mail privacy, HushMail is a good place to set up secure communications, if your correspondents are also willing to set up HushMail accounts. And, of course, it's necessary to have some degree of trust in Hush Communications USA. The company assured me that because of the way the system is set up, it has no way of accessing encrypted messages, even if it wanted to.

And HushMail's ease of use has one potential "gotcha," too. Because the system doesn't require any extra decryption steps on the receiving side, it's crucial that you don't inadvertently send your private e-mail to the wrong HushMail user.

It's sure to be a popular concept. HushMail rolled out just a week ago, and its user base is already in five digits, with an average of 1500 new HushMail users signing up daily, according to HushMail representatives.
