Hushmail is a email provider based in Canada.
Owned by Hush Communications, a United States corporation.

OpenPGP supported server-side.
Encryption keys are stored on servers.
Ability to intercept passphrase and decrypt messages.
Source: https://www.hushmail.com/public/downloads/Hushmail-Authentication%20and%20Encryption.pdf

Decrypted messages sent to United States: https://wikipedia.org/wiki/Hushmail

Consider email clients such as Thunderbird: https://mastodon.online/@blueghost/111891560151967986

Website: https://www.hushmail.com

#Hushmail #Encryption #Privacy #CyberSecurity #InfoSec #Thunderbird

#skiff #skiffprivacy
Interesting #Privacy #Anonymity browser based #E2E #Encrypted email from https://skiff.com with a Calendar & (non anonymous) distributed Drive & 2FA .
No .onion service but does not block #torproject

#Brave Tor browser handles the javascipt / css a bit better than #TorBrowser

No need for phone number or recovery email - if using the backup code (copy & paste or download .pdf)

OPSEC Includes Scheduled Send feature lacking in e.g. #ProtonMail, or #hushmail

@kaip If that rumor is true, perhaps we can say that #Protonmail has finally caught up with #Hushmail’s capability a decade ago.

@Mayana @storydragon I think those #Hushmail front-ends died off so there is only hushmail.com now -- correct me if I’m wrong. #askFedi

@kev @joel @Wivik Consider the problem that #hushmail solved: an expert user needs to share a secret w/a novice user who has minimal motivation to secure their comms. The novice can’t handle the key exchange. An expert user can put their pubkey on HM’s keyring & also fetch the pubkey of the novice user w/no effort or expertise on the part of the novice, who may even be unaware of the crypto.

Roughly 10 years ago I was able to communicate w/normies, thanks to #Hushmail. Then HM started charging & worse, they discontinued public access to their keyring. Ever since then comms options have worsened. #Protonmail, #Tutanota, #Signal, #Wire, #XMPP… these are all shit options for expert-to-normie comms. Hushmail 10 yrs ago was the peak best moment for experts to talk to normies.

@pj @dsfgs A classic real world case was a couple steroid dealers who were using #Hushmail. A court ordered HM to push malicious JS to the steroid dealers. They didn't push that JS to everyone, just the targets, which lead to comms interception & arrest. Although that involved 1st party JS, it's the same thing if a third party were to audit HM JS. It would pass the audit yet burn the dealers.

I used to force my friends & other correspondants to use #Hushmail. Then it became non-gratis & HM shit-canned the key management tool. Then I forced ppl to use #Protonmail which has always been shit (for different reasons at different times). Then I forced ppl to use #Wire, which has turned into a massive pile of shit. Now I’m about to force ppl to reach me on #Snikket.

@dianoetic @kzimmermann #Hushmail solved the key exchange problem.. it's a shame #Protonmail is a regression in that regard, so novice users are tasked with handling pubkeys of their expert correspondants.

@dianoetic @kzimmermann #Protonmail has the same vulnerability to subpoena power that #Hushmail has: the server can push malicious javascript that grabs whatever the server admin wants, including but not limited to the private key. There is a defense that's possibly in reach for normies-- running #ElectronMail over Tor, which uses static (potentially reviewed) javascript that's anonymously downloadable.

@jpaul it depends on the scenario. The best move for expert users doesn't change, which is to use an ESP like danwin or onionmail w/a PGP-capable MUA like mutt or Thunderbird. For novice users it's non-trivial, but generally #tutanota, #hushmail, or #countermail.

@nanook @jsparknz @aral @hypolite Mass surveillance would require #Hushmail to push malicious #javascript to everyone, which would work right up until just one user decides to audit the js code one time. I'd say that's unlikely. Targeting is a risk, so HM is not useful if your threat model includes targeted surveillance.

@hypolite @jsparknz @aral #Hushmail came close enough to solving the social problem. A novice can open a HM acct as easily as a Yahoo acct. An external expert user can do all the key management on hushtools.com. And for me that worked. I was able to get accountants & lawyers to use crypto effectively. Novice-to-novice => HM-to-HM. BTW, the latacora.micro.blog link is dead for me.

@rysiek @wiktor so indeed there really is no reason to use #Hushmail now.. but the steroid bust is an irrelevant distraction.

@wiktor @rysiek #Hushmail has foolishly given up the one advantage it had over #Protonmail: that non-users could interact with the keyring so dumb users need not bother. Both HM & PM impose key management burdens on low-tech users now.

@rysiek
Just noticed your original post. A good option for lowtech users used to be #Hushmail since non-HM users could do all the key management. Now that HM has a cost that I usually can't impose on others, I often pimp #ElectronMail (& thus #Protonmail). It's worse than HM but it's a sad state of affairs these days. Anything else becomes too challenging for normies.

@grimmware @kensanata

Hushmail.com has burned the bridge between their own users and non-#Hushmail users. hushtools.com is now blocked by a login screen, so key management is out of our hands. The only advantage HM had over @protonmail is now gone.

Protect Your Privacy in 5 Minutes

https://gibberfish.org/2017/04/10/protect-privacy-5-minutes/

#gibberfish #privacy #eff #httpseverywhere #privacybadger #keepassx #freeotp #protonmail #hushmail #signal