|This is the talk page for discussing improvements to the Hushmail article.
This is not a forum for general discussion of the article's subject.
|WikiProject Websites / Computing|
- 1 Private keys ?
- 2 NPOV Issues
- 3 finding out who sent you a hushmail.com email
- 4 After 180 days in the U.S., email messages lose their status as a protected communication
- 5 Article states that servers located in Canada plus Ireland, USA, and Anguilla
- 6 RfC concerning the Lavabit email service
- 7 No 'free' accounts any more?
Private keys ?
The most important part is missing in the article: Where are private keys stored and how does an applet running in the browser get the private key. Please add this missing part to the article urgently! — Preceding unsigned comment added by 126.96.36.199 (talk) 15:34, 18 February 2013 (UTC)
- Sadly, there isn't an applet running in the browser any more. That option was removed for new accounts several years ago. The key is stored, in encrypted form, on their server, but both the message body and the password are decrypted on the server, if only momentarily, to re-encrypt with the recipient's key. To source this, please click on what is currently Citation  in the article, then click on the hyperlinked phrase, "technical comparison". This used to point to the actual comparison of Java vs. non-Java versions of Hush. It is still a valid link, but the security analysis to which it points says nothing at all about Java, and there are no other options. So, no more AES-256 as originally designed, and no endpoint-to-endpoint (user-to-user) full encryption.
- I have a grandfathered account that still runs the Java applet, but you can't open a new account with Java. Perhaps if I send to another old Java-enabled Hush account, it still may stay AES-256 all the way through. I don't know enough about crypto to know. If it's sent to a non-Java account, surely there are the same potential vulnerabilities, at least once it reaches their server. If you read all of their documentation, including the threat analysis, method of secruring, etc., you may find it appropriate to edit the article. However, since Java versions like mine may still be out there, the sentence regarding the potential of being forced to send a compromised Java applet under court order is still a valid statement.
- Overall, it's still probably better than conventional web mail, even those that offer SSL connections, because your stored messages remain fully encrypted on Hush's server, fairly immune from all but a court order, except when you are actually logged in. I think it likely that conventional services that offer SSL connection to the web server will still store all of your messages in plain text on their servers. So Hush is still probably better than "nothing", though a lot weaker than it used to be. Unimaginative Username (talk) 04:05, 29 April 2013 (UTC)
Please review NPOV issues re differences between these versions: http://en.wikipedia.org/w/index.php?title=Hushmail&diff=168025454&oldid=166787296. Uncompressed 21:26, 30 October 2007 (UTC)
"The Patriot Act has endangered civil liberties and we should be grateful that Canada is a sovereign state and not subject to the American (il)legal system." I removed this statement because it doesn't conform to the NPOV standards of WikiPedia. GZAdmin 15:31 UTC 04/05/06
The statement is technically incorrect, Canada is subject to the American (il)legal system because of the Mutual Legal Assistance treaty signed by Canada and the US. I share the sentiments of the author of this statement however. —Preceding unsigned comment added by 188.8.131.52 (talk) 23:12, 3 November 2007 (UTC)
finding out who sent you a hushmail.com email
No, Hushmail removes the ip address of the sender. 184.108.40.206 13:37, 17 July 2007 (UTC)
Hushmail removes the ip address of the sender from the email itself ... that doesn't mean that they cannot determine the ip address of a sender and relay that information to the american authorities. So for the average joe... he wouldn't be able to determine the ip address...but in essence the americans could. —Preceding unsigned comment added by 220.127.116.11 (talk) 23:08, 3 November 2007 (UTC)
After 180 days in the U.S., email messages lose their status as a protected communication
After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force Google to produce a copy. Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries.Nunamiut (talk) 18:05, 17 May 2009 (UTC)
Article states that servers located in Canada plus Ireland, USA, and Anguilla
I'm using the "Flag Fox" plugin and it is showing the hushmail server that I connected to as being located in UK (mailserver1.hushmail.com). That part of the article may need to be updated. Nevart (talk) —Preceding undated comment added 10:58, 9 July 2010 (UTC).
A service outage today revealed that they are a client of CloudFlare hosting. A CloudFlare banner appears at the top of the page saying that it's delivering a cached copy of the website. ( as of 1:40 am December 11, 2015 UTC) 18.104.22.168 (talk) 00:56, 11 December 2015 (UTC)
RfC concerning the Lavabit email service
There is a request for comments (RfC) that may be of interest. The RfC is at
At issue is whether we should delete or keep the following text in the Lavabit article:
- Before the Snowden incident, Lavabit had complied with previous search warrants. For example, on June 10, 2013, a search warrant was executed against Lavabit user Joey006@lavabit.com for alleged possession of child pornography.
No 'free' accounts any more?
Is it just me, or there is no 'free' 25Mb accounts available any more? I tried to register a new one recently and there is only paid 1Gb and 10Gb options given as account type. Couldn't find anything useful on their website - there are still links and terms of service for 'free' that lead to the same 'non-free' sign up page. Did I miss something? Are there any hidden restrictions on 'free' accounts or something? — 22.214.171.124 (talk) 14:16, 23 October 2013 (UTC)
- I'm pretty sure it was still available but hidden back then. But now it does appear to be completely gone. I've tagged the article with an update tag. I'd fix it, but I'm not finding any third party sources. — trlkly 07:32, 21 February 2016 (UTC)