ALSO    10 ways to avoid password headaches    Message Boards:    Hotmail    Online privacy    How do you define a hacker?    Sign up for the Computer Connection email service    For more computing stories

By Robin Lloyd
CNN Interactive Senior Writer

September 1, 1999
Web posted at: 5:13 p.m. EDT (2113 GMT)

In this story: Encrypted, 'shreddable' e-mail This headline will self-destruct in 10 seconds Pseudonyms and encryption RELATED STORIES, SITES

(CNN) -- Several computer security experts have said it more this week than ever: abandon Hotmail.

The question is for what?

Besides switching to an Internet Service Provider which could pry into your mailbox or also have a security hole like that which came to light this week with Microsoft's free Web-based service, there are a few options for those seeking e-mail security.

Shop carefully -- not every alternative is free, Web-based and therefore location independent. And some provide more security than the average user needs.

But to keep our words from making headlines or costing millions in litigation, we may have to change our concept of what an e-mail service should cost and offer.

A Silicon Valley start-up called ZipLip.com provides Web-based e-mail that allows users to scramble and lock e-mail messages they send, have them unlocked by only their intended target at the other end via a shared password and effectively shredded after they are read.

ZipLip encrypts messages during transit and at the storage point, something not offered by the leaders in free Web-based e-mail -- Hotmail, Yahoo! and Netcenter.

"Even if a hacker were to enter our Web site, it wouldn't do him much good," said Kon Leong, ZipLip.com's president. "It would take probably a supercomputer from Cray many years to hack a single message."

ZipLip.com has been available for two months and currently is used by thousands of people daily in 30 countries, Leong said. Its profile is a bit higher in California due to radio spots airing there featuring Star Trek's James (Scotty) Doohan.

The service is basically encrypted Hotmail, said Steve Chan, a ZipLip developer. "This is the way it should be done," Chan said.

Encryption is the inevitable way to go for the current killer app on the Web, Leong said, yet industry leaders are dragging their feet.

Implementing encrypted e-mail for users isn't rocket science, he said, since the level of encryption required for business and personal use needn't match the high standards of the CIA or National Security Agency.

Another e-mail encryption approach comes with London-based Global Market's 1on1 software which relies on 2,048-bit private and public key encryption to deliver e-mail messages and destroy them.

The program decrypts messages when opened and can "shred" or delete and overwrite them if you want after a set period of time so they cannot be undeleted.

The catch is that the sender and recipient must use the 1on1 software - a free version is available -- for the process to work, and it relies on users downloading software to their computers. So the product is not Web-based and therefore can only be used on computers where the software is installed.

That brings up the issue of trusting the author of that software and that is the issue that brought Hotmail down Monday -- a security hole left behind by CGI coders.

Another software solution will come in November with Zero-Knowledge Systems' encryption and server bouncing approach, also invulnerable to the security hole that brought Hotmail down Monday.

Zero-Knowledge's Freedom, which provides pseudonyms for secure Web-browsing and e-mail, is audited line-by-line by Bruce Schneier, author of Applied Cryptography, to ensure that there are no back doors left open.

The approach provides more security than ZipLip.com but probably more than the general user needs.

These e-mails could be cracked -- with a supercomputer running for years, said Zero-Knowledge's President Austin Hill.

He argues against intimate Web-based communication in general.

"The Web was never built for privacy and security," Hill said. For instance, Microsoft's recent release of its Passport product, which gives Hotmail users a single login for all Microsoft services, is a bad idea, he said.

"Anyone who broke through their security system can assume my identity and do things like change my password, see my appointments and get a list of my friends," he said.

If free is what you want, Zero-Knowledge is a close approximation. It's modestly priced at $10 a pseudonym, starting with a 5-name option at $50. The software, which must be operating on every computer where you wish to use your pseudonyms, is free. Zero-Knowledge currently is releasing beta versions for free.

Anonymizer.com is a free Web-based application that cloaks the identity of e-mail. It is not designed for massive e-mailing between friends and business partners, though.

But if you're looking for protection from nosy governments, Anonymizer.com and Zero-Knowledge's Freedom may be the ticket.