ad info
   personal technology

 Headline News brief
 news quiz
 daily almanac

 video archive
 multimedia showcase
 more services

Subscribe to one of our news e-mail lists.
Enter your address:
Get a free e-mail account

 message boards

CNN Websites
 En Español
 Em Português


Networks image
 more networks

 ad info



Tack this on to Web e-mail security -- attachments


September 21, 1999
Web posted at: 1:04 p.m. EDT (1704 GMT)

In this story:

'Key management is the Holy Grail'

Many options available

What the experts sa


By Robin Lloyd
CNN Interactive Senior Writer

(CNN) -- As developers and start-ups attack the Web e-mail privacy issue, encryption products for the masses are multiplying, with a company based in Anguilla, in the West Indies, now in tests for sending secure attachments.

HushMail, a free, fully-encrypted Web-based e-mail service that gets high marks from some computer privacy specialists, has posted an alpha version of its secure document delivery service on its Web site.

The service offers SSL, or Secure Sockets Layer, security for attached documents that may be sufficient for most users -- it relies on 128-bit private keys.

"SSL is a valid security protocol," said HushMail co-founder Jon Gilliam, "though these days it's getting less and less valid because people are cracking up to 512-bit encryption."

Many e-commerce sites rely on SSL to protect online consumers from credit card fraud and identity thieves. HushMail will keep up with the times and upgrade its security for attachments if necessary, Gilliam said.

Based outside the United States, HushMail can dodge restrictions on the export of strong cryptography -- although those constraints may change soon with an announcement last week by President Clinton that he will relax those standards.

'Key management is the Holy Grail'

HushMail came on the scene four months ago with a Web-based e-mail service that provides 1024-bit key encryption for messages. Members sign in with a "passphrase" and can send encrypted messages to other HushMail addresses.

The current state of browser technology prohibits HushMail and anyone else from using highly secure end-to-end encryption for attachments, Gilliam said.

For longer-key security, users can include documents within messages rather than sending them as attachments, he said.

"Key management is the Holy Grail of this whole thing," Gilliam says. Keys, or long strings of 1s and 0s, generally are required to open encrypted messages.

HushMail's "passphrase" generates a key on the company's servers in Canada, so that users can open encrypted messages without knowing the sender's key.

Unlike some of its competitors, HushMail's code is open -- anyone who can read the stuff is free to check out their claims.

An alpha test of the attachments feature can be found at

Many options available

Recent breaches in Microsoft's free Hotmail service on the Web have piqued interest in more secure e-mail alternatives, although Microsoft says the worst breach has been closed and its commitment to security is tight.

Regardless, Hotmail's service certainly is not encrypted. For free encrypted e-mail on the Web, users must turn to HushMail or a competitor -- for instance, or Network Associates' Pretty Good Privacy., based in California, provides Web-based e-mail that allows users to scramble and lock e-mail messages they send, have them unlocked by only their intended target at the other end via a shared password and effectively shredded after they are read.

But Ziplip's encryption key is shorter - 128 bits. And PGP can be challenging to use for even seasoned computer users.

Web-based e-mail can never be entirely secure, some say, and it's safer to go with downloadable products like Montreal-based Zero-Knowledge System's beta release of its Freedom software, which provides pseudonymous Web surfing, e-mail and chatting with strong encryption.

But that product costs about $50 and provides more security than typical users want or need. These may be more useful to companies or citizens dodging repressive governments.

What the experts say

Cryptography specialists differ on which product is best, saying it depends upon a user's needs.

Bruce Schneier, author of "Applied Cryptography" and a monthly newsletter on encryption, criticizes those who point to long keys to bolster their claims of high security.

Snoopers can find ways around the keys about which some security software companies boast, he said.

"They're saying, 'We use this impressive lock on our screen door. Nobody's going to pick it.' Instead, they're going to take a rock and scissors and cut out the screen," Schneier said.

For instance, HushMail's passphrase is short enough to be hacked, Schneier said. Users generally can only remember passphrases about 30 characters long.

But few people have the time and know-how to spend two or three weeks figuring out back doors into so-called secure solutions -- on the Web and elsewhere.

"You're not choosing the best cryptography. You're choosing a product you want," he said. He recommended a PGP-based product and something with a passphrase.

Hushmail has a "lock-out" feature to block attempts to repeatedly guess passphrases.

Jim Reavis, founder of, reviews security solutions for corporations and says Schneier sets the bar a bit too high. Reavis recommends HushMail.

"I'm looking for open source, something that wasn't using JavaScript because that seems to have lots of security vulnerabilities and something that has publishable algorithms," Reavis said, also stated he'd prefer a Web-based solution.

PGP isn't Web-based and's code is closed.

"It looked like [HushMail] had those four features covered," Reavis said.
Air Force tunes in radio for e-mail link
September 20, 1999
Internet privacy issues focus of Paris summit
September 16, 1999
Status of Hotmail privacy unclear
August 30, 1999
Status of Hotmail privacy unclear
August 30, 1999
Federal agency recruits hacker teens
August 26, 1999
Anti-gay site goes back to rightful owners
August 23, 1999
Hackers, IT consultants embrace free security tool
August 13, 1999
Hacking group reveals IP-security glitch
August 13, 1999
Hacking your way to an IT career
August 13, 1999
Microsoft says "crack this!"
August 6, 1999

Network Associates
Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.

Enter keyword(s)   go    help

Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.