CNN.com
Tack this on to Web e-mail security -- attachments


September 21, 1999
Web posted at: 1:04 p.m. EDT (1704 GMT)




By Robin Lloyd
CNN Interactive Senior Writer

(CNN) -- As developers and start-ups attack the Web e-mail privacy issue, encryption products for the masses are multiplying, with a company based in Anguilla, in the West Indies, now in tests for sending secure attachments.

HushMail, a free, fully-encrypted Web-based e-mail service that gets high marks from some computer privacy specialists, has posted an alpha version of its secure document delivery service on its Web site.

The service offers SSL, or Secure Sockets Layer, security for attached documents that may be sufficient for most users -- it relies on 128-bit private keys.

"SSL is a valid security protocol," said HushMail co-founder Jon Gilliam, "though these days it's getting less and less valid because people are cracking up to 512-bit encryption."

Many e-commerce sites rely on SSL to protect online consumers from credit card fraud and identity thieves. HushMail will keep up with the times and upgrade its security for attachments if necessary, Gilliam said.

Based outside the United States, HushMail can dodge restrictions on the export of strong cryptography -- although those constraints may change soon with an announcement last week by President Clinton that he will relax those standards.

'Key management is the Holy Grail'

HushMail came on the scene four months ago with a Web-based e-mail service that provides 1024-bit key encryption for messages. Members sign in with a "passphrase" and can send encrypted messages to other HushMail addresses.

The current state of browser technology prohibits HushMail and anyone else from using highly secure end-to-end encryption for attachments, Gilliam said.

For longer-key security, users can include documents within messages rather than sending them as attachments, he said.

"Key management is the Holy Grail of this whole thing," Gilliam says. Keys, or long strings of 1s and 0s, generally are required to open encrypted messages.

HushMail's "passphrase" generates a key on the company's servers in Canada, so that users can open encrypted messages without knowing the sender's key.

Unlike some of its competitors, HushMail's code is open -- anyone who can read the stuff is free to check out their claims.

An alpha test of the attachments feature can be found at www.hushmail.com/attachments.

Many options available

Recent breaches in Microsoft's free Hotmail service on the Web have piqued interest in more secure e-mail alternatives, although Microsoft says the worst breach has been closed and its commitment to security is tight.

Regardless, Hotmail's service certainly is not encrypted. For free encrypted e-mail on the Web, users must turn to HushMail or a competitor -- for instance, ZipLip.com or Network Associates' Pretty Good Privacy.

ZipLip.com, based in California, provides Web-based e-mail that lets users scramble and lock the e-mail messages they send, have them unlocked only by the intended recipient at the other end via a shared password, and have them effectively shredded after they are read.

But ZipLip's encryption key is shorter: 128 bits. And PGP can be challenging to use even for seasoned computer users.

Web-based e-mail can never be entirely secure, some say, and it's safer to go with downloadable products like Montreal-based Zero-Knowledge Systems' beta release of its Freedom software, which provides pseudonymous Web surfing, e-mail and chatting with strong encryption.

But that product costs about $50 and provides more security than typical users want or need. Such products may be more useful to companies or citizens dodging repressive governments.

What the experts say

Cryptography specialists differ on which product is best, saying it depends upon a user's needs.

Bruce Schneier, author of "Applied Cryptography" and a monthly newsletter on encryption, criticizes those who point to long keys to bolster their claims of high security.

Snoopers can find ways around the keys about which some security software companies boast, he said.

"They're saying, 'We use this impressive lock on our screen door. Nobody's going to pick it.' Instead, they're going to take a rock and scissors and cut out the screen," Schneier said.

For instance, HushMail's passphrase is short enough to be hacked, Schneier said. Users generally can only remember passphrases about 30 characters long.

But few people have the time and know-how to spend two or three weeks figuring out back doors into so-called secure solutions -- on the Web and elsewhere.

"You're not choosing the best cryptography. You're choosing a product you want," he said. He recommended a PGP-based product and something with a passphrase.

HushMail has a "lock-out" feature to block attempts to repeatedly guess passphrases.

Jim Reavis, founder of SecurityPortal.com, reviews security solutions for corporations and says Schneier sets the bar a bit too high. Reavis recommends HushMail.

"I'm looking for open source, something that wasn't using JavaScript because that seems to have lots of security vulnerabilities and something that has publishable algorithms," Reavis said, adding that he'd prefer a Web-based solution.

PGP isn't Web-based and ZipLip.com's code is closed.

"It looked like [HushMail] had those four features covered," Reavis said.