HushMail.com - click for Home Page
 
HushMail.com - click for Home PageLoginSign UpAbout HushMailHelp
FAQs
 

General questions

Technical Questions

  1. What is HushMail?

  2. What's New in Version 1.4?

  3. Does Hush offer digital signatures?

  4. Can I sign messages that I send to non-Hush users?

  5. Can I attach files to my email messages? Can I receive attachments?

  6. How do I use HushMail attachments?

  7. How does HushMail transfer attachments? Is this process secure?

  8. Is there a size restriction on the messages and attachments I send/receive? Why?

  9. Will HushMail work on my Macintosh computer?

  10. I already have an email address. Why do I need HushMail?

  11. How much email can I store? Can I pay for more storage?

  12. How is HushMail different from HotMail™ or Yahoo™?

  13. Do I need special software to use HushMail?

  14. Do I need an Internet connection to use HushMail?

  15. Is it possible to communicate with people that aren't using HushMail?

  16. Why am I unable to print from an opened HushMail plaintext message or attachment?

  17. When I try to send HushMail to a non-HushMail address, the "Send Securely" box becomes unchecked. Why?

  18. When will you have (a) spell checking, (b) mail forwarding, and (c) changeable fonts?

  19. Why does HushMail ask for personal information?

  20. Will my name and email address be sold to other companies?

  21. Can I change my passphrase? What if I forget my passphrase? Can Hush change my passphrase?

  22. Is there a way to change my username?

  23. How do I delete my HushMail address?

  24. How can I save HushMail messages to my hard drive?

  25. Where can I report spam that involves a HushMail address?

  26. I use an Internet fax service that directs all incoming faxes to my email address. Can I direct my faxes to HushMail?

  27. How do I sign up for Email Notification?

  28. I'm having login problems. Help.

  29. After I enter my passphrase the screen (1) freezes, (2) becomes blank and blue, or (3) becomes a big gray box on a blue background. What is the problem?

  30. Why won't HushMail work with my WebTV connection?

  31. Help the HushMail server is down or isn't responding!

  32. Internet Explorer is asking me security questions. What should I tell it?

  33. Can I post to newsgroups from HushMail?

  34. Does HushMail have a "back door" that can be accessed by government agencies?

  35. What if my message is subpoenaed?

  36. How can I be sure that intruders or hackers cannot break into my email?

  37. Are you pursuing partnerships with other companies or organizations?

  38. Does your company offer stock?

  39. When will the next version of HushMail be released?

  40. Will it be possible for HushMail users to post suggestions?

  41. Is there any way to create an alias to map several email addresses?


Technical Questions

General Questions

  1. Where can I find a high level technical description of HushMail account creation and usage?

  2. How many machines does my mail go through as it crosses the Internet?

  3. What role does Java™ play in the HushMail solution?

  4. What is Blowfish and how is it involved in the HushMail solution?

  5. How can it be proved that the HushMail system is actually secure?

  6. How can I be sure the Web site I visit is really www.hushmail.com?

  7. How can I be sure the applet I run is really Hush's?

  8. Does HushMail have access to my private keys?

  9. What do the technical and cryptographic communities think of HushMail?

  10. When I set up an address, do I need to send my public key to my messaging partner?

  11. Since the encryption is done on my local machine, why can't I keep the private key on my computer?

  12. How do I enable Java™ on my browser?

  13. Do I need to turn off JavaScript™?

  14. My browser says I have an expired Thawte certificate. How do I renew it?

  15. Is there any way the recipient of a Hush message knows the IP number I am sending from?

  16. Does Hush track IP addresses of visitors and address holders?

  17. Do you keep logs of IP addresses of people logging in?

  18. Will there ever be a non-Java™ version of HushMail?

  19. Isn't there a little bit of JavaScript™ in your entry page that checks your users for browser versions? Couldn't this cause a security breach?

  20. How can I use public key fingerprints to verify that I am actually encrypting messages to whom I think I am?

  21. I can't ping or traceroute to the HushMail servers; Does this mean there is a problem?

  22. Can HushMail protect against keystroke recording?


General Questions

  1. What is HushMail?

    Hush Mail is the world's first, fully encrypted, free Web-based email service. Hush's state-of-the-art technology keeps our users' online communications private. Free and easy to use, HushMail works similarly to other Web-based email providers, except HushMail offers the security of 1,024-bit encryption between Hush users. With HushMail, users can access their address from any computer that has a Web browser and Internet access.

    Sign up for a HushMail account.

    Back to top

  2. What's New in Version 1.4?

    Hush Communications continually strives to improve the quality of its service and the experience of using HushMail for our growing customer base. In version 1.4 we have made the following changes and additions:

    • The ability to forward email with file attached.
    • The ability to digitally sign messages to non-Hush users. Messages can be verified at the Hush.com website.
    • A new look and feel to the site.
    • The ability to delete an attachment to a received email without deleting the actual message text.

    Back to top

  3. Does Hush offer digital signatures?

    Hush now offers its users the ability to digitally sign messages. This feature allows Hush users to verify with mathematical certainty that the message received originated from the anticipated or listed Hush account in the address line of their inboxes. Hence, a digital signature lets the recipients of the message know exactly who has sent a particular message.

    Here's how to sign and verify Hush messages with a digital signature:

    • To Sign A Message simply check the box located at the top of the Compose box that reads, "Sign Message". Once clicked, the Hush system automatically creates a mathematical signature for the message.

    • To Verify A Message simply click the "Verify" button at the top of the email window. Once the "Verify" button is clicked, a mathematical operation will be performed to prove that the message was actually sent from the address shown. If the result is positive, Hush users can be sure that the message is not only secure, but authentic as well.

    This will assure you that the message originated from the true owner of the indicated email address, and that it has not been altered in transit.

    Digitally signing messages is optional. It can take up to two seconds to sign a message on some computers.

    Back to top

  4. Can I sign messages that I send to non-Hush users?

    Hush users will be able to send digitally signed messages to anyone in the world with an active email account. However, non-HushMail users will need to verify the signature at the following URL: https://www.hush.com/tools

    Here's how non-HushMail users verify digitally signed Hush messages:

    1. To verify a message, go to: https://www.hush.com/tools
    2. Copy and paste the entire message into the application as illustrated.
    3. Click "Verify", and wait for a confirmation message to be displayed.

    This will assure non-HushMail users that the message originated from the true owner of the indicated HushMail address, and that the content (or message) has not been altered in transit.

    Back to top

  5. Can I attach files to my email messages? Can I receive attachments?

    Absolutely. In fact, Hush has made important upgrades to its HushMail attachment feature.

    • We've made attachments safer than ever. We've increased security by wrapping attachments with the same end-to-end encryption that protects all HushMail messages sent between Hush users.

    • We've made attachments easier to use: Hush users will now be one click away from choosing the file or image they'd like to attach to their mail. Simply click on "Compose" and look for the "Attach File" button in the top right-hand corner of the box. Click on "Attach File". Hush users will be asked to choose the file or image they intend to send. Once the file or image is uploaded, they'll be ready to send fully secured attachments.

    • We've made attachments easier to open: Once a Hush user clicks on the "View Attachments" button in the upper right-hand corner of an opened mail, they'll see a pull-down menu with all the attachments listed and ready to be downloaded or opened. Simply click on "View Attachments" and save the attachment directly to your hard drive.

    Back to top

  6. How do I use HushMail attachments?

    To send an attachment, simply click on "Compose" and look for the "Attach File" button in the top right-hand corner of the message template. Click on "Attach File", then, choose the file or image to be sent. Once the file or image is uploaded, it can be sent.

    To open an attachment, click on the "View Attachments" option in the upper right-hand corner of an opened mail, a pull-down menu will appear with all the attachments listed and ready to be downloaded or opened. Simply click on "View Attachments" and save the attachment directly to your hard drive.

    Back to top

  7. How does HushMail transfer attachments? Is the process secure?

    HushMail's Attachment Feature offers an end-to-end secure, fully encrypted solution for Hush users who would like to send files and images in addition to an encrypted text message.

    Attachments, sent by Hush users, are encrypted and transferred in the exact same fashion as regular, text messages. The attachment is fully encrypted and secure between Hush users, regardless of the means used to transfer it.

    No other Web-based service can match the complete security offered by HushMail. Unlike other "secure" Web-based email services, the Hush system uses its users' passphrases to open attachments. There is no need to deliver a separate secret key to messaging partners in order to unlock email. Additionally, the Hush system doesn't require Hush users to "go get" -- or link to - a message or attachment sitting on a remote server. The entire encryption process is handled for Hush users seamlessly and without interruption to their use of their HushMail account.

    The High Level Technical Description thoroughly explains the Hush encryption process.

    Back to top

  8. Is there a size restriction on the messages and attachments I send/receive? Why?

    HushMail caps the size of messages sent or received by a Hush user at 32K. This cap prevents attachments or images from accidentally making their way into a Hush address. Hush users can send and receive attachments up to 1MB in size.

    NOTE: Netscape™ users have serious restrictions regarding the size of both plaintext messages and attachments. The amount of text that will fit into a HushMail message is 32K. The total amount of information that can be sent between both plaintext messages and attachments cannot exceed 500K.

    These unfortunate Netscape™ size limitations are a direct result of how the Netscape browser architecture allocates memory. At the present time, Hush is unable to provide a solution that accommodates Netscape's shortcomings.

    Back to top

  9. Will HushMail run on my Macintosh™ computer?

    HushMail does not currently work on Apple Macintosh™ computers.

    Back to top

  10. I already have an email address. Why do I need HushMail?

    Email is no longer just a way to send memos at work or birthday wishes to Mom. Email is increasingly how people do business, bank, make consumer choices, read the news, and communicate with the world. Many of us assume that the information we transmit is as secure as a letter or as private as a conversation between two people.

    All electronic messages are sent through a vast system of routers and servers. Some transmissions travel as far as the satellites that orbit the Earth. At points along this path, messages can be stored, digital signatures logged, and the contents of private conversations and business transactions can be retrieved, read, and used.

    For the first time, a product is available that is both easy to use and provides state-of-the-art security. HushMail provides similar functionality as any other Web-based email service, but with the added protection of privacy, security, and very powerful 1,024-bit encryption.

    Back to top

  11. How much email can I store? Can I pay for more storage?

    Hush offers its customers Premium Accounts. With a HushMail Premium Account users receive 25Mbs of storage space as well as first access to all future upgrades and features of HushMail. For the low cost of $60, you can become a HushMail Premium Account holder. Visit the Premium Accounts page for more information or to sign up.

    Back to top

  12. How is HushMail different from HotMail™ or Yahoo™?

    HushMail is the world's first fully encrypted, easy-to-use, Web-based email service.

    • No other service provides END-TO-END security.

    • No other service is as EASY-TO-USE.

    • No other service transparently manages PUBLIC AND PRIVATE KEYS.

    HushMail and the larger Web-based email providers differ in one critically important way: HushMail offers complete privacy and security, while Hotmail™ and Yahoo™ do not. HushMail's secure system allows Hush users to communicate between each other with the security of bulletproof 1,024-bit encryption.

    Features of HushMail such as the Address Book and Folders are housed entirely within the Java applet that contains HushMail. Therefore, users don't have to wait to reload the entire Web page when accessing their address books or folders, unlike Yahoo ™ and HotMail ™.

    Back to top

  13. Do I need special software to use HushMail?

    No. You just need access to the Internet and the latest Web browser.

    For optimal performance run HushMail on the latest Microsoft's Internet Explorer ™ version, however HushMail will run on earlier versions of Internet Explorer ™.

    HushMail is also compatible with Netscape Communicator ™. However, Netscape Communicator ™ has serious limitations regarding the size of messages and attachments that can be sent safely through its system. Netscape Communicator ™ limits the size of messages and attachments to no larger than 500K. Text within a HushMail message cannot exceed 32K. Anything larger will interrupt service to HushMail.

    HushMail is compatible with Microsoft's Windows 95 ™, Windows 98 ™, Windows NT ™, and many other operating systems.

    Unfortunately, HushMail does not work on the Macintosh OS at this time.

    Back to top

  14. Do I need an Internet connection to use HushMail?

    HushMail is located on the World Wide Web. To gain access to the World Wide Web, you must be connected to the Internet.

    HushMail is absolutely free! There is no software that users need to buy or install to access HushMail. Once on the Web, anyone can create a HushMail address.

    Back to top

  15. Is it possible to communicate with people that aren't using HushMail?

    Yes. Hush users can send and receive messages to anyone with an email address. The HushMail system is like an electrical circuit. For the circuit to work properly, it must be closed. When one Hush user talks to another Hush user, the security circuit closes, and the mail is protected by Hush's 1,024-bit state-of-the-art encryption engine.

    Back to top

  16. Why am I unable to print from an opened HushMail plaintext message or attachment?

    The reason Hush users can't print directly from an opened plaintext message or attachment is because Hush uses a Java ™ applet as an integral part of its encryption process. Java ™ never accesses the hard drive of a Hush user's computer; therefore, plaintext messages and attachments sent via HushMail are never downloaded to them. If that information were downloadable, all Hush users would be able to print directly from their accounts. However, keeping information off the hard drive is an effective deterrent to those that might have access to the hard drive without permission or knowledge of the computer's user.

    Following the steps below, Hush users will be able to complete the standard process of copying and pasting text between a HushMail message and any document editor window installed on their machine.

    1. Left click on your mouse and drag across the text you want to copy. This will highlight your chosen text.

    2. Release the mouse.

    3. Hold the "Ctrl" key down and then press the "C" key, simultaneously. This will copy your text.

    4. To paste the text into your HushMail message, click the mouse in the large white text body area of HushMail, placing the cursor where the text should begin.

    5. Then hold the "Ctrl" key down and press "V" simultaneously. The text is now pasted in place.

    Utilizing the Ctrl-C and Ctrl-V buttons on your keyboard is the only way to copy and paste text out of a HushMail document.

    Back to top

  17. When I try to send HushMail to a non-HushMail address, the "Send Securely" box becomes unchecked. Why?

    The Hush system is reminding HushMail users that the only way to send completely secure and encrypted messages is to send them between HushMail users. When a Hush user types in "@hushmail.com", the message is automatically encrypted and the "Send Securely" box is checked. When a Hush user types in an address other than a HushMail address, the box is automatically unchecked. The message will not be encrypted. In addition, a notice will appear at the top of the mailbox, which indicates that the message will not be sent securely.

    Back to top

  18. When will you have (a) spell checking, (b) mail forwarding, and (c) changeable fonts?

    These features will be available in future releases of HushMail.

    Back to top

  19. Why does HushMail ask for personal information?

    Hush provides HushMail to our users absolutely free of charge. By providing certain information you will help us to establish what your needs are and ensure that we take them into account as we improve HushMail in the future. Personal data or individual account data is never shared or sold. Further, Hush offers an account option that automatically generates a username without requiring any information from the user.

    Privacy is our business. For more information please refer to the Hush Privacy Policy.

    Back to top

  20. Will my name and email address be sold to other companies?

    Absolutely not. Please refer to our Privacy Policy for more information.

    Back to top

  21. Can I change my passphrase? What if I forget my passphrase? Can Hush change my passphrase?

    Don't lose your passphrase! The Hush system doesn't allow Hush employees access to Hush user messages or passphrases, therefore, Hush cannot help users if they misplace or forget their passphrases. So, be sure to WRITE DOWN the passphrase upon sign-up and store it in a safe place, preferably away from your PC.

    Hush users now have the option to change their passphrases.

    NOTE: If you have definitely lost your passphrase, the solution is to open another Hush address and let all your messaging partners know that you have changed your address. Remember, there is no way to retrieve old mail if you lose your passphrase.

    Back to top

  22. Is there a way to change my username?

    The only way Hush users can change their usernames is to register for another Hush address. Hush recommends that its users choose unique usernames that they'll remember.

    Back to top

  23. How do I delete my HushMail address?

    The only way to deactivate a HushMail address is to send email to info@hushmail.com from the HushMail account to be disabled. Please include a formal request within the body of the message.

    Back to top

  24. How can I save HushMail messages to my hard drive?

    Hush recommends that users copy (Ctrl-C) and paste (Ctrl-V) the contents of desired plaintext messages into text files or documents on their desktops.

    Following the steps below, Hush users will be able to complete the standard process of copying and pasting text between a HushMail message and any document editor window installed on their machine.

    1. Left click on your mouse and drag across the text you want to copy.

    2. This will highlight your chosen text.

    3. Release the mouse. Hold the "Ctrl" key down and then press the "C" key, simultaneously. This will copy your text.

    4. To paste the text into your HushMail message, click the mouse in the large white text body area of HushMail, placing the cursor where the text should begin.

    5. Then hold the "Ctrl" key down and press "V" simultaneously. The text is now pasted in place.

    Utilizing the Ctrl-C and Ctrl-V buttons on your keyboard is the only way to copy and paste text out of a HushMail document.

    Back to top

  25. Where can I report spam that involves a HushMail address?

    Any spamming activity should be reported to Hush immediately. Please email postmaster@hushmail.com.

    Back to top

  26. I use an Internet fax service that directs all incoming faxes to my email address. Can I direct my faxes to HushMail?

    Hush users can have faxes or email forwarded to their HushMail accounts. Hush recommends that forwarded faxes containing logos or images be sent as attachments.

    Back to top

  27. How do I sign up for Email Notification

    When you have logged into your HushMail account click on the "paging" link in the toolbar at the top of the page. You'll be asked to enter your passphrase. You will be taken to a page where you'll be asked to enter an alternate (NON-HUSH) email address. When you receive email in your HushMail inbox, Hush automatically sends your alternate email address a notice of newly arrived HushMail.

    Remember: You must enter a NON-HUSH address in the space provided in order for the Email Notification service to work. It is also important you enter the correct address, to avoid notifying the wrong address of activity in your HushMail account.

    Back to top

  28. I'm having login problems. Help.

    If you are using Microsoft's Internet Explorer ™ 5 and are having problems either signing up or checking your mail, make sure that you have the Microsoft™ VM installed and enabled. This may be downloaded from Microsoft™ at: http://www.microsoft.com/java/vm/dl_vm40.htm.

    For help in turning on Java™ in Internet Explorer ™, please click here.

    If you are still experiencing problems logging into your HushMail address, please send a message to info@hushmail.com with a description of the problem and the type of Web browser you are using. If possible, include the browser version number. To determine which browser version you are using, click on the "Help" menu and then, click on the "About" option.

    If you are creating a new HushMail address and are experiencing problems, please send a detailed description of the problem to info@hushmail.com.

    Back to top

  29. After I enter my passphrase the screen (1) freezes, (2) becomes blank and blue, or (3) becomes a big gray box on a blue background. What is the problem?

    If the screen freezes or changes colors and freezes after you've entered your passphrase and you're using Netscape ™, try hitting the "Shift" button on your keyboard while simultaneously clicking on the "Reload" button found on the menu bar of your browser. Netscape ™ may be trying to load a cached or old version of the site.

    This recommendation will not work if you are using Microsoft's Internet Explorer ™. If your screen freezes or changes color and freezes, close the browser and re-enter your username and passphrase.

    Persistent login difficulties should be reported to info@hushmail.com.

    Back to top

  30. Why won't HushMail work with my WebTV connection?

    WebTV users cannot use HushMail because WebTV does not implement Java. HushMail relies upon a Java applet, so our services will not work together.

    Back to top

  31. Help, the HushMail server is down or isn't responding!


    You may be trying to access your HushMail account during routine maintenance downtime or the routers and servers that carry Internet messages may be busy in your area. If the problem persists for more than a few hours, email info@hushmail.com.

    Back to top

  32. Internet Explorer is asking me security questions. What should I tell it?

    Depending on how the security settings in Microsoft's Internet Explorer ™ are configured, Hush users may be prompted to answer a few security questions. Answer, "Yes" when asked the following questions. Answering, "No" to these questions will result in functionality problems.

    Scripts are usually safe. Do you want to allow scripts to run?
    Click "Yes".
    Do you want to allow scripts to access Java applets?

    Click "Yes".

    A script is accessing some software (an ActiveX control) on this page which has been marked safe for scripting. Do you want to allow this?
    Click "Yes".

    A bug in Microsoft's Internet Explorer ™ prompts these dialogue boxes. The bug causes Internet Explorer ™ to think HushMail's Java applet is an Active X control. HushMail does not use ActiveX controls.

    NOTE: Setting the security levels to "Medium" will eliminate all future warnings.

    Back to top

  33. Can I post to newsgroups from HushMail?

    Not at this time. Hush will offer this feature in an upcoming version of HushMail.

    Back to top

  34. Does HushMail have a "back door" that can be accessed by government agencies?

    No. Email, which includes attachments, sent between Hush users is completely encrypted.

    Back to top

  35. What if my message is subpoenaed?

    Hush will answer valid, court-issued subpoenas. However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version.

    Back to top

  36. How can I be sure that intruders or hackers cannot break into my email?

    Hush has made its source code available for inspection and review. Interested parties can download and review Hush's source code by visiting www.hush.ai. A technical explanation is also available on this Web site.

    Back to top

  37. Are you pursuing partnerships with other companies or organizations?

    Hush is available and interested in partnerships, alliances, and other business development opportunities.

    For more information, please email alliances@hushmail.com.

    Back to top

  38. Does your company offer stock?

    Hush is a privately held company, and therefore, does not offer publicly traded stock.

    Back to top

  39. When will the next version of HushMail be released?

    Team Hush is very interested in feedback from our customers as we are constantly reviewing our source code and technology. We expect to release version 2.0 in the first half of 2001. If you have any suggestions for features you would like to see added, please fill out our contact form.

    Back to top

  40. Will it be possible for HushMail users to post suggestions?

    Hush is currently developing a number of interfaces for comment, suggestion, and feedback. In the meantime, please send all suggestions to info@hushmail.com.

    Back to top

  41. Is there any way to create an alias to map several email addresses?

    Yes. Simply click "Addresses" on the left side of the email window. Then, click "New Address". In the "Email Address" field, Hush users can list up to 25 email addresses. This list can be accessed via the nickname entered into the "Nickname" field that is on the pull down menu on the "Compose" screen. For more details click here.

    Security Note: If you list Hush users on an email address list, the individual public key fingerprints of these recipients will not be stored. Hush advises that, in addition to the list, you make a separate entry for every Hush email address you send to, ensuring that public key fingerprints will be verified every time a message goes out.

    Back to top


Technical Questions

  1. Where can I find a high level technical description of HushMail account creation and usage?

    You can find such a description on this Web site by clicking here.

    Back to top

  2. How many machines does my mail go through as it crosses the Internet?

    To see the pathway of your sent email, open an MS-DOS client while connected to the Internet and type:

    tracert computer.name

    "computer.name" represents the address that appears after the "@" symbol of the address being sent a message. A list of every machine the message is routed through will appear. Each of these machines and every machine on the same local network of any of the machines listed have access to the message. If a network has hundreds of machines on it, the message is that much more susceptible or vulnerable to unauthorized review or storage. Ultimately, this exercise displays the number of routers involved in transporting a message from a Hush user's computer to the Hush servers.

    Back to top

  3. What role does Java™ play in the HushMail solution?

    Java ™ allows Web-browsers to download and run small applications, known as "applets", on the fly. HushMail messages are encrypted on the client machine, within the Java ™ applet. Messages do not have to travel to a remote server before they are encrypted. The Java ™ applet is loaded directly into the browser to encrypt the email before it's sent. Email must be sent and received to and from Hush addresses to fully utilize the security of this applet-based cryptosystem.

    Back to top

  4. What is Blowfish, and how is it involved in the HushMail solution?

    Blowfish is a type of 128-bit symmetric block cipher. When combined mathematically with a Hush passphrase, the Blowfish algorithm encrypts the private keys of Hush users. This occurs before the key is stored on HushMail's very secure key server. The only thing that can decrypt the private key is a Hush passphrase combined with the Blowfish algorithm.

    Back to top

  5. How can it be proved that the HushMail system is actually secure?

    Hush is proud of its reputation for security and has had a lot of positive feedback from industry, experts and users. The Java source code for HushMail is available to everyone, free of charge. Security experts and computer enthusiasts worldwide have the unrestricted ability to test the strength of the Hush cryptographic system. The source code can be reviewed and downloaded at www.hush.ai. In addition, a full technical description of the functionality of the system is available here.

    Back to top

  6. How can I be sure the Web site I visit is really www.hushmail.com?

    If Hush users log in at https://www.hushmail.com, they are guaranteed to communicate only with the legitimate HushMail servers. (The "s" in "https" stands for "secure".) However, if users login at http://www.hushmail.com, they should check that the address line reads, "https://(enter something here).hushmail.com", when checking mail. If a different domain name appears, other than www.hushmail.com, in the address line, or if the "https:" tag is missing, DO NOT ENTER YOUR PASSPHRASE.

    Hush encourages its users to always log in at https://www.hushmail.com.

    Back to top

  7. How can I be sure the applet I run is really Hush's?

    The HushMail applet is digitally signed with a certificate owned by Hush Communications. The first time you log into your account, your Web browser will ask you to accept the certificate. If the certificate says, "Hush Communications" you can be sure the applet comes from Hush.

    Back to top

  8. Does HushMail have access to my private keys?

    Hush never actually possesses the private keys of any of its users. Private keys are created on the local machines of Hush users when they create their accounts, and are symmetrically encrypted, one key for both encryption and decryption with individual Hush user passphrases. Then, the encrypted private keys are sent to the Hush server and are stored there. Further, a secure one-way hash of each individual user's passphrase is generated on the user's local machine. The one-way hash is, then, stored on the Hush server. This one-way hash can only be derived from an individual passphrase, but the passphrase cannot be recovered from the one-way hash.

    When a Hush user logs on to www.hushmail.com and enters their passphrase, the passphrase is hashed in the same way, and the one-way hash is sent to the Hush server for authentication. Passphrases are never sent to the Hush server, so Hush never has access to them, nor can Hush retrieve them. For example, after an individual passphrase has been authenticated, the Hush server sends the user's browser (Netscape ™/Internet Explorer ™) the encrypted private key. The private key is then, decrypted, locally, using the Hush user's passphrase. At that point, the user can read their messages.

    Back to top

  9. What do the technical and cryptographic communities think of HushMail?

    Hush welcomes the input of the cryptographic community. We strongly believe in the presentation and review of open source code. Hush's source code is available at www.hush.ai.

    Bruce Schneier, one of the world's best-known cryptographic experts, reviewed our product in his monthly newsletter to security experts worldwide. We're delighted that he's taken the time to comment on our system. Bruce Schneier's review and our response are both available on the Web:

    www.counterpane.com/crypto-gram-9908.html

    www.hushmail.com/bruce_comments

    Back to top

  10. When I set up an address, do I need to send my public key to my messaging partner?

    No. Both the public and private keys are kept on the secure Hush servers. Hush users' private keys are encrypted by their HushMail passphrase before they're stored. Public keys are retrieved automatically by the applet when Hush users want to send messages.

    Back to top

  11. Since the encryption is done locally, why can't the private key remain on my computer?

    If the private key were to be stored on a local machine, it would not be possible to use HushMail from any other client machine. One of the key features of Web-based email is the ability of Web-based email users to access their mail from anywhere in the world.

    Back to top

  12. How do I enable Java on my browser?

    For Netscape™:

    • Pull down the "Edit" menu
    • Next, select "Preferences"
    • Select "Advanced"
    • Check the box that says, "Enable Java ™"

    In Internet Explorer™:

    • Pull down the "Tools" menu
    • Next, select "Internet Options"
    • Select "Advanced"
    • Scroll down to the "Java™ VM" section
    • Check the box that says, "JIT compiler for virtual machine enabled"

    Back to top

  13. Do I need to turn off JavaScript?

    No. Do not turn off JavaScript.

    Back to top

  14. My browser says I have an expired Thawte certificate. How do I renew it?

    The following is the procedure for installing a new Thawte Certificate onto a Web browser. Some Hush users have older browsers, and when the certificates they contain expire, users must follow the procedure to renew the certificates.

    For Netscape™:

    In some cases, if you are using Netscape™, you must remove your old certificate before installing the new, up-to-date certificate. To do this:

    1. Go to Communicator -> Tools -> Security Info
    2. Click on "signers" under "certificates".
    3. Select "Thawte Server CA".
    4. Click delete.
    5. Access http://www.thawte.com/serverbasic.crt
    6. Continue through the installation dialog.
    7. For the name of the certificate, enter "Thawte™ Server CA".

    For Microsoft's Internet Explorer™:

    1. Access http://www.thawte.com/serverbasic.crt
    2. When prompted, choose to open the file from its current location.
    3. When the certificate information box appears, choose to "install" the certificate.
    4. For the name of the certificate, enter "Thawte™ Server CA".

    Back to top

  15. Is there any way the recipient of a Hush message knows the IP number I am sending from?

    No.

    Back to top

  16. Does Hush track IP addresses of visitors or address holders?

    No.

    Back to top

  17. Do you keep logs of IP addresses of people logging in?

    No.

    Back to top

  18. Will there ever be a non-Java™ version of HushMail?

    Not yet. However, Hush is currently developing a variety of online communications products.

    Back to top

  19. Isn't there a little bit of JavaScript™ in the Hush entry page that checks the browser versions of Hush users? Couldn't this cause a security breach?

    While there is JavaScript ™ within the entry page of HushMail, Hush has no intention to surreptitiously collect information about our users, and therefore, the script does not pose a security risk. HushMail's JavaScript ™ is completely harmless.

    Review Hush's Privacy Policy.

    Back to top

  20. How can I use public key fingerprints to verify that I am actually encrypting messages to whom I think I am?

    For those Hush users who desire extra assurance that the intended recipient will be the only party to receive a message, the following public-key authentication procedure can be followed:

    • Add an entry in the address book for the address associated with the public key identified for verification.

    • After saving the entry, click on the "Edit" button for the entry.

    • A public key fingerprint for the entry will appear on the "Status Bar" at the bottom of the screen. [Note: fingerprints will only appear for addresses @hushmail.com.].

    • Have the recipient of the message go to their address screen and click "Show My Fingerprint".

    • Each party must verify the fingerprints seen are identical.

    • Send the message.

    In the future, every time a Hush user access that public key, it will be checked against the public key fingerprint identified, and the Hush system will automatically send a warning if there is no such match. The record, of course, must remain in the address book for the system to work.

    It is important to note that Hush will never send an improper public key, and therefore, this procedure is not necessary for secure communication with HushMail. However, it is an added safeguard against misspellings of addresses and other inadvertent human errors. This process exists to reassure those who do not trust the key archiving of any institution.

    Specific information regarding this process and the Hush source code can be reviewed and downloaded at www.hush.ai.

    Back to top

  21. I can't ping or traceroute to the HushMail servers; Does this mean there is a problem?

    Ping and traceroute are network diagnostic tools that enable system administrators to determine the availability of and network routing to hosts across the Internet. These tools can also be used maliciously, to disrupt the normal functions of hosts and networks, and therefore are not appropriate for use on HushMail servers. Attempts to reach the HushMail network using ping or traceroute will fail, but this is normal and does not indicate any disruption in service.

    Back to top

  22. Can HushMail protect against keystroke recording?

    Hush cannot protect the user against this kind of security threat as our system is designed to ensure secure transmission of data between computers only. If a HushMail user's private computer has been compromised or if they are accessing their HushMail account from the workplace where keystroke recording software is installed, their HushMail passphrase may be accessed by a third party. To combat keystroke recording software, we suggest you:
    • Change your HushMail passphrase regularly
    • Choose a secure passphrase
    • Update your virus checking software regularly
    • Send sensitive communications through your private/home computer

Back to top

Top

 
© 2001 Hush Communications. All Rights Reserved.