[cryptography] open letter to Phil Zimmermann and Jon Callas of Silent Circle, re: Silent Mail shutdown

ianG iang at iang.org
Sat Aug 17 05:30:40 EDT 2013

On 17/08/13 00:46 AM, Zooko Wilcox-OHearn wrote:
> ... This was
> demonstrated in the Hushmail case in which the U.S. DEA asked Hushmail
> (a Canadian company) to turn over the plaintext of the email of one of
> its customers. Hushmail complied, shipping a set of CDs to the DEA
> containing the customer's messages.
> The President of Hushmail `emphasized`_ in interviews with journalists
> at the time that Hushmail would be able to comply with such orders
> regardless of whether the customer used Hushmail's “client-to-server”
> (SSL) encryption or its “end-to-end” (Java applet) encryption.
> .. _emphasized: http://www.wired.com/threatlevel/2007/11/hushmail-to-war/
> Phil had been Chief Cryptographer of Hushmail years earlier, and was
> still a member of the Advisory Board of Hushmail at the time of that
> case. He commented about the case at that time, and he also `stated`_,
> correctly, that the Hushmail model of *unverified* end-to-end
> encryption was vulnerable to government coercion. That's the same
> model that Silent Circle uses today.
> .. _stated: http://www.wired.com/threatlevel/2007/11/pgp-creator-def/

As I was involved in Hushmail at the very early stages, I suppose I can 
add some words here.

This was always known as the weakness of the model.  The operator could 
simply replace the applet that was downloaded in every instance with one 
that had other more nefarious capabilities.  There were thoughts and 
discussions about how to avoid that, but a simple, mass market solution 
was never found to my knowledge [0] which rendered the discussions moot.

I don't think the company ever sought to hide that vulnerability.

Also, that vulnerability was rather esoteric as it required quite 
serious levels of cooperation.  So the bar was still high.

There were two reasons why this was a reasonable risk to accept.

1) There was a far greater danger that most cypherpunks ignored -- The 
capability to hack or subpoena your counterparty's emails was far more 
of a danger to the individual than any concerted 
Hushmail-government-applet replacement.  This is why I sometimes say 
that the threat is always on the node, as to a good order of 
approximation, most threats and most risks are concentrated on the node, 
and classical CIA provides far less than one thinks in the aggregate if 
that threat is ignored.

2) The service did provide something that no other provided:  easy 
access to a good crypto email service.  It's utility far exceeded that 
of the only serious contender, PGP.  So it got encryption out to the 
masses.  And, those masses could then appreciate and learn ... and some 
did use both hushmail and PGP at the same time.


[0] Also, it's fair to say that applets themselves held early promise 
that was never really capitalised on (possibly because of the 
browser/language wars at the time).  If applets had developed, and if 
attention had been paid in browser vendors to real security risks by 
users, then we might have made some headway.

More information about the cryptography mailing list