[cryptography] open letter to Phil Zimmermann and Jon Callas of Silent Circle, re: Silent Mail shutdown
iang at iang.org
Sat Aug 17 05:30:40 EDT 2013
On 17/08/13 00:46 AM, Zooko Wilcox-OHearn wrote:
> ... This was
> demonstrated in the Hushmail case in which the U.S. DEA asked Hushmail
> (a Canadian company) to turn over the plaintext of the email of one of
> its customers. Hushmail complied, shipping a set of CDs to the DEA
> containing the customer's messages.
> The President of Hushmail `emphasized`_ in interviews with journalists
> at the time that Hushmail would be able to comply with such orders
> regardless of whether the customer used Hushmail's “client-to-server”
> (SSL) encryption or its “end-to-end” (Java applet) encryption.
> .. _emphasized: http://www.wired.com/threatlevel/2007/11/hushmail-to-war/
> Phil had been Chief Cryptographer of Hushmail years earlier, and was
> still a member of the Advisory Board of Hushmail at the time of that
> case. He commented about the case at that time, and he also `stated`_,
> correctly, that the Hushmail model of *unverified* end-to-end
> encryption was vulnerable to government coercion. That's the same
> model that Silent Circle uses today.
> .. _stated: http://www.wired.com/threatlevel/2007/11/pgp-creator-def/
As I was involved in Hushmail at the very early stages, I suppose I can
add some words here.
This was always known as the weakness of the model. The operator could
simply replace the applet that was downloaded in every instance with one
that had other more nefarious capabilities. There were thoughts and
discussions about how to avoid that, but a simple, mass market solution
was never found to my knowledge, which rendered the discussions moot.
I don't think the company ever sought to hide that vulnerability.
Also, that vulnerability was rather esoteric as it required quite
serious levels of cooperation. So the bar was still high.
There were two reasons why this was a reasonable risk to accept.
1) There was a far greater danger that most cypherpunks ignored -- The
capability to hack or subpoena your counterparty's emails was far more
of a danger to the individual than any concerted
Hushmail-government-applet replacement. This is why I sometimes say
that the threat is always on the node, as to a good order of
approximation, most threats and most risks are concentrated on the node,
and classical CIA provides far less than one thinks in the aggregate if
that threat is ignored.
2) The service did provide something that no other provided: easy
access to a good crypto email service. Its utility far exceeded that
of the only serious contender, PGP. So it got encryption out to the
masses. And, those masses could then appreciate and learn ... and some
did use both hushmail and PGP at the same time.
Also, it's fair to say that applets themselves held early promise
that was never really capitalised on (possibly because of the
browser/language wars at the time). If applets had developed, and if
attention had been paid in browser vendors to real security risks by
users, then we might have made some headway.