Talk:Hushmail

Private keys ?

The most important part is missing in the article: Where are private keys stored and how does an applet running in the browser get the private key. Please add this missing part to the article urgently! — Preceding unsigned comment added by 186.105.79.45 (talk) 15:34, 18 February 2013 (UTC)

Sadly, there isn't an applet running in the browser any more. That option was removed for new accounts several years ago. The key is stored, in encrypted form, on their server, but both the message body and the password are decrypted on the server, if only momentarily, to re-encrypt with the recipient's key. To source this, please click on what is currently Citation [5] in the article, then click on the hyperlinked phrase, "technical comparison". This used to point to the actual comparison of Java vs. non-Java versions of Hush. It is still a valid link, but the security analysis to which it points says nothing at all about Java, and there are no other options. So, no more AES-256 as originally designed, and no endpoint-to-endpoint (user-to-user) full encryption.

I have a grandfathered account that still runs the Java applet, but you can't open a new account with Java. Perhaps if I send to another old Java-enabled Hush account, it still may stay AES-256 all the way through. I don't know enough about crypto to know. If it's sent to a non-Java account, surely there are the same potential vulnerabilities, at least once it reaches their server. If you read all of their documentation, including the threat analysis, method of secruring, etc., you may find it appropriate to edit the article. However, since Java versions like mine may still be out there, the sentence regarding the potential of being forced to send a compromised Java applet under court order is still a valid statement.

Overall, it's still probably better than conventional web mail, even those that offer SSL connections, because your stored messages remain fully encrypted on Hush's server, fairly immune from all but a court order, except when you are actually logged in. I think it likely that conventional services that offer SSL connection to the web server will still store all of your messages in plain text on their servers. So Hush is still probably better than "nothing", though a lot weaker than it used to be. Unimaginative Username (talk) 04:05, 29 April 2013 (UTC)

NPOV Issues

Please review NPOV issues re differences between these versions: http://en.wikipedia.org/w/index.php?title=Hushmail&diff=168025454&oldid=166787296. Uncompressed 21:26, 30 October 2007 (UTC)

"The Patriot Act has endangered civil liberties and we should be grateful that Canada is a sovereign state and not subject to the American (il)legal system." I removed this statement because it doesn't conform to the NPOV standards of WikiPedia. GZAdmin 15:31 UTC 04/05/06

The statement is technically incorrect, Canada is subject to the American (il)legal system because of the Mutual Legal Assistance treaty signed by Canada and the US. I share the sentiments of the author of this statement however. —Preceding unsigned comment added by 207.176.6.111 (talk) 23:12, 3 November 2007 (UTC)

I've done some editing, and at this point I think the npov issue is gone. I'm removing the template.--76.81.180.3 (talk) 18:49, 17 November 2007 (UTC)

finding out who sent you a hushmail.com email

Is this possible? Can you find out who sent you a hushmail email? Or trace their IP address?—The preceding unsigned comment was added by Terryboo (talk • contribs).

No, Hushmail removes the ip address of the sender. 62.163.3.75 13:37, 17 July 2007 (UTC)

Hushmail removes the ip address of the sender from the email itself ... that doesn't mean that they cannot determine the ip address of a sender and relay that information to the american authorities. So for the average joe... he wouldn't be able to determine the ip address...but in essence the americans could. —Preceding unsigned comment added by 207.176.6.111 (talk) 23:08, 3 November 2007 (UTC)

After 180 days in the U.S., email messages lose their status as a protected communication

After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force Google to produce a copy. Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries.Nunamiut (talk) 18:05, 17 May 2009 (UTC)

Article states that servers located in Canada plus Ireland, USA, and Anguilla

I'm using the "Flag Fox" plugin and it is showing the hushmail server that I connected to as being located in UK (mailserver1.hushmail.com). That part of the article may need to be updated. Nevart (talk) —Preceding undated comment added 10:58, 9 July 2010 (UTC).

A service outage today revealed that they are a client of CloudFlare hosting. A CloudFlare banner appears at the top of the page saying that it's delivering a cached copy of the website. ( as of 1:40 am December 11, 2015 UTC) 134.129.121.168 (talk) 00:56, 11 December 2015 (UTC)

RfC concerning the Lavabit email service

There is a request for comments (RfC) that may be of interest. The RfC is at

Talk:Lavabit#RfC: Should information about Lavabit complying with previous search warrants be included?

At issue is whether we should delete or keep the following text in the Lavabit article:

Before the Snowden incident, Lavabit had complied with previous search warrants. For example, on June 10, 2013, a search warrant was executed against Lavabit user Joey006@lavabit.com for alleged possession of child pornography.

Your input on this question would be very much welcome. --Guy Macon (talk) 04:42, 29 August 2013 (UTC)

No 'free' accounts any more?

Is it just me, or there is no 'free' 25Mb accounts available any more? I tried to register a new one recently and there is only paid 1Gb and 10Gb options given as account type. Couldn't find anything useful on their website - there are still links and terms of service for 'free' that lead to the same 'non-free' sign up page. Did I miss something? Are there any hidden restrictions on 'free' accounts or something? — 94.179.71.29 (talk) 14:16, 23 October 2013 (UTC)

I'm pretty sure it was still available but hidden back then. But now it does appear to be completely gone. I've tagged the article with an update tag. I'd fix it, but I'm not finding any third party sources. — trlkly 07:32, 21 February 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 4 external links on Hushmail. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive https://web.archive.org/web/20120616181615/http://www.hushmail.com/services/hushmail/features/ to http://www.hushmail.com/services/hushmail/features/
• Added archive https://web.archive.org/web/20071110164408/http://blog.wired.com/27bstroke6/hushmail-privacy.html to http://blog.wired.com/27bstroke6/hushmail-privacy.html
• Added archive https://web.archive.org/web/20080724042801/http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf to http://static.bakersfield.com/smedia/2007/09/25/15/steroids.source.prod_affiliate.25.pdf
• Added archive https://web.archive.org/web/20071122180245/http://www.hushmail.com/about-security to http://www.hushmail.com/about-security

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

This message was posted before February 2018. After February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{source check}} (last update: 18 January 2022).

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 03:58, 9 November 2017 (UTC)