Uh, I guess. Why bother using javascript at all if you need some non-javascript tool to verify it everytime you use it? Might as well just use GPG along with any existing mail service.
One thought is that you can get PGP functionality from a portable service. If you brought the javascript with you on a USB drive, you could use it from computers that were not your own.
Of course you could also install Thunderbird portable on your USB drive and implement your suggestion as well.
Lots of reasons. If encryption is ever to become widespread, it needs to accomodate the myriad of situations that users might need computing/communication in. Which is a lot.
I've seen this implemented (in a very special case) with statically-linked GPG on a USB drive and a Crypto Stick[1]. Better than JavaScript (because you don't need to rely on an untrustworthy interpreter), and the keys never leave the smart card. The big limitation is that you need admin access to the system if you need to install drivers for the smart card.
Hushmail was always a strange operation to me anyway. If you need data at rest encrypted, why trust a third party with the keys? If you need anonymity, why would you want a key identifying your unique persona?
For the same reason that people choose Facebook web hosting over their own privacy protected servers. They are not tech savvy and know little to nothing about security. They don't even know what keys are. 10 years ago, they just knew that Hushmail offered encrypted email. It was the first service anybody heard of that did that. The non-tech savvy crowd is the niche that services like Hushmail exploit.
You could say that about a lot of cloud based products... Think of the information in gmail or salesforce.com. The value those tools provide and the flexibility vs the risk of them improperly using your data and the cost of running them yourself (likely running them improperly too.). That's the cloud.
What is more interesting is what the EULA said about this sort of thing and if they hand data over without notification to the owner. I suspect that they did.
The whole point of Hushmail is that you can use PGP/GPG style mail encryption via a webmail interface. You could also do this anonymously. They claimed that it was secure because the PGP stuff was done via a Java applet. It turns out that
If you have a use case for using content signing and encryption, using a closed-source Java or other web applet is a pretty weird way to address it.
14 comments
[ 2.9 ms ] story [ 42.2 ms ] threadOf course you could also install Thunderbird portable on your USB drive and implement your suggestion as well.
Lots of reasons. If encryption is ever to become widespread, it needs to accomodate the myriad of situations that users might need computing/communication in. Which is a lot.
[1] http://www.crypto-stick.com/
For the same reason that people choose Facebook web hosting over their own privacy protected servers. They are not tech savvy and know little to nothing about security. They don't even know what keys are. 10 years ago, they just knew that Hushmail offered encrypted email. It was the first service anybody heard of that did that. The non-tech savvy crowd is the niche that services like Hushmail exploit.
What is more interesting is what the EULA said about this sort of thing and if they hand data over without notification to the owner. I suspect that they did.
If you have a use case for using content signing and encryption, using a closed-source Java or other web applet is a pretty weird way to address it.
Now it's time to put pressure on Microsoft to implement two-factor authentication and native PGP support.