Hushmail Exposed? Updated

Cryptome DVDs are offered by Cryptome. Donate $25 for two DVDs of the Cryptome 12-years collection of 46,000 files from June 1996 to June 2008 (~6.7 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. The collection includes all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org, and 23,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985.The DVDs will be sent anywhere worldwide without extra cost.

3 August 2008

Date: Sun, 03 Aug 2008 09:04:38 -0700
Subject: CRYPTOME: Response to hushmail-pry.htm
From: "S Brian Smith" <sbs[at]hushmail.com>

Hello,

This post is in error:

http://cryptome.org/hushmail-pry.htm

The post refers to the wrong file for the comparison.  The check 
should have been done against this file:

applets/HushEncryptionEngine.jar

That is the file actually used on the website.  It is processed 
with Proguard to reduce the download size, and has no debug 
information.  If you checksum that file, the checksum will match 
the file on the website.

The file mentioned in the post, HushEncryptionEngine_3-0-0-30.jar, 
contains debugging information and is not processed by Proguard.  
Therefore it does not match the file for download on the website.

Regards,
Brian Smith
Hush Communications

__________

Date: Sun, 3 Aug 2008 18:40:48 +0200
From: "Rafal Kwasny" <mag[at]entropy.be>
Subject: Cyptome. Hushmail Applet

I recently saw info about hushmail http://cryptome.org/hushmail-pry.htm.
However author compared wrong files, hushmail applet is available in
/applets/ directory within .zip file 

https://www.hushmail.com/downloads/HushEncryptionEngine_3-0-0-30.zip

and it is the same file as serverd via WWW.

2 August 2008

A sends:

Hushmail exposed?

Some people started to ask me questions
like: "Is Hushmail still safe?", and I wanted to
investigate this further... and I found it:

Hush provides full source code for review of
their HEE (Hush Encryption Engine) in:

https://www.hushmail.com/help-downloads

(Direct Download)

https://www.hushmail.com/downloads/HushEncryptionEngine_3-0-0-30.zip

within this file (HushEncryptionEngine_3-0-0-30.zip) 	
there is a file called "HushEncryptionEngine_3-0-0-30.jar".

"HushEncryptionEngine" is the Java executable responsible
for the process of encryption of messages in Hushmail
(Java enabled version). The hash of this file is:

0e6efd6b236cbb2a73049a65d6d9c5e23ac3d25b (SHA-1 Hash)

But this isn't the same file avaiable by Hushmail in their
servers:

https://mailserver1.hushmail.com/shared/HushEncryptionEngine.jar

https://www.hushtools.com/shared/HushEncryptionEngine.jar

The hash of this version is:

09e56f59a8392522543af1a1a95cb80729aa62c6 (SHA-1 Hash)

and the file definitely isn't the same avaiable in the file
"HushEncryptionEngine_3-0-0-30.zip" (but it should be).

You can confirm this opening the mentioned files
with a tool like 7-Zip or WinZip.

Again:

The hash from the original version included
with the source code released by Hush:

0e6efd6b236cbb2a73049a65d6d9c5e23ac3d25b (SHA-1 Hash)

And the hash from the version available
in Hushmail website:

https://mailserver1.hushmail.com/shared/HushEncryptionEngine.jar

and

https://www.hushtools.com/shared/HushEncryptionEngine.jar

is:

09e56f59a8392522543af1a1a95cb80729aa62c6 (SHA-1 Hash)

Cryptome readers may draw the conclusions by themselves.