On 2/14/2013 4:42 AM, adrelanos wrote:
That concept of "feds" forcing Hushmail send targeted users a modified Java applet, (that does the encrypting on client side), so their pass phrase could be captured, is discussed here:Moritz Bartl:On 13.02.2013 22:47, Joe Btfsplk wrote:I suppose even providers offering encryption of files while on their server (like Lavabit), could read the mail just before it was encrypted / decrypted, since they are doing the encrypting.Even if they encrypt maildirs on their servers and unlock only while you are logged in, they can sniff your login/encryption password and poof. That's what Hushmail was forced to do on request by law enforcement.What if Hushmail (or any other mail provider) had recommended the user to install a browser add-on to do encryption locally? Could they get forced to convince the user to install a malicious browser add on, on request by law enforcement?
http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/
But can the feds force Hushmail to modify the Java applet sent to a particular user,I don't know if Hushmail still offers a method to encrypt email locally, before sent to Hushmail servers. But for any that do offer such a feature, it's possible w/ a court order, or something such as a National Security Letter - NSL https://en.wikipedia.org/wiki/National_security_letter - they could be forced / coerced into doing something like that. That wouldn't affect majority of users, who aren't direct targets of investigation.
That said, BEFORE the Patriot Act in U.S. (& now similar acts / laws in other countries), no one would've dreamed it would be so easy for LEAs to get "private" email - even encrypted ones. So what's next? Interesting fact: I've read documented correspondence (issued by an ISP) that ISPs & probably email providers, get paid QUITE a bit, to gather & turn over data requested in NSLs & maybe ? for other LEA requests. We're not just talking chump change. Big providers get LOTS of requests to turn over data each yr.
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk