Hushmail Review 2019

Hushmail is a secure email provider owned by Hush Communications Ltd, which is based in Vancouver, Canada. However, that firm is a subsidiary of Hush Communications Corporation, a firm based in Delaware, USA. The email provider was launched back in 1999, and since then it has become a popular service for consumers seeking to send secure encrypted emails.

While Hushmail has a good reputation for providing secure email functionality, being based in Canada is far from ideal. This is because the nation is a part of the FIVE EYES and has numerous laws that infringe on people’s privacy - including Bill C-11 which forces ISPs to perform mandatory data retention. Its connections to its US-based parent company also raises questions over the possibility of warrants and gag orders being used to extract data back to the US from its international servers.

In addition, Hushmail is a closed source proprietary application, which means that although the PGP encryption it leverages to provide secure emails has been audited - Hushmail’s software has not. Depending on your threat model, these factors may put some people off the service.

How much does Hushmail cost?

Hushmail provides a free trial that allows users to get a feel for its services without having to spend a dime. For free, users get 15 Mb of storage and one email address. 

Premium costs $49.98 and allows people to use an unlimited amount of aliases and 10 Gb of storage. The service also comes with a secure forms feature.

Hushmail Premium fee

For anybody who requires the use of a custom domain: you will need to fork out for the more expensive “business” account. This costs $5.99 per month ($71.88 per year), per user. 

Features

Compared to many email providers, Hushmail is a little thin on the ground in terms of features. If you are migrating over from Google, the loss of a calendar, storage (via drive), and spreadsheets may come as a shock. However, if you only need secure email services, Hushmail might suffice. 

It is also worth noting that if you want  Below are the full set of features available on premium:

  • 10 GB storage
  • Unlimited aliases
  • IMAP, POP support
  • Import contacts via CSV
  • Spam/Junk folder
  • OpenPGP encryption
  • Two-step verification (SMS, email, or app)
  • Secure forms feature
  • iPhone compatible

Privacy

Following Microsoft’s loss in the Microsoft Corp. vs. United States case, the US supreme court found that US corporations have a duty to extract data from their international servers when served a warrant by the US authorities. For Hushmail which is a subsidiary of a US firm, this raises privacy concerns over the possibility of gag orders. 

Those concerns are in addition to the fact that Hushmail is based in Canada, which is known to cooperate with fellow FIVE EYES nations to perform surveillance. All in all, this puts something of a question mark over the privacy that you might gain when using Hushmail - especially considering the closed source nature of the platform. 

What’s more, in order to open a Hushmail account you do need to agree to some processing of personal data. The firm also informs users that they will comply with the authorities if they are served a legitimate warrant to do so. It is worth noting at this point that there are no logs email providers on the market that allow you to sign up without handing over personal details or an email address. 

Hushmail create account

Hushmail’s data collection of personal information is detailed in its privacy policy as follows:

“As part of the account creation process your IP address will be recorded. We may request that you provide other information, such as a phone number, as well. We use this information to analyze market trends, gather broad demographic information, and to prevent abuse of our services. We will not share this information with third-parties.”

In addition, the firm warns users that if they decide to purchase a subscription the following data will be required for processing:

“Name, the account you are upgrading, the domain you wish to use for your email, alternate email address, your billing address, and your credit card information. Additionally, we will record the IP address from where the payment is made. When we process your payment transaction, this payment information will be transmitted to our payment processor. We use third-party PCI compliant services to process your payment transaction. When we process your payment, we share your IP address, city, country, and postal code with a third – party anti-fraud service to determine the likelihood of the purchase being a fraudulent transaction. We do not store your credit card number on our servers.”

What’s more, Hushmail explains that it will collect data from you as and when you sign into and use its service:

“Information we record may include your IP address, your browser type, browser language, date and time of the action, account usernames, sender and recipient email addresses, filenames of attachments, subjects of emails, URLs in the bodies of unencrypted email, and any other information that we deem necessary to record for the purposes of maintaining the system and preventing abuse.”

As you can see the firm collects and retains all email metadata, presumably so that it can comply with warrants and requests from law enforcement if it is presented with them. So, is there any evidence of Hushmail passing data to the authorities?

For starters, Hushmail does not provide a transparency report, or have a Warrant Canary, like so many of its competitors. This is a shame because it means it is impossible for consumers to understand the number of requests for data it is receiving and complying with. However, with just a little research it is possible to find evidence of Hushmail spilling information to Canadian authorities.

In 2007, Hushmail handed over 12 CDs worth of emails relating to three Hushmail accounts. According to sources from the case, Hushmail provided clear text versions of encrypted emails it should not have been able to access due to End to End Encryption. That data was passed to the US Feds, following a court order obtained via the mutual assistance treaty between the U.S. and Canada (FVEY).  The case is extremely concerning and casts serious doubts over the service and the possibility of it having a backdoor. 

Following the case, the CTO of Hushmail also admitted that intelligence agencies were able to break into encrypted emails of targeted accounts via vulnerabilities in the Javascript browser application. 

To be fair on Hushmail, this is a problem for all browser-based encryption that is executed with Javascript.  For this reason, anybody who wants to send and receive PGP encrypted emails securely without the possibility of a man-in-the-middle attack that can force compromised encryption keys onto both the sender and recipient’s browsers - will need to opt for using an email service with a dedicated client. (Hushmail can be used in this way; if you trust it.)

On the other hand, the frank admission that this Java exploit is actually being exploited on Hushmail users goes quite a bit further than simply saying that it is possible in theory, and it is a sharp reminder of the fact that it is very hard to trust US services that claim to provide privacy. 

Finally, we hated that we had to provide a phone number at the subscription stage in order to receive an SMS verification code. Having to provide your old email and a phone number is too invasive for us.

Security

Hushmail implements encryption for both sending and storing emails on its servers. However, any email sent unencrypted is stored on Husmail’s servers unencrypted also which means that they could be compromised if the firm is served a warrant. This is a shame because there is absolutely no reason why Hushmail couldn’t encrypt all emails that are at rest; including those that were sent unencrypted.

When users send emails using Hushmail, their real IP address is scrubber from the header and is replaced with an IP address belonging to Hushmail. This is good for security because the recipient will never see the senders real IP address. However, it is worth noting that Hushmail always records your IP address when you log into its services; so that data is being recorded and could make it into the authorities hands at a later date.

Although Hushmail uses proprietary closed source software, it does implement fully audited OpenPGP standards for email encryption. The firm also implements Transport Layer Security (TLS/SSL) encryption for all data that is communicated in transit to its servers. For added security, the firm implements Hushmail uses Forward Secrecy, HTTP Strict Transport Security and Certificate Pinning. SSL/TLS encryption is also used when the firm transmits email between servers. This security should allow stop Man-in-the-Middle attacks from taking place. 

Where the PGP encryption is concerned, Hushmail ensures that the main body and attachments contained within emails are protected with OpenPGP encryption. OpenPGP encryption is available through Hushmail’s webmail service and within its iPhone app. It is also available when accessing Hushmail over IMAP or POP3.

As is the case with Tutantoa, Hushmail has a feature that allows users to send encrypted emails to users who do not have Hushmail (or another PGP compatible email account). When sending an encrypted email to a non-Hushmail user, the encrypted email is stored on Hushmail servers and the recipient is sent a link to access that email which can be decrypted via a question and answer system that the recipient must know the answer for. 

That system is generally considered safe. However, it does mean you have to trust Hushmail, which might leave some consumers feeling cold. You will need to make that judgment call yourself depending on your threat model. 

For logging into an account, hushmail suggests that users enter a passphrase. The firm states that those passphrases are never stored on its servers. Instead, they are turned into a hashed value from which the passphrase can never be derived. 

If users want to, they also setup two-factor authentication on their account. This allows them to receive a code via a secondary email account, via SMS, or using an authentication app.  Hushmail provides another security measure by locking accounts if too many attempts to access an account are made within a short period of time, this protects accounts against brute force attempts. 

On the whole, security and encryption on the Hushmail service appear to be good. Though admittedly, we have seen even better implementations that include Perfect Forward Secrecy and other security measures such as HSTS, CAA, CSP, MTA-STS and X-XSS.

Ease of Use

Getting a Hushmail account is as easy as going to its website and setting up the free email option. Annoyingly, however, you must enter a previous email and a phone number in order to register and get the SMS activation code. This is extremely invasive. With the SMS code entered you are given access to your email account.

Hushmail webmail trial

Free users get 25 Mb of storage on the single email address that they set up.

Upgrading to a premium subscription provides users with an unlimited amount of aliases, pseudonyms, and temporary email addresses. In addition, users get 10 Gb of data storage. The premium version also allows subscribers to set up two secure web forms using its drag-and-drop form builder

Unlike many cheaper secure email providers on the market, you do not get any cool extras such as a calendar, storage (drive), webchat, spreadsheets, etc. However, you do get an all-important contacts section which is located in the hamburger menu in the top right of the web-based interface. And, unlike with some email providers , it is extremely easy to see how you import your contacts from your previous email account via CSV format (vCard is not available).

Hushmail import contacts

Due to its lack of features, it can be said that there is not much of a learning curve with this email provider. Unless, of course, you are unfamiliar with handling PGP keys; and then you will need to either do your own research or use Hushmail’s useful Help center (FAQ). 

To send an email to a non-Hushmail user via PGP, the recipient will need to upload their public key to Hushmail’s servers. There is a guide for getting this done in the FAQ. 

IMAP and PoP are available to synch across devices, and they are available for both iOS and Android. Guides are also provided for using those useful features.

For those who want to, IMAP can be used to set up Hushmail to work with a standalone client such as Outlook, MacMail, or Mozilla Thunderbird. And, this will improve the security of the platform when compared to using the browser-based webmail system (and its inherent JavaScript vulnerabilities). 

We also like that free users are automatically given a 14 day free trial of premium, which is what I used to test the email provider in this review. 

Perhaps the biggest drawback of the free service is that accounts which remain dormant for more than three weeks are automatically deleted. This is bound to be frustrating if you happen to go traveling for an extended time and come back to find that your account is closed and you have lost/missed some important emails you were expecting.

Of course, the simple answer to this problem is to get a subscription. Though, considering the privacy issues we found with this service (and the relatively high price) we would generally recommend purchasing a subscription elsewhere.

Customer support

In addition to its useful FAQ help center - which comes with various guides and articles - both free and Premium users are able to ask for support via email. 

No ticket system exists, so you will need to be patient and wait for a response. Customer support is only available during US Pacific time business hours. In addition to the email support, users are able to get phone support (only available to Premium subscribers).

Overall, support on the platform is adequate, and we were never left waiting for a response for more than a day. However, considering the high price (compared to other services) it is a shame that Hushmail does not have a live chat feature on its website. 

Conclusion

Overall, we found this email provider’s web-based software easy to use and easy to synchronize across devices. And, while it could be considered a good option for beginners  (in terms of ease of use) it can be considered expensive compared to other, more reputable email providers. Its lack of features may also put many consumers off, considering what is available with Mailfence, Posteo, and many other providers. 

A previous case in which Hushmail provided clear text copies of emails to the authorities is extremely concerning and may mean that Hushmail’s closed source applications are backdoored. The lack of features may also put some people off. 

To conclude, we would recommend looking elsewhere. This email provider’s home base in Canada and its US parent company leave too many question marks surrounding privacy and security. 

Finally, because it is possible to get a better email account for less than half the price - we would recommend shopping around for an alternative service.

Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. Ray is currently rated #4 VPN and #3 internet privacy authority by Agilience.com.

0 Comments

There are no comments yet.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives: