At 4:51 PM +0000 5/31/15, [EMAIL PROTECTED] wrote:
>
>Maybe you could make your own local html page and download the applet
>JAR file once and for all, then refer to that when you wanted to use hushmail.
>Or better still, build the applet file yourself, if they supply the
>source.  I'm not
>sure if the Java rules would allow a local applet loaded by a browser to do
>internet access, though.
>...

The applet source is available from the HushMail site.  I am not aware of
any additional restrictions on a local applet or any way for HushMail to
tell the difference. On the contrary, you could convert their source to a
Java application and then be free of all Java "sandbox" restrictions. You
would have to keep up with future changes HushMail makes in the applet tho.

The source code (1.03) confirms that HushMail does not use salt before
hashing the passphrase. That is a serious weakness, as we have been
discussing. Users can compensate by choosing a longer passphrase or by
appending a unique non-secret value, e.g. their phone number or hushmail
user name, to their passphrase. The latter approach still means more typing,
but not more memorizing.

HushMail should fix this, perhaps by appending the user name to the
passphrase automatically.  This would eliminate the need to store the salt
in their database. For backwards compatibility, the applet could simply try
both ways (with and without an appended user name).

Arnold Reinhold
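The weakness described above and the proposed fix (user name appended as a non-secret salt, with the applet trying both forms for backwards compatibility), as an added Python sketch that is not part of this message or of the HushMail applet; the hash function (SHA-256), the record layout and the sample users are assumptions:

```python
import hashlib
import hmac
from typing import Optional

# Assumed hash construction: the message does not say which hash the HushMail
# applet uses, so SHA-256 over the UTF-8 passphrase stands in for it here.
def hash_passphrase(passphrase: str, salt: str = "") -> str:
    """Hash the passphrase with an optional appended (non-secret) salt."""
    return hashlib.sha256((passphrase + salt).encode("utf-8")).hexdigest()

def make_record(user: str, passphrase: str, salted: bool) -> dict:
    """Server-side record: only the hash is stored. With salted=True the user
    name is appended as the salt, so no separate salt column is needed."""
    return {"user": user, "hash": hash_passphrase(passphrase, user if salted else "")}

def verify(user: str, passphrase: str, record: dict) -> Optional[str]:
    """Backwards-compatible check: try the user-name-appended form first, then
    the legacy unsalted form. Returns "salted", "legacy" (record should be
    re-hashed in the new form) or None when neither matches."""
    if hmac.compare_digest(hash_passphrase(passphrase, user), record["hash"]):
        return "salted"
    if hmac.compare_digest(hash_passphrase(passphrase), record["hash"]):
        return "legacy"
    return None

def table_hits(records: list, candidates: list) -> list:
    """Why unsalted hashing is weak: one table of hashes over common passphrases,
    computed once with no per-user value, matches every user who chose one of
    them. Returns the user names whose stored hash appears in the table."""
    table = {hash_passphrase(p): p for p in candidates}
    return [r["user"] for r in records if r["hash"] in table]

# Constructed sample data: two users who picked the same weak passphrase.
COMMON = ["correct horse", "letmein", "hushmail"]
LEGACY = [make_record(u, "correct horse", salted=False) for u in ("alice", "bob")]
SALTED = [make_record(u, "correct horse", salted=True) for u in ("alice", "bob")]

if __name__ == "__main__":
    print("unsalted hashes identical:", LEGACY[0]["hash"] == LEGACY[1]["hash"])
    print("table recovers (unsalted):", table_hits(LEGACY, COMMON))
    print("table recovers (salted):  ", table_hits(SALTED, COMMON))
    print(verify("alice", "correct horse", LEGACY[0]),
          verify("alice", "correct horse", SALTED[0]))
```

With the user name appended, the same precomputed table matches nobody, and a "legacy" result from verify tells the server which records still need re-hashing.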
