Review: Hushmail Simplifies Business Email Encryption

Another problem I had with the plug-in is that I had to be connected to the Internet to use it, meaning that I couldn’t compose offline encrypted messages. If your company has a lot of frequent travelers who want to compose their emails when away from a broadband connection, this could be an issue.

From the Hush web client, I was able to encrypt my messages, digitally sign them (so that recipients will know they weren’t tampered with during transmission) and request receipts. If you choose to encrypt a message to a user who isn’t listed on Hush’s key server, you will be given a choice of a question and a passphrase that will be presented to the user when he or she first gets the encrypted message. If the recipient answers the question correctly, the message will be decrypted and presented to that person. While this isn’t as secure as exchanging crypto-keys, it does protect your emails from being intercepted in transit.

The Hush service includes an optional Java applet that encrypts messages typed into the webmail interface on the client side before that content reaches the Hushmail servers. For users who don’t have Java installed or don’t wish to use it, the content is encrypted after it reaches Hush. Either way, the content travels across an SSL (Secure Sockets Layer) connection, so users still have some protection.

It is a minor point, but it does show that Hush is going the extra mile. The company seems determined to plug as many possible attack entry points as possible, and for that it should be commended.

Hush’s preferences page isn’t quite as robust as that of Gmail or some other webmail products, but there are a fair number of options to choose from. For example, you can automatically encrypt all outgoing messages, display all emails in plain text or HTML, set up automatic responses and append a footer text to all messages.

Admin features and forms

One thing lacking from Hush is that you don’t have the automatic user self-registration that other vendors such as PGP and Proofpoint offer. This means that all users need to be preregistered and set up in the system first. The other products allow users to receive encrypted emails and then register themselves.

All of the business accounts for a domain can be managed for $10 a month per domain, and include features such as usage reports, whitelist and blacklist controls, and email forwarding configurations.

One of the nice features of the business client is the ability to include secure forms to handle encrypted communications from the general public at no additional charge if they host the forms, or for $4 (£2.60) per month if you want to host the form on your own website. This makes it easier for your customers and suppliers to communicate with you and still take advantage of encrypted messages, without having to set up anything on their end.

You set everything up online with your web browser and can make any modifications to the raw HTML code. Within a few minutes, your form will be online. When a visitor to your website fills out the form, the content is emailed securely to a special inbox.