Our encrypted email provider, Hushmail, has suffered from a domain name security compromise.
We are not yet convinced that there have been no Man-In-The-Middle attacks on our encrypted logins and encrypted data.
Hushmail security notice:
"Sunday April 24, 3:30 PM PST
On April 23rd, an unauthorized party gained access to our customer account at our domain registrar.
A domain registrar is a company that is responsible for controlling which website actually gets displayed when you enter an address (such as www.hushmail.com) in your web browser. Therefore, by breaching security at our domain registrar, the unauthorized party was able to control which website would be displayed when users entered the address www.hushmail.com.
The unauthorized party altered the domain settings so that users entering www.hushmail.com in their web browser were no longer directed to our real website. Instead, users were redirected to a different website at a different location. Soon that website was shut down, and users simply received an error page.
We are following up with our domain registrar to determine how the unauthorized party was able to gain access to their system.
There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, email sent to hushmail.com may not have been delivered.
Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to update this page as more information becomes available.
Note on Non-secure and Secure Web Pages
Non-secure web pages are accessed by addresses that start with "http://". The content is not encrypted, and the page source is not verified. The lock icon in your status bar will not be displayed.
Secure web pages are accessed by addresses that start with "https://". The content is encrypted, and the page source is verified. The lock icon in your status bar will show a closed lock.
If a domain registrar directs you to the wrong website for a secure web page, the verification will fail, and your browser will display errors.
Although the front page and text content of www.hushmail.com can be accessed by either a secure or non-secure web page, sensitive pages such as the pages where you enter your passphrase, access your email, or supply credit card information are always served as secure web pages.
To guard against the danger of domain redirection, always be sure that when you enter your passphrase you are on a secure web page with the lock on your browser closed, and that the address in your address bar says "hushmail.com". If your browser displays any error messages about the "certificate" that verifies the website, do not continue.
To ensure maximum safety, use secure web pages whenever possible. If you are just browsing the Hushmail website, you can access the secure page at https://www.hushmail.com instead of the page at http://www.hushmail.com.
Sunday April 24, 12:00 AM PST
In recent hours we have been made aware that security was compromised at the domain registrar responsible for the hushmail.com domain. For a brief period, this domain was forwarded to a server belonging to an unidentified party, which resulted in our web page being unavailable or appearing defaced.
There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, email sent to hushmail.com will not have been delivered.
Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to update this page as more information becomes available."
The Zone-H website defacement mirror has a report on this incident, and an archive of the re-directed web page / defacement:
"It was first noticed very early this morning, when the domain www.hushmail.com began to redirect users to a page containing the following message: "The Secret Service is watching. -Agent Leth and Clown Jeet 3k Inc". The DNS were changed to DNS1.EVONEXUS.NET DNS2.EVONEXUS.NET while hushmail are using their own servers (NS*.HUSHMAIL.COM) and the information on the whois was hijacked:
Administrative Contact, Technical Contact:
Smith, Brian clownowns@yahoo.com
Hush Communications
Maybe the attacker somehow got this contact's password, whose email address was admn@HUSHMAIL.COM (according to the data on the whois of hush.com) and modified the data of the domain on the Network Solutions web site, their registry.
On Sunday 4am GMT the page was removed, probably by burst.net, which was hosting it; the emails sent to the hushmail.com users were bounced back to the sender at the time of writing."
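A check for the kind of registrar-record change the report above describes, as an added example that is not part of the original post or the Zone-H report. The whois-style snapshot is constructed from the values quoted above, and the baseline contact domain is an assumption.

```python
import re

# Baseline the domain owner expects. NS*.HUSHMAIL.COM comes from the report
# above; the contact domain set is an assumption made for this example.
BASELINE_NS = re.compile(r"^NS\d*\.HUSHMAIL\.COM$")
BASELINE_CONTACT_DOMAINS = {"hushmail.com"}

# Constructed whois-style snapshot built only from values quoted in the report.
HIJACKED = """\
Domain Name: HUSHMAIL.COM
Administrative Contact, Technical Contact:
   Smith, Brian clownowns@yahoo.com
   Hush Communications
Domain servers in listed order:
   DNS1.EVONEXUS.NET
   DNS2.EVONEXUS.NET
"""

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
HOST_RE = re.compile(r"^\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)\s*$")

def parse_whois(text):
    """Return (name servers, contact e-mail domains) found in whois-style text."""
    servers, domains, in_ns = [], set(), False
    for line in text.splitlines():
        if line.lower().startswith("domain servers"):
            in_ns = True
            continue
        host = HOST_RE.match(line) if in_ns else None
        if host:
            servers.append(host.group(1).upper())
        else:
            in_ns = False  # the name-server list ends at the first non-host line
        domains.update(m.group(1).lower() for m in EMAIL_RE.finditer(line))
    return servers, domains

def audit(text):
    """List every difference between the snapshot and the baseline."""
    servers, domains = parse_whois(text)
    findings = []
    if not servers:
        findings.append("no name servers parsed; treat as a failed check")
    findings += [f"unexpected name server: {ns}"
                 for ns in servers if not BASELINE_NS.match(ns)]
    findings += [f"contact e-mail outside owned domains: {d}"
                 for d in sorted(domains - BASELINE_CONTACT_DOMAINS)]
    return findings
```

Run on a schedule from a host that does not depend on the monitored domain's own mail, since mail to the domain bounces while the delegation is wrong.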
Did the attacker exploit the obsolete SSL version 2 protocol which the Network Solutions webserver still forces you to use (rather than the more recent SSL ver 3 or TLS ver 1.0 protocols)?
http://www.spy.org.uk/spyblog/archives/2004/12/are_your_credit.html
SSLv2 is vulnerable to a cryptographic strength downgrade attack (i.e. downgrading you to weak 40-bit encryption when you were expecting to connect with strong 128-bit encryption) and a stream interruption attack, both of which were fixed back in 1996 with SSL version 3.
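A simplified model of the strength downgrade described above, as an added example that is not from the original post: a cipher-suite list that is never authenticated can be edited in transit without either side noticing, while a keyed hash over the handshake, the approach SSL version 3 introduced, makes the edit detectable. The suite names, the use of HMAC-SHA256 and the fixed shared secret are assumptions of the model, not the real wire format.

```python
import hashlib
import hmac

# Key sizes in bits. The suite names are illustrative labels, not wire values.
STRENGTH = {"RC4_128": 128, "RC4_40_EXPORT": 40}
CLIENT_OFFER = ["RC4_128", "RC4_40_EXPORT"]


def strip_strong(offer):
    """Constructed in-transit edit: remove every suite stronger than 40 bits."""
    return [suite for suite in offer if STRENGTH[suite] <= 40]


def transcript_mac(secret, offer, chosen):
    """Keyed hash over the negotiation, standing in for a Finished message."""
    data = (",".join(offer) + "|" + chosen).encode()
    return hmac.new(secret, data, hashlib.sha256).digest()


def negotiate(offer, in_transit=None, authenticated=False,
              secret=b"constructed-shared-secret"):
    """Return (suite, bits); suite is None when the handshake is aborted."""
    received = in_transit(offer) if in_transit else list(offer)
    chosen = max(received, key=STRENGTH.get)  # strongest suite the peer saw
    if authenticated:
        # Each side MACs the offer as it saw it; an edited list cannot match.
        sent = transcript_mac(secret, offer, chosen)
        seen = transcript_mac(secret, received, chosen)
        if not hmac.compare_digest(sent, seen):
            return None, 0
    return chosen, STRENGTH[chosen]
```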