Home»Support» Frequently Asked Questions

Frequently Asked Questions

Getting started

Account and subscription Information

Policy on illegal activity

Spam & phishing

Hushmail & privacy

Hushmail

Technical questions

Getting started

What is encryption?

Encryption is a method of scrambling information in such a way that it can only be read by the intended recipient. Much of the data on the Internet, including normal email, is not encrypted.

What is Hushmail?

Hushmail is the world’s first fully encrypted, free web-based email service. Hush’s state-of-the-art technology keeps our users’ online communications private. Free and easy to use, Hushmail works similarly to other Web-based email providers, except Hushmail offers the security of 2,048-bit encryption between Hushmail users. With Hushmail, users can access their address from any computer that has an internet connection and a web browser.

Want more information?

Where can I get help using Hushmail?

Information on using Hushmail is available in our help documentation.

Account / subscription Information

Can I change my username?

The only way to change your username is to register for another Hushmail address.

Where can I find information about my subscription(s)?

Subscription information and payment history can be found on our billing page.

How do I renew/extend my subscription(s)?

Hushmail Premium subscriptions are automatically renewed on a yearly basis.  To add new subscriptions or extend your existing ones, please use the upgrade form.  If you’re a Hushmail Business customer, please contact us.

Account deactivation/cancellation

All initial billing inquiries should be submitted using the contact form.  Free accounts will be deactivated after 3 weeks of inactivity.  After an account has been deactivated for one year, it will be completely deleted.  In some situations, newly created accounts may also be deactivated or deleted if they are not accessed within a few hours of account creation, as this is often a sign of abuse by spammers.  Accounts will also immediately be deactivated for involvement in illegal activity.

Policy on illegal activity

What is Hushmail’s policy on illegal activity?

Hush Communications has a zero-tolerance policy on the use of its services for illegal activity. Any account involved in illegal activities, including any of the following, will be immediately and permanently deactivated:

  • Purchase or sale of substances that are illegal in many jurisdictions. This includes steroids, hormones, narcotics, marijuana and marijuana seeds. This also includes any purchase of prescription drugs not intended for individual use with a prescription.
  • Purchase or sale of stolen goods.
  • Making threats to person or property.
  • Possession or distribution of child pornography.
  • Fraud.

Also see our Terms of Service.

Spam & phishing

How can I deal with spam being sent to my Hushmail address?

All Hushmail accounts have a number of Spam Control tools available to deal with spam. To get started, click on the Spam Control button in your account. Learn more.

Where can I report spam which appears to originate from a Hushmail address?

Hush has a zero-tolerance policy towards spam. Any spamming activity should be reported to Hush immediately. Full headers are required to verify that the spam originated from Hushmail, and without them, we will not be able to take action. All abuse complaints should be submitted using the contact form.

Will you ever ask me for my passphrase?

No staff member from Hush Communications will ever ask you for your passphrase. If you receive  an email asking for this or any other confidential information, delete it immediately and do not respond to it.

Learn more about phishing on Wikipedia.

An example of a phishing email pretending to be from Hush Communications:

Dear Account User
This Email is from hushmail Customer Care and we are sending it to every
hushmail Email User Accounts Owner for safety. we are having congestions
due to the anonymous registration of hushmail accounts so we are shutting
down some hushmail accounts and your account was among those to be deleted.
We are sending you this email so that you can verify and let us know if
you still want to use this account.If you are still interested please
confirm your account by filling the space below. Your User name,password,
date of birth and your country information would be needed to verify
your account.

Hushmail & privacy

Who owns Hushmail?

Hush Communications is a privately held Delaware corporation. Its headquarters and operations are located in Vancouver, Canada, with offices in Dublin, Ireland, and Anguilla, British West Indies.

Hush Communications is not and has never been affiliated with, nor owned by, any Government.

What personal information is required information to sign up?

While we don’t ask for any personal information when you sign up for a free Hushmail account, some will be required if you choose to purchase services by credit card.  Privacy is our business! Accordingly, personal data or individual account data is never shared or sold with third-party businesses. For more information, please refer to the Hushmail Privacy Policy.

How can I be sure that intruders or hackers cannot break into my email?

Learn about the ways Hushmail can protect your security.

Does Hushmail have a cryptographic “back door” so that people with a special key can decrypt any message?

There is no cryptographic “back door” that provides master key access to Hushmail email. We can’t just pick an arbitrary encrypted email message off the server and read it. Your encrypted email cannot be decrypted without your own secret passphrase and private key.

However, that doesn’t mean that Hushmail users are exempt from the legal process. Learn more.

Also see:

What if Hush receives a court order to release the contents of my account?

Read our policy regarding court orders.

Does Hushmail use Google Analytics?

We use Google Analytics to help us understand how people are using our website. This helps us to offer more useful content and to better organize the information on our website.

We do not use Google Analytics in the Hushmail webmail application or on any web pages that reveal private information about your account, such as your email messages or your passphrase.

If you are concerned about the privacy implications of this service, feel free to contact us, or disable Google Analytics in your browser. If you’re using Firefox, you can disable Google Analytics by installing the CustomizeGoogle add-on (on the Privacy tab in the CustomizeGoogle Preferences window).

Hushmail

Can I send email to anyone using Hushmail?

Yes. Hushmail functions just like a regular web email account.

Can I send encrypted email to anyone using Hushmail?

Yes. Sending encrypted email is easiest between two Hushmail users. When email is sent between two Hushmail users, the encryption is seamless and exactly like regular email use.

If you send email from a Hushmail account to a regular email account, you can still send it encrypted. To do this you must specify a question which the recipient will have to answer in order to read the email. The recipient will then receive a link to a web page. Then, by answering the question, the recipient will be able to read your email.

You don’t have to send your email encrypted. If you have something to say that’s not private, you can easily turn off encryption and send a normal email to any email account.

For more information on sending encrypted email, see our help documentation

How much email can I store? Can I pay for more storage?

Free Hushmail accounts receive 2 MB of storage space and can upgrade to Hushmail Premium for 1 GB or 10 GB of storage space plus other premium features.  To upgrade your account with one of our affiliate domains such as  Cyber-Rights, please visit their website.

Is there a size restriction on the attachments I send/receive?

Messages that you receive are limited to 25 megabytes in size for all users, including all attachments associated with the message. Users can send attachments of up to 15 megabytes.

How does Hushmail transfer attachments? Is the process secure?

Attachments sent between Hushmail users are encrypted and transferred in exactly the same way as normal text messages. The attachment is fully encrypted and is secure between Hushmail users.

For information on sending attachments in Hushmail, see our help documentation.

Does Hushmail offer digital signatures?

Yes, Hushmail offers its users the ability to digitally sign messages. This feature allows Hushmail users to verify with mathematical certainty that the message received originated from the account listed in the address line of their inboxes. Hence, a digital signature lets the recipients of the message know exactly who has sent a particular message.

For information on how to sign a message in Hushmail, see our help documentation.

Can I sign messages that I send to non-Hushmail users?

Yes, Hushmail users can send digitally signed messages to any email address.

To verify these messages, non-Hushmail users can:

  1. Visit Hushtools at: https://www.hushtools.com/verify
  2. Copy and paste the entire message into the form.
  3. Click Verify text and wait for a confirmation message to be displayed.

This will assure non-Hushmail users that the message originated from the true owner of the indicated Hushmail address, and that the message contents have not been altered in transit.

Can I be alerted at another email address whenever I receive email in my Hushmail account?

Yes. For more information, see our help documentation.

Technical questions

How many servers does my mail go through as it crosses the Internet?

To see the pathway of your sent email, open an MS-DOS client while connected to the Internet and type:

tracert computer.name[ENTER]

computer.name represents the address that appears after the “@” symbol of the address being sent a message. A list of every machine the message is routed through will appear. Each of these machines and every machine on the same local network of any of the machines listed have access to the message. If a network has hundreds of machines on it, the message is that much more susceptible or vulnerable to unauthorized review or storage. Ultimately, this exercise displays the number of routers involved in transporting a message from a Hush user’s computer to the Hush servers.

What role does Java™ play in the Hushmail solution?

Hushmail can be used with or without Java. If you use Hushmail with Java, many sensitive encryption operations that would otherwise be performed on our server can be performed on your local computer. If Java is installed on your computer, you can use it to add an extra layer of security to Hushmail. For a comparison of Hushmail use with and without Java, see our help documentation.

What is OpenPGP, and how is it involved in the Hushmail solution?

OpenPGP is a protocol for encrypting email using public key cryptography. It is based on PGP as originally developed by Phil Zimmermann. The OpenPGP protocol defines standard formats for encrypted messages, signatures, private keys, and certificates for exchanging public keys. Over the past decade, PGP, and later OpenPGP, has become the standard for nearly all of the world’s encrypted email. By becoming an IETF standard RFC2440, OpenPGP may be implemented by any company without payment of any licensing fees. Hushmail version 2.x is OpenPGP compliant. This compliance with the OpenPGP standard makes Hushmail accessible to more email users than ever before, thus ensuring that it continues to be the #1 choice in secure email systems.

What is AES, and how is it involved in the Hushmail solution?

Hush uses industry standard algorithms as specified by the OpenPGP standard (RFC2440) to ensure the security, privacy and authenticity of your email. AES (Advanced Encryption Standard)
is a type of 128-bit symmetric block cipher. When combined mathematically with a Hush passphrase, the AES algorithm encrypts the private keys of Hush users. This occurs before the key is stored
on Hushmail’s very secure key server. The only thing that can decrypt the private key is a Hush passphrase combined with the AES algorithm.

How can it be proved that the encryption used by Hushmail is actually secure?

Hush is proud of its reputation for security and has had a lot of positive feedback from industry, experts and users. The Java source code for the Hush Encrytion Engine is available to everyone, free of charge. Security experts and computer enthusiasts worldwide have the unrestricted ability to test the strength of the Hush cryptographic system. The source code can be reviewed and downloaded from our downloads page.

How can I be sure the website I access and the Java applet I
download are really from Hushmail?

The connection to our website and the Java applet that you download if using Java are confirmed by digital signature using a certificate owned by Hush Communications. When you access our
website using a URL beginning with “https://” your browser will automatically confirm this. When you download the Hush Encryption Engine Java applet when using Hushmail with Java, you will be prompted to accept a certificate from Hush Communications. Your web browser is able to confirm that only Hush Communications could have produced the digital signatures.

If you get any certificate warnings when accessing Hushmail, do not continue. Someone may be attempting to intercept your communications. In addition, if you believe that someone may have
tampered with your web browser, you can not be certain that the site you are accessing is really from Hushmail.

Does Hush have access to my passphrase?

Your passphrase is not stored on the Hushmail servers. A special hashed value is stored for authentication. The original passphrase cannot be determined from that hashed value.

Your passphrase must be used to decrypt your private keys. If you are using Java, your private keys are decrypted with your passphrase inside your browser, and your passphrase is never sent to our servers. If you are not using Java, your passphrase is sent to one of our secure servers over an encrypted connection where it is used to decrypt your private key before being discarded. Your passphrase is not stored on our servers.

For more information on the differences between using Hushmail with or without Java, see our  help documentation.

Please note that we may be required to store a passphrase for an account specifically named in a court order issued by the Supreme Court of British Columbia. Please see our policy on court orders.

Does Hush have access to my private keys?

When your private keys are stored on the Hushmail servers, they are encrypted with your passphrase. They are only decrypted when they have to be used. If you are using Java, your private keys are
decrypted and used inside your browser. If you are not using Java, your private keys are decrypted on one of our secure server, used during your email session, and then discarded.

For more information on the differences between using Hushmail with or without Java, see our help documentation.

Can the recipient of an email sent from Hush see my IP address?

No, Hushmail does not include your local IP address in outgoing email.

Does Hush log IP addresses of website visitors or account holders?

Hushmail.com does log IP addresses to analyze market trends, gather broad demographic information, and prevent abuse of our services.

I can’t ping or “traceroute” to the Hushmail servers; does this mean there is a problem?

Ping and Traceroute are network diagnostic tools that enable system administrators to determine the availability and network routing to hosts across the Internet. These tools can also be used maliciously, to disrupt the normal functions of hosts and networks, and therefore are not appropriate for use on Hushmail servers. Attempts to reach the Hushmail network using ping or traceroute will fail, but this is normal and does not indicate any disruption in service.

Can Hushmail protect against keystroke recording?

Hush cannot protect the user against this kind of security threat as our system is designed to ensure secure transmission of data between computers only. If a Hushmail user’s private computer has been compromised or if they are accessing their Hushmail account from the workplace where keystroke recording software is installed, their Hushmail passphrase may be accessed by a third party.

To combat keystroke recording software, we suggest you:

  • Change your Hushmail passphrase regularly
  • Choose a secure passphrase
  • Update your virus checking software regularly
  • Send sensitive communications through your private/home computer

Hushmail uses JavaScript, and I’m worried that there could be security problems with JavaScript. Is the use of JavaScript in Hushmail safe?

JavaScript is very secure if used properly. For one thing, Hushmail doesn’t allow any JavaScript from external sources, such as emails, to ever be executed. Other concerns are resolved by the Same Origin Policy which is implemented by all browsers to ensure that any piece of JavaScript can only access documents that came from the same domain, and via the same protocol, as it did.