I think Hushmail are pretty up front about being no protection if the person who wants access has a court order. I would not go so far as to say 'snake oil'.
From Wikipedia:
"The issue originally revolved around the use of the non-Java version of the Hush system. It performed the encrypt and decrypt steps on Hush's servers and then used SSL to transmit the data to the user. The data is available as cleartext during this small window; additionally the passphrase can be captured at this point. This facilitates the decryption of all stored messages and future messages using this passphrase."
"Hushmail has stated that the Java version is also vulnerable in that they may be compelled to deliver a compromised java applet to a user.[5][7]"
In [7] "Brian", working for Hushmail, responds to a Wired journalist agreeing that the applet was an attack vector, and Brian even points to a schneier.com article stating the same[2].
He did weasel around a bit about "viewing applet/HTML source" which he admits is no use for determining the validity of the applet as it is compiled.
"I think Hushmail are pretty up front about being no protection if the person who wants access has a court order"
It is not just about having a court order. The court order is not some kind of secret key that decrypts messages, it is just a way to compel Hushmail to decrypt those messages. Pointing a gun at a sysadmin would work just as well. Paying a sysadmin would also work. Getting a spy to work for Hushmail would also work.
Let's say you are trying to protect the names of activists in China. There is no reason to think that the Chinese government could not find a sympathetic Chinese immigrant / national with an IT background who is willing to pass on some messages every so often. You can imagine other scenarios -- maybe you have highly valuable business secrets, maybe you are running a political campaign, etc.
Snake oil is the right term for Hushmail, because that is what they deliver. The only term that is more polite than snake oil is "key escrow," but why should we be polite here?
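The Wikipedia passage quoted above (the non-Java version derives the key and does the encrypt/decrypt on Hush's servers, so the passphrase and cleartext are briefly visible there) and the reply's point that a compelled, bribed or infiltrated operator can then decrypt everything at rest are easy to model side by side. The Python below is an added illustration written for this thread; it is not Hushmail's code and nothing about its internals comes from the links. The two mailbox classes, the fixed SALT, the passphrase and the message texts are all constructed, and the stdlib PBKDF2 plus HMAC-SHA256 counter-mode cipher stands in for whatever Hush actually used.

```python
import hashlib
import hmac
import os

# Stdlib-only primitives for the illustration: PBKDF2 for the passphrase,
# an HMAC-SHA256 counter-mode keystream for confidentiality and a separate
# HMAC key for integrity (encrypt-then-MAC). Constructed, not Hushmail's code.
SALT = b"constructed-fixed-salt"  # a real system would use a per-user salt
ITERATIONS = 50_000


def derive_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Distinct keys for the keystream and the MAC, both derived from `key`.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, "sha256").digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, "sha256").digest()):
        raise ValueError("bad tag or wrong key")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


class ServerSideMailbox:
    """Non-Java style (constructed model): the client sends its passphrase over
    TLS and the server derives the key and does the crypto."""

    def __init__(self):
        self.stored = []            # ciphertext at rest
        self.seen_passphrases = []  # what a compromised or compelled server could log

    def client_sends(self, passphrase: str, plaintext: bytes) -> None:
        self.seen_passphrases.append(passphrase)  # the exposure window
        self.stored.append(encrypt(derive_key(passphrase, SALT), plaintext))

    def client_reads(self, passphrase: str, index: int) -> bytes:
        self.seen_passphrases.append(passphrase)
        return decrypt(derive_key(passphrase, SALT), self.stored[index])


class ClientSideMailbox:
    """End-to-end style (constructed model): the client derives the key and
    encrypts locally; the server only ever stores and returns blobs."""

    def __init__(self):
        self.stored = []
        self.seen_passphrases = []  # stays empty: the passphrase never leaves the client

    def client_sends(self, passphrase: str, plaintext: bytes) -> None:
        self.stored.append(encrypt(derive_key(passphrase, SALT), plaintext))

    def client_reads(self, passphrase: str, index: int) -> bytes:
        return decrypt(derive_key(passphrase, SALT), self.stored[index])


def compelled_disclosure(mailbox) -> list:
    """Everything the operator can hand over using only what its servers saw:
    stored blobs plus any passphrases that passed through them."""
    readable = []
    for blob in mailbox.stored:
        for pw in set(mailbox.seen_passphrases):
            try:
                readable.append(decrypt(derive_key(pw, SALT), blob))
                break
            except ValueError:
                continue
    return readable


def disclosable_count(mailbox_cls) -> int:
    # Constructed sample: one user, one passphrase, three stored messages, one read.
    box = mailbox_cls()
    for m in (b"meeting at 9", b"list of contacts", b"draft statement"):
        box.client_sends("correct horse battery", m)
    box.client_reads("correct horse battery", 0)
    return len(compelled_disclosure(box))


def wrong_key_rejected() -> bool:
    blob = encrypt(derive_key("right", SALT), b"x")
    try:
        decrypt(derive_key("wrong", SALT), blob)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for cls in (ServerSideMailbox, ClientSideMailbox):
        print(f"{cls.__name__}: {disclosable_count(cls)} of 3 messages disclosable")
```

Running it shows the asymmetry the reply is driving at: with the server-side design every stored message (past and future, as long as the passphrase is unchanged) is readable by whoever controls or coerces the server, while in the client-side design the same compulsion yields zero readable messages. The remaining risk for the client-side design is exactly the one Brian concedes in [7]: the server can still ship a modified client that leaks the passphrase, which is why code delivery has to be trusted or verified independently.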
[1] https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_...
[2] https://www.schneier.com/essay-191.html
[5] http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.htm...
[7] http://web.archive.org/web/20071019225245/http://blog.wired....