End-to-end email encryption. What is it and how does it work?

What is end-to-end email encryption?

End-to-end email encryption is a method of transmitting data where only the sender and receiver can read email messages. With end-to-end email encryption, the data is encrypted on the sender’s system.  Only the intended recipient will be able to decrypt and read it. Nobody in between can read the message or tamper with it.  End-to-end email encryption provides the highest level of confidentiality and protection to your email communication.

What is not end-to-end email encryption?

For a better understanding of what end-to-end email encryption is, we must first understand what is not end-to-end encryption.

  • SSL/TLS – When you visit https://www.gmail.com, the HTTPS in front of the URL denotes that SSL/TLS protocol has been used to encrypt the data transferred between your computer and the Gmail servers. This protocol is much more secure than HTTP (without “S” = not secure). Most websites adopted SSL/TLS to protect against malicious intermediaries. The downside to relying solely on HTTPS, is that data is only encrypted between your device and the Gmail servers.  Gmail has the keys to decrypt that data.
  • SMTP over TLS (STARTTLS) – Lets take the case of a Yahoo mail users that sends an email to a Gmail users.  When you send an email with SMTP over TLS between these two mail services, the message between the two servers is encrypted on a condition that the recipient server also supports SMTP over TLS (which Gmail does).  Using STARTTLS is a good practice, however several attemps are made to ‘portray’ this as the ultimate email security and privacy solution.  In our opinion STARTTLS is not good enough since both the sending and receiving server have access to the message content.  Moreover, not all receiving servers support STARTTLS.

Because of the imperfections of SSL/TLS and STARTTLS, end-to-end encryption remains the only secure way for your email communication.

How does end-to-end email encryption works?

end-to-end email encryption

Source: https://en.wikipedia.org/wiki/Pretty_Good_Privacy

End-to-end email encryption requires both sender and recipient to have a pair of cryptographic keys.  There is one private key and one public key. The sender encrypts the message locally on his device using the recipient’s public key. The receiver decrypts it on his device using his private key. The process works as follows:

  1. Alice (sender) and Bob (recipient) both generate their keypairs and share eachother public keys.  They keep their private key ‘private’ as the name suggests.  You only need to generate your keys once when creating an encrypted email account.
  2. Alice encrypts the message using Bob’s public key in her device and sends it to Bob.
  3. Bob receives the encrypted message on his device and decrypts it using his private key.

With real end-to-end encryption, also called “client-side encryption” or “zero access”,  all encryption and decryption happen on the users’ devices. End-to-end encryption thus prevents any intermediary from reading user data and guarantees the confidentiality of the data much more than SSL/TLS or STARTTLS.

How to send an end-to-end encrypted email using Mailfence

end to end encryption

Sending and receiving signed and end-to-end encrypted emails using Mailfence.

Yes, Mailfence makes end-to-end email encryption super easy!  No plugins, no key management in separate keystores,…

It is just like any other webmail service, but secure and private.

Advantages of End-to-End email Encryption

End-to-end email encryption has the following advantages:

  • Privacy :  The content of your emails and the attachments are protected from being read by anybody else than the intended recipients. It protects you among others from threats of hackers taking hold of data transfer by sniffing over Wi-Fi/or other channels.
  • More security and authenticity: End-to-end encryption can be combined with digital signing.  A digitally signed and encrypted email proves that the sender is indeed the ‘true’ sender of the message.  It also guarantees that message is not tempered with during transit.  More about digitally signed emails in our next post.
  • Say NO to mass-surveillance : End-to-end encryption protects your messages against mass-surveillance. Check the strong case for encryption post by one of the Mailfence founders.

Why have I not used it before?

End-to-end email encryption exists for decades.  The low adoption has several explanations. First, it is not in the interest of mainstream providers to support end-to-end encryption as their business model depends on advertising and selling user data. Secondly, our governments want to be able to keep a check on our communications. Last but not the least, end-to-end encryption has traditionally been hard to implement and difficult to use and understand.

See also: Secure email: Why end-to-end encryption is at the heart of itOpenPGP encryption best practices

At Mailfence, we have designed an easy to use end-to-end encrypted email.  We believe that users have an absolute and irrevocable right to internet privacy.  In case you want to leave either Yahoo Mail  or Gmail, that do not offer end-to-end email encryption, click on Yahoo Mail or Gmail, .

Join the fight for online privacy and digital freedom.

Reclaim your email privacy!

 

Follow us on twitter/reddit and keep yourself posted at all times.

– Mailfence Team


Spread the word!

M Salman Nadeem

Information Security Analyst - Security Team | Mailfence

You may also like...

3 Responses

  1. March 23, 2017

    […] End-to-end encryption protect your message privacy, while digital signatures provide additional security attributes: […]

  2. May 17, 2017

    […] use all those OpenPGP keystore features without actually using Mailfence’s own OpenPGP based E2EE and Digital Signature features. Use Mailfence as a user-friendly web-based OpenPGP keystore.  […]

  3. July 11, 2017

    […] End-to-end email encryption. What is it and how does it work? […]

Leave a Reply

Your email address will not be published. Required fields are marked *