Assuming that it’s not your first time on the Internet, I’m sure you have heard about email and use it daily to communicate with online services and other people. But you’ll be surprised to know that emails are not as secure as you thought they would be.
For instance, let’s take the old school “sending information via post” scenario. To send a simple greeting card to a friend, all you have to do is write some warm message, add their address, stick on the postal stamp and send it. However, if you are writing about your personal life or sending sensitive information like accounting data, tax returns, or checks, you will enclose that letter in an envelope, make sure that all the openings are sealed, and then send it with someone you trust. Simply put, the more sensitive the data is, the more precautions you take.
And the same holds true for your emails. However, there are several misconceptions and unknowns about email encryption. So, here are a few things you should know about email encryption.
1. Is Email Really Secure?
Yes and no. Most emails are encrypted by default.
By default, almost all the major email services like Gmail, Outlook, GMX, Yahoo, etc., use SSL/TLS to encrypt Email communications. In fact, when you try to access the webmail client of any email provider, you will see the letters “HTTPS” and the secure padlock icon in the address bar. If you see this, your email communication is encrypted and no one on your network can eavesdrop on your communications. Even when you are using desktop email clients, all the major email providers force SSL/TLS for encrypted communications so that you don’t have to worry.
As good as it is, this type of encryption is not that reliable. Let’s break down the path of Email.
- You type a message on your device.
- Once you hit send, the message goes from your device to the email server.
- Next, it travels between multiple email servers until it reaches the recipient's server.
- Finally, the message goes from the recipient's mail server to their devices.
Now, if you look closely, there are multiple loopholes here. For instance:
1. If someone has access to the sender's or receiver's phone, they can open the Gmail app and see everything.
2. Again, there is no guarantee of encryption if you send email to a different mail provider, like Gmail to Outlook.
3. When asked by the Govt (for terrorist activity or national security), every email service provider will have to comply and decrypt your emails.
4. And then we have the email providers themselves, who scan your emails for keywords for potential ads or spam.
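The per-hop gap in point 2 can be checked on a delivered message, because each server records the protocol it used in a Received header. The following is an added example, not part of the original article, using Python's standard library on a constructed message; the hostnames are placeholders and the function names are hypothetical.

```python
import re
from email import message_from_string

# "with" keywords that indicate the hop ran over TLS (registered by RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\S+)",
    re.S | re.I)

def audit_hops(raw):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest is on top
        m = HOP_RE.search(value)
        if not m:                       # header we cannot interpret
            hops.append({"from": None, "by": None, "proto": None, "tls": None})
            continue
        proto = m["proto"].rstrip(";").upper()
        hops.append({"from": m["src"], "by": m["dst"],
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def unencrypted(hops):
    """Hops that did not record a TLS-protected transfer."""
    return [h for h in hops if not h["tls"]]

# Constructed sample: the sender submits over TLS, but the transfer between
# the two providers is recorded as plain ESMTP.
SAMPLE = """\
Received: from mx.recipient.example by store.recipient.example with LMTPS id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.sender.example by mx.recipient.example with ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example by out.sender.example with ESMTPSA id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

hello
"""

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop["from"], "->", hop["by"], hop["proto"], "TLS" if hop["tls"] else "NO TLS")
```

Received headers added by servers outside your own provider can be forged by whoever handled the message earlier, so only the entries written by your provider's servers are reliable evidence.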
So, you see, your emails are not as secure as you thought they would be. Partly because, just like the World Wide Web, email was not specifically developed for what we use it for today. Email was invented back in the 1960s as a simple mode of communication; no one knew it would turn out to be the biggest mode of online communication 50 years later.
Your emails are safe most of the time. Govt and corporates have no interest in spying on your emails. However, if you are sending sensitive data (we don’t judge), the good news is that you can use email encryption from your side as well. And it’s pretty good.
2. What is Email encryption
In simple terms, email encryption is a means of hiding the content of an email from plain sight and authenticating the real intended recipient. Other than the intended recipient, no one, including the actual email provider, government, or even eavesdroppers, can access the contents of your email.
Generally, when anyone other than the actual intended recipient tries to access the contents of an encrypted email, all they will see is random text (ciphertext) that makes no sense. However, the true recipient can easily decrypt that random text with a private key to access the contents of the email.
Here is how an encrypted Email will look in Gmail. (see screenshot below)
3. How Email Encryption Works
There are several methods for sending Encrypted Emails, like signing emails with your own personal email certificates, PKI (Public Key Infrastructure), etc.
However, the easiest and most secure way to encrypt an email is to use the OpenPGP standard. The PGP (Pretty Good Privacy) standard is an end-to-end encryption system that combines symmetric-key cryptography, data compression, public-key cryptography, and hashing to encrypt the email.
When using the OpenPGP standard, you will get a key pair, i.e., two related keys, one public and one private. You can distribute the public key however you want while securely storing and never sharing the private key. When a user wants to send you a secure email, he/she should encrypt that email with your public key. Once encrypted, only you can decrypt the email with your own related private key. If you lose the private key, even you won’t be able to access the contents of the email.
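The combination of public-key and symmetric cryptography is visible in the structure of an encrypted message itself. The following is an added example, not from the original article, that goes a step beyond the text: it unpacks an ASCII-armored message into its OpenPGP packets (RFC 4880) and lists what anyone can read without a private key. The sample message is constructed with filler bytes in place of real ciphertext, and the function names are hypothetical.

```python
import base64

# Packet tags and public-key algorithm IDs from RFC 4880 (subset).
TAGS = {1: "public-key encrypted session key",
        18: "symmetrically encrypted, integrity-protected data"}
PK_ALGOS = {1: "RSA", 16: "Elgamal", 18: "ECDH"}

def dearmor(text):
    """Return the binary packets inside an ASCII-armored PGP message."""
    lines = text.strip().splitlines()
    body = lines[lines.index("") + 1:-1]   # after the blank line, before END
    # A line starting with "=" is the optional armor checksum, not data.
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) for new-format packets with 1- or 2-octet lengths."""
    i = 0
    while i < len(data):
        if data[i] & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled")
        tag, first = data[i] & 0x3F, data[i + 1]
        if first < 192:
            length, i = first, i + 2
        elif first < 224:
            length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
        else:
            raise ValueError("4-octet and partial lengths are not handled")
        yield tag, data[i:i + length]
        i += length

def describe(armored):
    """List what is readable in an encrypted message without any private key."""
    out = []
    for tag, body in packets(dearmor(armored)):
        info = {"packet": TAGS.get(tag, f"tag {tag}"), "bytes": len(body)}
        if tag == 1:   # version, 8-octet recipient key ID, algorithm, then MPIs
            info["recipient_key_id"] = body[1:9].hex().upper()
            info["algorithm"] = PK_ALGOS.get(body[9], str(body[9]))
        out.append(info)
    return out

def build_packet(tag, body):   # used only to build the constructed sample
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed sample: a session key wrapped for key ID 0123456789ABCDEF,
# followed by the symmetrically encrypted body (filler bytes, not ciphertext).
PKESK = b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01" + b"\x00\x10\xAA\xBB"
SEIPD = b"\x01" + bytes(range(40))
SAMPLE = ("-----BEGIN PGP MESSAGE-----\n\n"
          + base64.b64encode(build_packet(1, PKESK) + build_packet(18, SEIPD)).decode()
          + "\n-----END PGP MESSAGE-----\n")
```

The first packet carries a one-time session key encrypted to the recipient's public key, and the second carries the message encrypted under that session key; the recipient key ID in the first packet is readable by anyone who sees the message.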
4. The Problems with Encrypted Email
When you are encrypting emails, you should also be ready for some problems and inconveniences. Here are some things to know before you start encrypting your emails.
- Understanding and setting up the encryption process on various devices and environments can be a bit tedious. This is especially true if you are a beginner.
- Both recipient and sender should be using the same email encryption method.
- Before you can send an encrypted email, you should have the public key of that particular recipient. Without the public key of the target recipient, you cannot encrypt the email for that user.
- If you lose your private key, you will not be able to decrypt the emails encrypted with your public key. The same is applicable to the other party.
- When compared to normal email communications, your ease of use will be hindered due to all the encryption and decryption of data. However, this is a small price to pay for your security and privacy.
- Generally, you can only encrypt the email body. This simply means that a third party that has access to your email account can still see the email address of the recipient and the subject line of the email.
5. When to Use Encrypted Email Services
The good thing about these services is that they remove all the tedious steps and let you encrypt all your messages with your own password at the server level. This ensures that no one, including the email provider and government entities, can access your emails without your knowledge.
However, the downside is that you can only send encrypted emails within the service, i.e., both users should have an account with the same email provider. If you are sending emails to other providers, then the emails will not be encrypted. Moreover, the downside of using encrypted email services is that you are relying on a third party for your security and privacy.
So, if you want ease of use and don’t mind relying on a third party to ensure your safety and privacy, then do try encrypted email services.
6. Encrypting Emails v/s Encrypting Mail Servers
Encrypting Emails: As we discussed earlier, when the emails are encrypted with your public key, no one but the intended recipient with the private key can decrypt and read the contents of the email. This holds true even when your email account is compromised by hackers or a government entity. That being said, in situations where your email account has been compromised, the third party may be able to see the subject lines and the email addresses of the users with whom you are communicating.
Note: The subject line is not encrypted in email encryption.
However, when you are using Encrypted Email Services like ProtonMail, all the content including the email address and subject line will be encrypted at the server level with your own password. Without the password, no one can decrypt your information.
Encrypting Email Servers: When we say Encrypting Email Servers, we are talking about the SSL/TLS encryption provided by almost all the major email providers like Gmail and Outlook. This encryption method ensures that your emails are secure and no one can intercept or access them while they are in transit. However, if a third party has access to your email account, they can access all your emails without any difficulty. This is because, while at rest, the emails are unencrypted.
That being said, even if your email provider is providing SSL/TLS encryption, if the receiving party doesn’t support it, the email will be transferred without any encryption. Moreover, it may even be prone to man-in-the-middle attacks.
So, if you want to protect your emails for privacy and security reasons, then you are better off using email encryption to encrypt the emails and then sending them through encrypted email servers. This approach ensures that your email will be safe and secure while it is bouncing around on the internet and while it is at rest in your inbox.
However, like everything in the world of security, email encryption is also not 100% secure. Agencies can still track you, the various actions you took before and after sending emails, and metadata such as login IP, User Agent, Browser ID, etc.
Hope that helps and do comment below sharing your thoughts and experiences about things you should know about email encryption.