Encrypted Email: Fact vs Fiction

TL;DR

Encrypted email isn’t a magic bullet. It protects the contents of your message, but not necessarily everything about it. Here’s how to understand what encryption does and doesn’t do.

Understanding Email Encryption

Email wasn’t originally designed with security in mind. It travels across many servers before reaching its destination, making it vulnerable. Encryption scrambles the message so only the intended recipient can read it. But there are different types of encryption and levels of protection.

Checking Email Encryption Statements

1. Statement: “If I use a webmail provider that says it encrypts my emails, everything is secure.”

• Incorrect. Most webmail providers (like Gmail, Outlook.com) use Transport Layer Security (TLS) to encrypt the connection between your computer and their server. This protects your login details and the email while it’s in transit to them. It doesn’t usually protect the contents of the email once it’s stored on their servers or when sent to another provider.
• What to check: Look for end-to-end encryption (see step 3). TLS is good, but not enough for highly sensitive information.

Statement: “Using ‘Confidential’ in the email subject line encrypts the message.”

• Incorrect. The ‘Confidential’ flag is just a marker; it doesn’t actually encrypt anything. It’s a polite request, not a security measure.
• What to do: Don’t rely on this for security. Use proper encryption methods instead.

Statement: “End-to-end encryption means only the sender and receiver can read the email.”

• Mostly correct. End-to-end encryption (E2EE) uses keys that are unique to each conversation, meaning even the email provider can’t decrypt your messages. Services like ProtonMail and some features in others offer this.
• Important: The recipient must also use E2EE for it to work. If they’re using standard email, you’ll likely need a separate tool (see step 4).

Statement: “Encrypted emails hide my sender address and IP address.”

• Incorrect. Encryption protects the message content, not your metadata. Your email headers still contain information like your sender address, recipient address, timestamps, and potentially your IP address (although this can be masked with a VPN).
• What to consider: Metadata is valuable to attackers. Use privacy-focused email providers or tools that minimise metadata collection if you need extra protection.

How to Improve Email Security

1. Use a Secure Email Provider: Consider ProtonMail, Tutanota, or Startmail which offer end-to-end encryption by default.
2. Enable Two-Factor Authentication (2FA): This adds an extra layer of security to your account. Most providers support this using apps like Google Authenticator or Authy.
3. Verify Encryption: If you’re unsure if an email is encrypted, check for a padlock icon in your webmail interface and look for confirmation messages from the provider.
4. PGP/GPG Encryption (Advanced): For maximum control, use Pretty Good Privacy (PGP) or GNU Privacy Guard (GPG). This requires more technical knowledge but offers strong encryption. You’ll need to install software on your computer and exchange public keys with recipients.

   gpg --gen-key

5. Be Careful of Phishing: Encryption won’t protect you from clicking malicious links or downloading attachments from untrusted sources. Always verify the sender’s identity before interacting with an email.