
Is universal end-to-end encrypted email possible (or even desirable)?

Maria Korolov | Sept. 19, 2017
End-to-end email encryption is getting more attention as security and compliance concerns mount, but practical use cases are rapidly being eaten away by other technologies.

If the communications don't involve documents but simply require short, secure messages, a new crop of mobile-first messaging platforms like WhatsApp and Signal are built with end-to-end encryption right from the start.

For companies that are concerned about hackers listening in to messages in transit, most of the major email providers currently support SSL or TLS to ensure that the communications are encrypted while in transit. In addition, major services like Gmail and Office 365 also offer encryption for data at rest.

"When the actual transmission was clear text, it [end-to-end email encryption] made perfect sense," says Morey Haber, VP of technology at BeyondTrust, Inc. "Now that most transmission is encrypted, you've eliminated a whole use case for [end-to-end] encryption."

For business users traveling abroad, or logging in from public wifi hotspots, secure VPNs are standard tools used to protect their communications.

Finally, users who just need to send a single encrypted file to someone can simply encrypt it on their desktop. On Windows, for example, they can just open the file's Properties and turn on encryption. Then they can send the file as an attachment to their friend, and tell them the password by phone or text message.


The encrypted email systems companies use

Some companies still use end-to-end email encryption for communicating sensitive information to customers or for internal communications. They either use encryption add-ons for their existing enterprise email platforms, or use new cloud-based services. Typically, the end-to-end encryption is used just for a subset of messages, often in combination with data loss prevention tools, or for particularly sensitive projects.

"I expect if you did a lot of communication with China or Eastern Europe, you'll be using ProtonMail a lot," says Rob Enderle, principal analyst at Enderle Group. "In any kind of environment where the government looks at communications, something like ProtonMail or an end-to-end scheme is going to be safer because the government can't get them to give up the keys."

In particular, it makes sense to go with a provider that doesn't have a big presence in that country, he says, because if it does, the government can lean on the provider and, in effect, hold the investment at ransom. In fact, both China and Russia have cracked down recently on VPN providers, and Apple was forced to remove VPN apps from its App Store in China this summer.

In other countries, courts may require email service providers to turn over customer data. For example, email provider Lavabit shut down its services in 2013 after the U.S. government ordered it to turn over its encryption keys to get access to Edward Snowden's email. This year, Lavabit relaunched with a new end-to-end encryption system, one in which only the customer, not the email vendor, has the keys.

