E2EE (and why you need it)

4 min read

Who should have the right, or even the opportunity, to read your emails? The obvious answer should be; I who send and you who receive the message.

Did you know that forms in your website that are sent by email are sent in plain text that can be easily captured and read along the way? Protect with E2EE.

In reality, it does not work that way at all. In fact, there are quite a few who have access to your digital communications; everything from the staff who take care of the systems that handle your messages, to cybercriminals who break in or steal on the road, to authorities who, under various pretexts, request access.

And when a message is sent, data is created and saved in the form of cache, intermediate storage, various logs, metadata, etc. In some cases, for example, your message can be saved complete with not only the content in clear text, but also info about sender, recipient, time and a lot of other sensitive data, in a forgotten server log somewhere.

This also applies to all web forms that use e-mail as transport, something that is often forgotten in these contexts. When we mention “e-mail client” in this article, we also include the web forms that are sent via e-mail.

“Regular e-mail” is always sent in full text via insecure transport routes. Some e-mail servers and e-mail clients create encrypted tunnels for the actual transport, others do not. Everything is saved in clear text in the e-mail boxes, everything is logged and is traceable, often entire messages in clear text can end up in, for example, error logs. Security and anonymity are virtually non-existent.

Email system as such transports plain text messages that are completely lacking in security. Can be compared to sending postcards with the help of passers-by.
Ordinary e-mail, everything is sent and saved in plain text, sometimes the transport is encrypted

An important first step in protecting e-mail messages is to require the creation of secure transport between sender and recipient via an encrypted tunnel (SSH/TLS). The message is still sent and saved in clear text and creates a trace but is protected from being stolen during the actual transport (MITM, Man-In-The-Middle attacks) between the clients and the server systems.

The first step towards a more secure e-mail system was to create encrypted transport paths between e-mail servers. However, the encryption is optional.
E-mail is sent and saved in plain text but with secure transport via encrypted transmission

The next important step is to also protect the server systems by encrypting hard disks and databases as protection against data loss through, for example, burglary or theft of hardware.

Regular (unsecured) email can be read by anyone who can intercept the message in transit. Encrypted tunnels between servers are not a requirement.
E-mails are sent and saved in clear text with secure transport and secure servers

In the third step, which is becoming more common, the message itself is also encrypted when it is transported between servers and when it is saved in the server system. This is often marketed as a secure encryption system but it is important to note that the message can still be read by the systems and anyone who has access to them.

If an encrypted e-mail is sent to someone who does not have the function, the recipient receives an e-mail with a link to a web-based e-mail client where the encrypted message can be read and often also replied to.

E-mail is handled encrypted internally in the e-mail systems and transported via encrypted tunnels where such exist. The systems can still read all messages.
Email encrypted in and between servers

In a fourth step on the security ladder, the e-mail message is encrypted/decrypted in the e-mail client, so-called E2EE (End-to-end encryption), and can thus not be read by unauthorized persons in any context. Otherwise, most things work as in step three, but with the difference that the message is and remains encrypted during the entire transport and when it is archived.

An E2EE encrypted email is already encrypted in the email client, sent through encrypted tunnels to the recipient who decrypts the message in their client.
E2EE encrypted email, encryption/decryption takes place in the email client

Anonymity is also very important in these contexts but often completely overlooked. In addition to the e-mail itself, a lot of information about the message is created in different caches, in cookies, as metadata and not least in different logs. This happens in all parts of the chain; on the client computer, in the client’s browser and in all server systems that somehow handle the message. With the right tools and knowledge, in fact, most e-mails, also “secure” ones, can be tracked all the way and sometimes even completely reconstructed.

You, who in some way handle sensitive information and need to communicate via e-mail and web forms therefore need anonymized E2EE for your communication.

Scroll to Top