26

We are all used to reading web pages protected by HTTPS. It has, as far as I (as a user of a browser) can perceive, zero cost. Contrarily, encrypting an email is inconvenient to both sender and receiver. The question "When I attach a sensitive pdf encrypted by Adobe with a password, and send it through Gmail with password included, does it make any difference?" explores some of those difficulties.

From a non-technical point of view, there does not seem a great deal of difference between transmitting a web page and an email – some data is transferred from one IP address to another. Sorry if that is too naïve, but I don’t understand why TLS/HTTPS technologies cannot be applied to email transmission.

Is it simply that email applications have not developed embedded encryption, or is there more to it?

I don’t understand security details, so would appreciate a non-technical answer.

5
  • 15
    Two words: certificate management. And there is quite a lot of difference between a web server and browser and emails being sent. For web mail, TLS applies. For a lot of server-to-server communication, TLS applies. What do you want encrypted and why? Who are you wanting to protect the emails from? There's a difference between encrypting the transmission (that's already being done, just like web) and encrypting each email from anyone reading it except you. Commented Jul 27, 2024 at 16:13
  • 2
    Related: security.stackexchange.com/questions/67285/… Commented Jul 27, 2024 at 16:15
  • 3
    See moxie.org/2022/01/07/web3-first-impressions.html for an interesting read on why the decentralized nature of email has resulted in very slow adoption of any e2ee standard for email. Commented Jul 27, 2024 at 21:39
  • In fact the SSL/TLS encryption of emails in transit started to be used shortly after it started to be used for HTTP (it will be 30 years soon). --- The simplest transit path of an email is more complex than the simplest transit path of a web page. This hides the important aspects from you. Commented Jul 29, 2024 at 8:59
  • 2
    Two biggest problems of secure email: 1) TLS downgrade. Most e-mail servers will revert to unencrypted when they can't establish SSL. 2) The domain does not map to a single server. This is the biggest issue, as the domain of an e-mail address doesn't really map to a specific server... MX record lookup host(s). I believe this is the issue IETF is currently trying to fix somehow. (You can't check via CA in the same way because of this.) Commented Jul 29, 2024 at 20:44

6 Answers

46

You need to differentiate between data encryption in transit and encryption of data at rest.

We are all used to reading web pages protected by HTTPS.

When you submit a form on a website the data is indeed encrypted using TLS while it is sent to the server. But that doesn't mean that the data is protected once it has reached the server. As far as we know, the website could even decide to save the data in a publicly accessible text file.

Mail also uses encryption for data in transit most of the time, using TLS. But that doesn't mean the mail is protected on the mail server itself.

E2EE would require the sender and receiver to manage encryption keys; this is too complex, especially if you are mailing multiple people or are mailing people using other mail services.

Note that a lot of enterprise packages like Microsoft Office 365 do support E2EE for enterprises; only internal mails are encrypted though. For internal mails it is possible because the certificates can be managed centrally by the enterprise using it.

9
  • 66
    "As far as we know, the website could even decide to save the data in a publicly accessible text file." – Example: this very comment. It was submitted through TLS, but is readable by anyone. Commented Jul 28, 2024 at 9:09
  • 2
    Note that the "in transit" part may be quite automatic but is still mostly opportunistic today. Without a few somewhat annoying precautions, when Alice sends mail to Bob, she might happily transfer it to Eve as long as the transit is encrypted. Commented Jul 28, 2024 at 10:16
  • 2
    Is managing keys too complex though? Whatsapp and Signal face the same challenges, and yet they are end-to-end encrypted. Commented Jul 30, 2024 at 17:07
  • 2
    @FedericoPoloni each of those systems is entirely under their control, so they can decide on the system and then use it. Whereas every domain controls its own email server and chooses what software to use for it. Commented Jul 30, 2024 at 17:42
  • 1
    @AlexanderThe1st As far as I know, in Whatsapp and Signal if you lose your password you lose access to previous messages (which is fair, since otherwise it wouldn't be E2E encrypted, but probably annoying for e-mail users), and you can register a new managed key using your phone number as verification. For e-mail, I imagine the verification could be an external e-mail address or a phone number; so one of the standard methods for password recovery already in standard use. Commented Jul 31, 2024 at 9:51
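The "in transit" protection discussed in the answer and its comments is opportunistic: the sending server only switches to TLS if the receiving server advertises STARTTLS in its EHLO reply, and an attacker on the path can simply delete that line. The following Go program is an added example, not code from the answer or from any mail software; it parses a constructed EHLO reply and shows how the same stripped reply yields cleartext delivery under the usual opportunistic policy but a refusal under a strict one. The policy names `Opportunistic` and `Required` are this example's own labels (the strict one stands in for a per-domain rule such as MTA-STS or DANE), and the EHLO replies are made up for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// TLSPolicy is the sending MTA's stance on transport encryption. Opportunistic
// is the common default; Required stands in for a per-domain policy such as
// MTA-STS or DANE that forbids falling back to cleartext. (Names are this
// example's own, not a library API.)
type TLSPolicy string

const (
	Opportunistic TLSPolicy = "opportunistic"
	Required      TLSPolicy = "required"
)

// ParseEHLO extracts capability keywords from a multi-line SMTP EHLO reply
// such as "250-mx.example.net\r\n250-STARTTLS\r\n250 SIZE 52428800".
// The first 250 line is the server greeting and carries no capability.
func ParseEHLO(reply string) map[string]bool {
	caps := map[string]bool{}
	lines := strings.Split(strings.ReplaceAll(reply, "\r\n", "\n"), "\n")
	for i, line := range lines {
		line = strings.TrimSpace(line)
		if i == 0 || len(line) < 4 || !strings.HasPrefix(line, "250") {
			continue
		}
		if fields := strings.Fields(line[4:]); len(fields) > 0 {
			caps[strings.ToUpper(fields[0])] = true
		}
	}
	return caps
}

// DecideTransport returns "tls", "cleartext" or "refuse". An on-path attacker
// can delete the STARTTLS line from the reply (a STARTTLS-stripping downgrade);
// under an opportunistic policy that silently turns into cleartext delivery.
func DecideTransport(reply string, policy TLSPolicy) string {
	caps := ParseEHLO(reply)
	switch {
	case caps["STARTTLS"]:
		return "tls"
	case policy == Required:
		return "refuse"
	default:
		return "cleartext"
	}
}

// Constructed EHLO replies for the demo: an honest one, and the same reply
// after an attacker has removed the STARTTLS line.
const (
	HonestEHLO   = "250-mx.example.net\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
	StrippedEHLO = "250-mx.example.net\r\n250-SIZE 52428800\r\n250 8BITMIME"
)

func main() {
	for _, p := range []TLSPolicy{Opportunistic, Required} {
		fmt.Printf("%-13s honest=%-9s stripped=%s\n",
			p, DecideTransport(HonestEHLO, p), DecideTransport(StrippedEHLO, p))
	}
}
```

Note that even in the "tls" case the session terminates at mx.example.net, which then holds the message in the clear; that is exactly the at-rest gap the answer describes, and no transport policy closes it.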
24

TLS is used for e-mails. It's common to encrypt e-mails in transit with the SMTPS protocol (SMTP on top of TLS) or opportunistic TLS with the STARTTLS command.

If you're instead talking about end-to-end encryption between sender and receiver, then you can use S/MIME which uses the same trust model and certificate format as TLS. The sender just has to get a certificate of the receiver (e.g., through an address book, a previous e-mail or any other channel) and check that the certificate has been signed by a trusted certificate authority (CA). Then they can encrypt the e-mail based on the public key within the certificate.

Of course the receiver has to obtain a signed S/MIME certificate from a CA, which may or may not be difficult. Some companies, research institutes and universities issue certificates for all employees, in which case there's no effort for the individual person. But in a private context, it's of course entirely up to you to contact a CA and go through their authentication procedure.
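What the S/MIME step "encrypt the e-mail based on the public key within the certificate" amounts to, as an added Go example that is not part of the answer and not an S/MIME implementation: the sender needs only the recipient's public key, the mail servers in between store an envelope whose body they cannot open, and only the matching private key decrypts it. Real S/MIME wraps this in CMS with a standard KDF and RSA or ECDH keys taken from a certificate; here an X25519 key pair generated on the spot stands in for the certificate, a single SHA-256 stands in for the KDF, and the `Envelope` struct and the message text are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is all a mail server ever holds: the address in the clear (it has
// to route the message) and the body only as ciphertext. A real S/MIME message
// wraps the same ingredients in CMS encoding; this flat struct stands in for it.
type Envelope struct {
	To           string
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte
	Ciphertext   []byte // AES-256-GCM output, authentication tag appended
}

// deriveKey turns the ECDH shared secret into an AES-256 key. A single SHA-256
// over the secret and both public keys is used in place of the KDF a standard mandates.
func deriveKey(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	for _, b := range [][]byte{[]byte("e2ee-mail-example"), shared, ephPub, recipPub} {
		h.Write(b)
	}
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the holder of the private key matching
// recipientPub can read it. The sender needs nothing but the public key.
func Seal(to string, recipientPub *ecdh.PublicKey, body []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, eph.PublicKey().Bytes(), recipientPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The recipient address is bound as associated data, so a relay cannot
	// re-address the ciphertext to someone else without the tag failing.
	ct := gcm.Seal(nil, nonce, body, []byte(to))
	return &Envelope{To: to, EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an Envelope with the recipient's private key. A server that
// merely stores the envelope has no such key, and any other key fails the tag check.
func Open(priv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, env.EphemeralPub, priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.To))
	if err != nil {
		return nil, fmt.Errorf("decryption failed (wrong key or tampered envelope): %w", err)
	}
	return pt, nil
}

func main() {
	// Alice's long-term key pair; with S/MIME the public half would travel in
	// her certificate. Generated on the spot for this example.
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	env, _ := Seal("alice@example.com", alice.PublicKey(), []byte("meet at noon"))
	fmt.Printf("server sees: to=%s, %d ciphertext bytes\n", env.To, len(env.Ciphertext))
	body, err := Open(alice, env)
	fmt.Println("alice reads:", string(body), err)
	server, _ := ecdh.X25519().GenerateKey(rand.Reader) // the provider's own key
	_, err = Open(server, env)
	fmt.Println("server reads:", err)
}
```

The asymmetry is the whole point of the answer's trust model: `Seal` works with a public key that can be passed around in an address book or a previous mail, while `Open` needs the private key that never leaves the recipient. What the example does not show is how the sender knows the public key really is Alice's, which is what the CA signature on an S/MIME certificate is for.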

19

Viewing a web page involves a relatively direct, two-way interaction between a computer operated by the publisher of the page (or their chosen representative) and a computer operated by the viewer. In this interaction the two machines can exchange information to negotiate, set up and verify a temporary encryption system. Each side can check what sort of encryption technology the other side supports, to either find something mutually acceptable, or alternatively declare the communication impossible.

Only one of the parties (the publisher) needs to have a secret key set up in advance. At the start of the interaction the publisher's machine will share some information related to that secret (a certificate) with the viewer's machine, and the viewer can check that, then make their own temporary secret and share information about that with the publisher.

Email does not involve a direct interaction in the same way. It's designed so that the two parties do not have to be online at the same time, and the message can be handled by intermediaries, potentially being delivered a few days after it was sent. This makes it a lot harder to exchange the necessary information to set up and verify a secure channel, and a lot harder to give useful feedback to the user(s) in case something goes wrong.

5
  • 2
    Nice answer. If Alice knows Bob's public key (and has verified that it is in fact Bob's true and correct public key), then Alice can encrypt a message to Bob using Bob's public key, and send the encrypted message to Bob, even through multiple intermediaries, and even if it takes days to make its journey. But, this lacks forward secrecy. The problem becomes more difficult if Bob and Alice want to have perfect forward secrecy in this asynchronous environment, but we now have Signal protocol which solves that problem. Commented Jul 28, 2024 at 14:10
  • 2
    While the other answers are not particularly bad, this is the core reason - synchronous and strictly controlled (via HTTPS standards) web browsing vs. asynchronous and very, let's call it "flexibly", standardized email. Commented Jul 29, 2024 at 13:42
  • Is it that hard though? Whatsapp and Signal face the same challenges, and yet they are end-to-end encrypted. Commented Jul 30, 2024 at 17:05
  • @FedericoPoloni I believe WhatsApp and Signal both rely on the central service operated by the company to be trusted by both parties to identify each other at the start of the conversation. Email doesn't have a central trusted service that all parties connect to. There's no sense in sending an encrypted message if you don't know who the person with the key to read it is. Commented Jul 30, 2024 at 18:36
  • @bdsl Yes, but even without trusted authority a TOFU framework (like XMPP uses) is possible, and it would already be much better than the current state. Commented Jul 31, 2024 at 9:54
15

To be clear, you easily can use the same cryptographic technology to encrypt emails and there exist standards and tools for doing this (PGP). But, it's not widely used. Why? Let's see how HTTPS works, very simplified:

  • The owner of example.com has registered their public key in a trusted public database (Certificate Authority)
  • The reader's browser looks up the public encryption key of example.com in the public database.
  • The reader's browser uses this public key to send an encrypted message that only example.com can decrypt. (This message can contain another encryption key that allows arbitrary further encrypted communication.)

So this process relies on public key infrastructure (PKI) where you have a trustworthy way to look up the public key. You could use the same infrastructure for encrypting mail to gmail.com, but you want to send mail to [email protected] that only Alice can decrypt (not Google). That means you need to solve two annoying problems.

  1. You need a trustworthy database to look up Alice's specific public key. You really need a whole PKI that average email users like Alice have to deal with, like publishing their public keys.
  2. Alice has to manage her private encryption key, i.e. keep it safe, use it across any devices she wants to use email on, transfer it when one device dies and she gets a new one, etc.

My personal opinion is that if Google and Microsoft wanted to make end-to-end encrypted email easy to use and widespread, they could address these challenges to a large extent. But those companies don't benefit by not being able to read their users' email, and they don't want to deal with hassles like users getting locked out of their own email accounts, so they don't.

5
  • 6
    Nice answer. But, FYI: For TLS on the web, there is no trusted public database where browsers look up certificates for domains. The web server for a domain sends its certificate to the browser during the TLS handshake, then the browser verifies that the cert is signed by a CA that it trusts. See security.stackexchange.com/questions/20803/… for more info. Commented Jul 28, 2024 at 13:06
  • 2
    @mti2935 Right. In fact it is only the Certificate Authority that puts their details in a trusted public database (distributed by OS & browser vendors) Commented Jul 28, 2024 at 14:30
  • I honestly don't understand why the key database is not put on the email address host server. No need to trust anything if the server's domain name matches with the public certificate then the public key for the email address can be trusted. Commented Jul 28, 2024 at 16:44
  • 11
    @DragonCreature Suppose my email address is m*****[email protected]. I want to be sure gmail is not eavesdropping on my messages, so I encourage my senders to encrypt messages that they send to me using my public key. But, if I can't trust gmail to not eavesdrop on my messages, then how can I trust gmail to serve my true and correct public key to my senders?? gmail could simply serve its own public key, then decrypt messages sent to me using the corresponding private key. Commented Jul 28, 2024 at 17:23
  • 2
    @mti2935 The fact that the storage of the database of trusted keys is distributed out among all the servers using said keys and the integrity is verified by way of signatures doesn't make it any less a database. It's just heavily optimized for distributed storage and lookup at the expense of pretty much everything else. Commented Jul 28, 2024 at 19:48
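The answer's "trustworthy way to look up Alice's specific public key", and the comment about a provider serving its own key instead, come down to one check the sender's client has to perform: the certificate carrying the key must chain to a CA the client trusts and must name the address being written to. The Go program below is an added example, not code from the answer and not what any mail client ships; it builds a throwaway root CA, issues an S/MIME-style certificate for alice@example.com with the emailProtection EKU, and runs that check against three certificates: Alice's genuine one, one for the same address minted under a different self-signed key (the provider substituting its own), and a genuine certificate that names Bob. Every name, serial number and validity period is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for tmpl. With parent == nil it is self-signed
// (a root). Returns the parsed certificate and its fresh private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// emailTemplate describes an S/MIME-style end-entity certificate: the address
// goes in the Subject Alternative Name (rfc822Name), the EKU is emailProtection.
func emailTemplate(email string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
}

// VerifyForEmail is the check a sender's client runs before encrypting to the
// key in cert: it chains to a trusted root, is valid for email, and names the
// address actually being written to.
func VerifyForEmail(cert *x509.Certificate, roots *x509.CertPool, email string) error {
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}); err != nil {
		return err
	}
	for _, e := range cert.EmailAddresses {
		if e == email {
			return nil
		}
	}
	return fmt.Errorf("certificate does not name %s", email)
}

// Scenario returns the verification outcome for three certificates offered
// to someone writing to alice@example.com: her genuine one, one minted by an
// untrusted issuer (a provider substituting its own key), and Bob's genuine one.
func Scenario() (genuine, forged, wrongName error) {
	root, rootKey := issue(caTemplate("Example Trusted CA", 1), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	aliceCert, _ := issue(emailTemplate("alice@example.com", 2), root, rootKey)
	bobCert, _ := issue(emailTemplate("bob@example.com", 3), root, rootKey)
	rogue, rogueKey := issue(caTemplate("Mail Provider Key", 1), nil, nil)
	forgedCert, _ := issue(emailTemplate("alice@example.com", 4), rogue, rogueKey)
	const to = "alice@example.com"
	return VerifyForEmail(aliceCert, roots, to), VerifyForEmail(forgedCert, roots, to), VerifyForEmail(bobCert, roots, to)
}

func main() {
	g, f, w := Scenario()
	fmt.Println("genuine:   ", g)
	fmt.Println("forged:    ", f)
	fmt.Println("wrong name:", w)
}
```

The forged certificate fails not because its key is bad but because its issuer is not in the trust store, which is why a provider that hosts the "key database" cannot quietly swap in its own key as long as senders insist on a chain to a CA they trust. Real clients also check revocation and, for TLS-on-the-web as the comments note, match the host name rather than an e-mail address.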
2

Your assumption is wrong.

Your e-mails actually are encrypted the same way that web pages are. It's just that there are two hops, not one.

Due to the asynchronous nature of e-mail, it gets delivered first from the sender to an e-mail server(1). This connection is commonly encrypted, with TLS just like your web browser does it.

Then, when you read your mails, your client connects to the server to download the mail, and again this connection is typically encrypted.

What might confuse you is that for e-mail there is also another way to encrypt them, such as PGP or S/MIME. These are end-to-end encryption schemes, and because they are not using a live connection, there is no key negotiation, so you need to exchange keys beforehand or use a PKI to fetch them.

(that's all somewhat simplified, but should cover the main things)


(1) actually often to the sender's e-mail server but again, I'm simplifying things a bit.

0

For a website, the sender knows the unencrypted data, and encryption can be set up spontaneously when I request the website from the server.

For an email from arbitrary A to arbitrary B you don’t want the server to be able to read the email. And A and B cannot communicate because all that A has is B's email address; it cannot find B's computer (and there may be more than one), and the computers are often not turned on and connected to the internet at the same time. So lots of things that https can take for granted are not there for email.
