Paranoid Email: End-to-End Encryption Primer

Over the past decade, Twilio SendGrid has embraced Transport Layer Security (TLS) encryption as a way to protect outbound emails as these travel between servers.

In a digital world rife with cyberattacks, implementing true end-to-end email encryption for sensitive emails has become increasingly necessary.

But what exactly does this mean? This post provides an overview of what end-to-end encryption is and the types of surveillance it protects users from.

Bulk vs. targeted surveillance

Simple Mail Transfer Protocol (SMTP) with TLS protects “data in motion.” So when you submit an email to SendGrid using TLS, we encrypt it as it travels from your mail server to our mail servers. We then attempt to send it to your recipients over a TLS-encrypted connection. If their mail server supports TLS, we’ll send an encrypted version of your email, ensuring that passive surveillance devices will only see ciphertext.

This method is effective against passive bulk surveillance techniques—like the National Security Agency tap at AT&T’s backbone facility. However, a determined attacker with the technical means could perform a targeted “man-in-the-middle” attack on the TLS connection. Presenting their own certificate and key, the attacker can decrypt the ciphertext and capture the content before re-encrypting it and forwarding it to the legitimate destination server.
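The reason a man-in-the-middle can succeed against hop-by-hop SMTP TLS is that opportunistic STARTTLS encrypts the session but usually does not check whose certificate it is talking to. The following Python example, added here and not part of the original post or any SendGrid code, shows the difference between a context that verifies the server certificate and hostname and one that merely encrypts, and wraps it in a small posture check against a mail server of your own. The host name, port 587 and the ten-second timeout are assumptions; running `starttls_posture` needs network access to the server named.

```python
import smtplib
import ssl


def verifying_context() -> ssl.SSLContext:
    """Context that validates the certificate chain and the hostname.

    This is what an active man-in-the-middle cannot satisfy without a
    certificate your trust store accepts for the server's name.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def opportunistic_context() -> ssl.SSLContext:
    """Encrypt but trust any certificate: defeats passive taps only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True when both chain validation and hostname checking are enabled."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def starttls_posture(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect to an SMTP submission port and report its STARTTLS posture.

    'verified' is only set when STARTTLS succeeds under the verifying
    context, i.e. the certificate chains to a trusted CA and matches host.
    """
    report = {"host": host, "starttls_offered": False, "verified": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return report  # plaintext only: a passive tap reads everything
            report["starttls_offered"] = True
            smtp.starttls(context=verifying_context())
            smtp.ehlo()  # re-identify over the now-encrypted channel
            report["verified"] = True
    except ssl.SSLCertVerificationError as exc:
        # Untrusted CA, expired cert or name mismatch: exactly the conditions
        # a man-in-the-middle with its own certificate would produce.
        report["error"] = f"certificate verification failed: {exc}"
    except (smtplib.SMTPException, OSError) as exc:
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    # Assumed host name; replace with a submission server you operate.
    print(starttls_posture("mail.example.com"))
```

The check is deliberately strict: a server whose STARTTLS handshake only works under `opportunistic_context()` is protected against bulk capture but not against the targeted attack described above.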

As cyber attackers continue to evolve their methods, it’s important to develop solutions that counter their more aggressive approaches—whether through Java-encrypted email or other techniques.

End-to-end email encryption

To defeat active attacks against SSL and TLS, users can implement end-to-end or “data at rest” email encryption using languages like PHP or Java.

Public key encryption solutions for email have been around since the 1990s. The first successful implementation was Pretty Good Privacy (PGP), created by Boulderite Phil Zimmermann back in 1991.

PGP was the focal point of the crypto wars (that’s short for “encryption,” not “cryptocurrency”). At one point, Zimmermann famously published the source code as a hardback book via MIT Press and distributed it under First Amendment protections. However, PGP never really saw commercial success, perhaps because the technology was too hard to use. GNU Privacy Guard (GPG) is an alternative to PGP available under the GNU General Public License.

Another type of end-to-end encryption is Secure/Multipurpose Internet Mail Extensions (S/MIME), a standard for public key encryption developed in 2004. S/MIME leverages X.509 certificates instead of PGP keys. While relatively obscure, popular mail clients like Outlook, Mail.app, and Thunderbird have supported it for years—as long as you have the right third-party plugins installed, that is. Apple has also supported S/MIME encrypted email on iPhones/iPads since 2012, with the release of iOS 5.

One major criticism of S/MIME is that its security model depends on trusting public certificate authorities, which have suffered serious compromises that undermine the whole system. The public key infrastructure (PKI) on which the entire internet depends is only as strong as its weakest link.

Although this topic may go beyond the scope of this blog post, it’s important to note that your browser depends on the same public PKI. So, for most people, S/MIME and publicly trusted certificates should provide reasonable security.

If you believe that you are subject to targeted surveillance and need end-to-end email encryption, you can still realistically use S/MIME with self-signed certificates. However, you should verify the certificate fingerprints for the parties you communicate with out of band, just like you would verify PGP key fingerprints.
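Out-of-band fingerprint verification is the step that makes self-signed S/MIME certificates safe to use, so it helps to see what “verify the fingerprint” means in code. The Python example below is added here and is not part of the original post or any SendGrid software. It computes the SHA-256 fingerprint of a certificate in the colon-separated form mail clients display, normalizes a fingerprint as a person might read it over the phone, and keeps a small pin store keyed by sender address that compares in constant time. The PEM blob is a constructed placeholder (random-looking bytes, not a real certificate), and the `example.com` address is an assumption.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder: these bytes are NOT a real certificate, they only
# stand in for the DER body so the fingerprint pipeline can be exercised.
_FAKE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"placeholder-cert"
ALICE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first PEM CERTIFICATE block."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, rendered as AB:CD:... like mail clients."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd', 'abcd'... and return 64 uppercase hex digits."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(cleaned) != 64:
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return cleaned


class PinStore:
    """Fingerprints you confirmed out of band, keyed by e-mail address."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def pin(self, email: str, fp: str) -> None:
        self._pins[email.lower()] = normalize(fp)

    def check(self, email: str, pem: str) -> str:
        """'match', 'MISMATCH', or 'unpinned' when nothing was verified yet."""
        expected = self._pins.get(email.lower())
        if expected is None:
            return "unpinned"
        actual = normalize(fingerprint(pem_to_der(pem)))
        # Constant-time comparison avoids leaking how many digits agreed.
        return "match" if hmac.compare_digest(expected, actual) else "MISMATCH"


if __name__ == "__main__":
    store = PinStore()
    fp = fingerprint(pem_to_der(ALICE_PEM))
    print("fingerprint to confirm out of band:", fp)
    store.pin("alice@example.com", fp)  # assumed address
    print(store.check("alice@example.com", ALICE_PEM))
```

A MISMATCH on a previously pinned address is the signal worth acting on: either the correspondent re-keyed, which they can confirm over the same out-of-band channel, or someone is substituting a certificate.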

Read more about the different types of encryption in our email encryption FAQ.

Google and end-to-end encryption

It’s important to note that, despite adding sections to its Transparency Report to address email security concerns, Google doesn’t offer true end-to-end email encryption. Google’s TLS encryption ensures that no one’s looking at your email en route from point A to point B; however, it doesn’t guarantee that the message will remain private once it reaches the destination server. In fact, Google itself scans your inbox to power its smart features and flag suspected spam.

Additionally, Google only supports S/MIME encryption if the sender and receiver use paid Google Workspace Suite accounts and exchange security keys during initial configuration. While Google has talked about end-to-end encryption since 2014, it has made little progress to date. Currently, the only way to get that level of protection is to rely upon third-party service providers to bridge the gap.

Send secure emails with Twilio SendGrid

Now that you know a bit about PGP/GPG and S/MIME, which one would you choose? As we mentioned above, Outlook, Thunderbird, Mail.app, and iPhone/iPad have native support for S/MIME. We can walk you through the setup process in our post, End-to-End Encryption with S/MIME.

To learn more about securing your outbound emails, check out How to Send a Secure Email for Access and Delivery. If you’re ready to start sending secure emails, try SendGrid for free.
