Reading Time: 5 minutes

💡 TL;DR

  • End-to-end Encryption (E2EE) is a method of information transmission in which data is encrypted on the sender’s device and decrypted only after reaching the receiver’s device.
  • In theory, E2EE offers perfect data protection in transmission. This means no service providers or hackers can get access to users’ data without permission.
  • However, if the sender’s device or the receiver’s device is compromised, or there are backdoors in the encryption algorithms, information can still be compromised.
  • End-to-end encryption is currently the most secure way to transfer confidential data, and that’s why more and more communication services are switching to it.

Introduction

Today, there’s more interest in secure and private online communication than ever. One tool used by many modern communication services, particularly text-based messaging apps, is end-to-end encryption (E2EE). But what does end-to-end encryption really mean? How does it work, and what’s unique about it?

Without getting into complicated mathematics and technical terms, we’ll tackle these questions in the following article.

What is end-to-end encryption?

The best way to understand end-to-end encryption is to put it in contrast to a less secure method called encryption-in-transit.

With encryption-in-transit, information is typically encrypted on the user’s device and sent to the server. There, it is decrypted for processing, then encrypted again and sent on to its final destination. Information is encrypted while it’s in transit and only decrypted when it reaches an endpoint or the server; thus, the information is protected on each hop of the transmission, but not while it sits on the server.

Encryption of data at rest and data in transit (Source: Trailhead)

On the other hand, end-to-end encryption encrypts the data on one’s own device and does not decrypt it until it arrives at the intended destination. As a result, even the service provider carrying the data cannot read its content while it passes through: the content looks like gibberish to anyone except the sender and the intended recipient.

E2EE’s encryption mechanism (Source: Heimdal Security)

How E2EE works

E2EE ensures the message can only be encrypted and decrypted by the sender and the intended recipient.

To do this, a “secret key” that only the two parties know is required. In an end-to-end encryption system, the messaging process starts with something called a key exchange (more on that here).

Simply put, this key exchange mechanism allows two parties to arrive at the same secret key, which is impossible for any third party or the service provider to figure out. This key is then used to encrypt the data. As no one else has access to the secret key, anyone who intercepts E2EE-encrypted data in transit gets nothing readable.

This method is often associated with a high level of security and privacy. E2EE is “end-to-end” because it is impossible for anyone in the middle to decrypt the message. Users do not have to trust that the service they are using will not read their messages: it is not possible for the service to do so.
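To make the key exchange and the "nobody in the middle can read it" property concrete, here is an added, runnable illustration (not the article's code, and not any messaging product's implementation). It uses only the Python standard library, so the Diffie–Hellman group (the Mersenne prime 2^521 − 1 with generator 3) and the HMAC-based stream cipher with encrypt-then-MAC are teaching stand-ins, chosen for this example, for what real apps use (X25519 and AES-GCM). The names `run_exchange`, `run_transit_only`, `seal`, `open_sealed` and the "alice/bob/server" roles are this example's own. `run_exchange` models E2EE: the server relays public values and ciphertext and never holds a key; `run_transit_only` models the encryption-in-transit scheme described earlier, where each hop is keyed with the server, so the server decrypts and re-encrypts and therefore reads the message.

```python
"""Toy E2EE exchange (added illustration, standard library only).
Not production cryptography: the DH group and HMAC cipher are demo
substitutes for X25519 / AES-GCM."""
import hashlib
import hmac
import secrets

# Assumed toy DH parameters: Mersenne prime 2**521 - 1, generator 3.
P = (1 << 521) - 1
G = 3
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent in [2, P-2] and its public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Agree on g^(ab) and stretch it to 64 bytes (HKDF-style
    extract/expand with HMAC-SHA256): 32 to encrypt, 32 to authenticate."""
    shared = pow(peer_pub, priv, P).to_bytes(P_BYTES, "big")
    prk = hmac.new(b"e2ee-demo-salt", shared, hashlib.sha256).digest()
    t1 = hmac.new(prk, b"e2ee-demo\x01", hashlib.sha256).digest()
    t2 = hmac.new(prk, t1 + b"e2ee-demo\x02", hashlib.sha256).digest()
    return t1 + t2


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 blocks."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC envelope: nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key, blob):
    """Plaintext, or None if the key is wrong or the envelope was altered."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def run_exchange(message):
    """E2EE: Alice and Bob derive one key from exchanged public values;
    the relay server forwards bytes it cannot decrypt."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    alice_key = derive_key(a_priv, b_pub)   # server never sees a_priv/b_priv
    bob_key = derive_key(b_priv, a_pub)
    envelope = seal(alice_key, message)     # this is all the server relays
    # Someone holding only wire data (a_pub, b_pub, envelope) has no key;
    # a guessed key fails the MAC, so open_sealed returns None, not garbage.
    guessed_key = derive_key(dh_keypair()[0], b_pub)
    return {
        "keys_match": alice_key == bob_key,
        "server_sees": envelope,
        "bob_reads": open_sealed(bob_key, envelope),
        "snooper_reads": open_sealed(guessed_key, envelope),
    }


def run_transit_only(message):
    """Encryption-in-transit for contrast: each hop is keyed with the
    server, which decrypts, re-encrypts, and therefore reads everything."""
    a_priv, a_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    hop1 = seal(derive_key(a_priv, s_pub), message)
    server_reads = open_sealed(derive_key(s_priv, a_pub), hop1)
    hop2 = seal(derive_key(s_priv, b_pub), server_reads)
    return {"server_reads": server_reads,
            "bob_reads": open_sealed(derive_key(b_priv, s_pub), hop2)}
```

Running `run_exchange(b"meet at noon")` shows both parties computing the same key, Bob recovering the text, and the snooper's attempt returning `None`; `run_transit_only` on the same input shows the server reading the plaintext on the middle hop. Flipping any bit of an envelope also makes `open_sealed` return `None`, which is why the MAC is computed over the ciphertext and checked before decryption.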

Imagine if, instead of sending a letter in an envelope, someone sent it in a locked box to which only they and the predetermined recipient had the key. It would then be physically impossible for any unauthorized individual to read the letter. This is essentially how E2EE works.

How data is secured for the entire journey between endpoints or meeting participants (Source: RingCentral)

Advantages of E2EE

The main advantage of end-to-end encryption is quite obvious: it ensures the privacy and safety of your communication. It is as if, when you mailed a letter, you put it in a box that was physically impossible to open — immune to any sledgehammer, saw, lock-pick, and so forth — except by the addressee.

In a deeper sense, this means:

  • Your data is secure from hacks: With end-to-end encryption, you and the other party in the conversation are the only ones holding the private key to unlock the data. It doesn’t matter if the server is breached; your data is safe.
  • Your privacy is protected: When you use providers like Google and Microsoft, your data is decrypted on their servers. This means they can read it. And if they can access your data, so can hackers.
  • Admins (servers, apps, third parties, etc.) are free from data-keeping tasks and are less vulnerable to attacks: Admins aren’t honeypots. They don’t control data access, so they can’t be leveraged as a single point of vulnerability.

Drawbacks of E2EE

E2EE provides perfect protection over the content of users’ data. Still, there are some drawbacks to this technology:

  • E2EE secures the content of data from eavesdropping by third parties. However, context information – the sender’s and receiver’s identities, or the time the message was sent – is not protected.
  • Compromised endpoints: third parties can get access to the information if they have access to the sender’s or receiver’s device.
  • E2EE can provide criminals with a communication channel free of authorities’ detection.
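The first drawback, that context information stays visible, is easy to see if you write down what a relay server can log about an E2EE message: who sent it, to whom, when, and how large it was, but never a content field. One standard mitigation that apps apply on the sending side is to pad the plaintext to a fixed size bucket before encrypting, so the ciphertext length reveals only the bucket rather than the exact message size. The following is an added example (not the article's code, not any product's implementation); the bucket sizes, the 2-byte length prefix and the `relay_record` field names are this example's own assumptions.

```python
"""Added illustration: metadata an E2EE relay still learns, and
sender-side length padding to blunt the size part of it."""
import secrets

# Assumed padding buckets (bytes) for the demo; real apps pick their own.
BUCKETS = (256, 1024, 4096)


def pad_to_bucket(plaintext):
    """2-byte length prefix + plaintext + random filler up to the next
    bucket.  Done before encryption, so only the bucket size leaks."""
    need = len(plaintext) + 2
    for size in BUCKETS:
        if need <= size:
            prefix = len(plaintext).to_bytes(2, "big")
            return prefix + plaintext + secrets.token_bytes(size - need)
    raise ValueError("message too long for the largest bucket")


def unpad(padded):
    """Recover the original plaintext from a padded buffer."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def relay_record(sender, recipient, payload, timestamp):
    """Everything a relay can log about an E2EE message: the parties, the
    time and the size of the opaque payload.  There is no content to log."""
    return {"from": sender, "to": recipient, "at": timestamp,
            "bytes": len(payload)}


def compare_sizes(msg_a, msg_b):
    """Show what size reveals without padding versus with padding.
    Returns (unpadded sizes differ?, padded sizes differ?)."""
    raw = (len(msg_a), len(msg_b))
    padded = (len(pad_to_bucket(msg_a)), len(pad_to_bucket(msg_b)))
    return raw[0] != raw[1], padded[0] != padded[1]
```

With constructed inputs such as `b"yes"` and `b"absolutely not"`, the unpadded lengths differ (3 vs 14 bytes) while both padded buffers are 256 bytes, so a log line built by `relay_record` records the same size for both; the sender, recipient and timestamp fields remain visible either way, which is exactly the drawback the bullet describes.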

On top of these drawbacks, there is also an argument about end-to-end encryption’s backdoors.

In cybersecurity, a backdoor is a way around a system’s normal security measures. Imagine a completely secured building with multiple locks on all the doors — except for a hidden door in the back that is left unlocked and that only a few people know about. An encryption backdoor is just like that: it is a secret way to access data that has been “locked” by encryption.

There have been a few cases where a service claimed to offer secure E2EE messaging but had actually built a backdoor into its service. They may do this for a variety of reasons: to access user messages and scan them for fraud or other illegal activities, or to outright spy on their users.

E2EE In Action

Ready is a messaging app that offers E2EE for privacy and security. (Source: Ready)

If you’re looking to get started with end-to-end encryption, or simply want to understand its mechanism better, here are some apps and services that offer it:

You can also get end-to-end encryption with email. Here are a few apps that feature end-to-end encryption, though it might require more steps, and likely integration of an E2EE extension by both the sender and the receiver:

Concluding Thoughts

E2EE presents itself as one of the solutions for the growing need for information security on the internet. E2EE is here to stay, and will potentially be a significant aspect of the internet in the future. Thus, understanding the technology behind E2EE is essential to keep up with the changing tide of the online landscape.