Using Encrypted Email Requires a HUGE Leap of Faith

There are a lot of services popping up offering encrypted email. They claim secure end-to-end encryption of emails with zero knowledge of keys and passwords used for encryption. It’s all seamless and requires no special action on the part of the user except to use their web interface or mobile app. The encryption happens locally on your device using JavaScript and no unencrypted data leaves your device. The keys are generated on your device and stay there, as does the password you use for encryption.

It’s an incredible bundle of awesomeness, right?

Well, just remember you are at the mercy of the site to not capture the keys and encryption password in the JavaScript library they provide to handle the encryption. Depending on the laws and treaties of the jurisdiction where they are located, they could be compelled to alter their script to capture the keys and passwords at any time without your knowledge. They could be prevented from even notifying you they were required to do this.

Unless you have intimate knowledge of encryption and examine every line of JavaScript they use to handle the encryption, you don’t really know what’s happening. If you don’t have the knowledge, perhaps you know someone you completely trust who does. But then what if they were compelled not to disclose that the JavaScript was changed, in the same way the site was compelled to change it? Then there’s the elephant in the room: you’d have to re-examine the code every time you used the site, and by used, I mean every time the page is refreshed or reloaded.

In other words, it’s just not practical.
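The re-examination described above can at best be reduced to a digest comparison against copies you have already audited, repeated on every load. The following Node.js code is an added example, not code from the original post or from any email provider; the URLs and script bodies are constructed, and `digest`, `pinAudited` and `checkLoad` are hypothetical helper names.

```javascript
// Added example: pin digests of the scripts you audited, then compare each
// page load against those pins. Helper names and sample data are hypothetical.
const { createHash } = require("node:crypto");

// SRI-style digest ("sha384-<base64>") of a script body.
function digest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Record a digest for every script copy that was actually reviewed.
function pinAudited(scripts) {
  return new Map(Object.entries(scripts).map(([url, body]) => [url, digest(body)]));
}

// Compare one page load against the pins. A changed or never-reviewed script
// means the earlier audit says nothing about the code running now.
function checkLoad(pins, served) {
  const report = { unchanged: [], changed: [], unreviewed: [], missing: [] };
  for (const [url, body] of Object.entries(served)) {
    if (!pins.has(url)) report.unreviewed.push(url);
    else if (pins.get(url) === digest(body)) report.unchanged.push(url);
    else report.changed.push(url);
  }
  for (const url of pins.keys()) {
    if (!(url in served)) report.missing.push(url);
  }
  report.covered = report.changed.length === 0 && report.unreviewed.length === 0;
  return report;
}

// Constructed sample: the two scripts as they were when audited.
const audited = {
  "https://mail.example/js/crypto.js": "function encrypt(msg, key) { /* reviewed */ }\n",
  "https://mail.example/js/ui.js": "function render() { /* reviewed */ }\n",
};
const pins = pinAudited(audited);

// Constructed sample: a later load with one modified and one new script.
const laterLoad = {
  "https://mail.example/js/crypto.js": audited["https://mail.example/js/crypto.js"] + "/* one added line */\n",
  "https://mail.example/js/ui.js": audited["https://mail.example/js/ui.js"],
  "https://mail.example/js/extra.js": "/* never reviewed */\n",
};

console.log(checkLoad(pins, audited).covered);
console.log(checkLoad(pins, laterLoad));
```

The comparison has to run outside the page being checked, because a check delivered by the same server can be altered along with the scripts. It only tells you the code changed; deciding whether the new code is safe still requires a fresh review.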

As for the mobile apps, you’d have to decompile each and every version and examine the code line by line before relying on it.

Again, in other words, it’s just not practical.

The bottom line is that even if these encrypted email offerings come from people and organizations who have the best of intentions and are honest and honorable beyond question… you still don’t know. You still must take a leap of faith and pretend your emails are 100% secure for all of time.

Depending on why you want your emails encrypted that could be a huge mistake.

The more secure way to encrypt your emails is to use public key cryptography. That requires you to generate your own private/public key pair and exchange public keys with anyone with whom you want to exchange encrypted emails. As long as your private key is not compromised, emails you receive remain securely out of reach of any prying eyes. As long as the private keys of those receiving encrypted emails from you aren’t compromised, the emails you sent remain securely out of reach of prying eyes.

Do you see the weakness even with public/private key email cryptography?

No? Okay, walk with me. Do people get into trouble because of emails they receive or because of emails they send?

Since you can’t control whether your recipients’ private keys are compromised, you are still taking a big leap of faith that any emails you send will remain encrypted and out of reach of prying eyes.

But all is not lost. The first question you have to answer is, “Why Do You Want Encrypted Email?” Once you have that question answered it’s easier to evaluate the current secure email offerings available.
