End-to-end encryption explained

End-to-end encryption (E2EE) is a method of encoding messages sent from one endpoint to another. E2EE ensures that the data encrypted at the sender’s end can only be decrypted by its receiver. This way, the message stays disguised throughout its journey through intermediate servers, and neither the network service provider, the internet service provider (ISP), nor any third party can access it.

Let’s say you sent a message through a service that is using a standard Transport Layer Security (TLS) encryption, and not the E2EE. Your message would be decrypted once it reaches the midpoint server, allowing the entity controlling that server (e.g., a service provider) to read the content of your message. Meanwhile, E2EE guarantees that your message in transit is only legible to its intended receiver and not comprehensible to ISPs or third parties.

End-to-end encryption provides more privacy and online security when sending messages or sensitive data over various networks.

End-to-end encryption works by passing through the following stages:

1. Generating encryption keys. The system using end-to-end encryption generates a pair of cryptographic keys – a public and a private key. The two public keys are shared between the sender and receiver, while each has their own private key.
2. Encrypting. When the sender sends the message, the E2EE algorithm encrypts it with the recipient’s public key. Afterward, only the recipient is able to decrypt the message using their private key.
3. Sending. During its transit to the receiver, the encrypted message is illegible even if someone intercepts it. The interceptor couldn’t decipher the encryption without the receiver’s private key.
4. Decrypting. Once the recipient receives the encrypted message, their private key decrypts it and makes it legible.

Different types of encryption are used for different purposes. Let’s look into other common encryption methods and how they differ from end-to-end encryption:

• E2EE vs. data-at-rest encryption (DARE). E2EE keeps the data in transit encrypted until it reaches its destination. In contrast, DARE encrypts data stored in various devices and servers. DARE helps ensure that even if the device is stolen or the server is hacked, no one can access the stored information.
• E2EE vs. link encryption. E2EE encrypts the data at the sender’s end and decrypts it only at the endpoint. Meanwhile, link encryption is typically used for specific data paths, such as satellite or telecom links, which means that once encrypted at the starting point, the data is decrypted and re-encrypted at each connection node.
• E2EE vs. Transport Layer Security (TLS). Using E2EE, only the recipient can decode the message because the ISP that handles the transmission doesn’t have the private key for decryption. It’s another story with TLS. Since TLS encrypts communication between web browsers and web pages, the service provider can see the data stored in plain text at a website server’s endpoint.
• E2EE vs. point-to-point encryption (P2PE). E2EE encrypts and decrypts data only once. However, P2PE allows the data decrypted at the endpoint to be encrypted once more and sent to another endpoint.

At a first glance, E2EE may look similar to a VPN, which also encrypts data in transit. However, these tools are used for different purposes. End-to-end encryption ensures that when two parties communicate online, only they can access the shared data. On the other hand, a VPN protects data in transit between a user device and a VPN server.

While E2EE focuses on encrypting only the message sent between the endpoints, a VPN uses next-generation encryption to provide a broader scope of disguise, encrypting all of the user’s internet traffic and metadata and providing a secure tunnel for data to travel.

E2EE plays a significant role in securing instant messaging apps. For instance, WhatsApp and Signal use E2EE for all the messaging and calls by default. Telegram, Facebook Messenger, and Instagram offer end-to-end encryption as a specific feature that can be turned on manually. Below are the instructions to turn on E2EE on each of these platforms.

To turn on E2EE on Telegram:

1. Click on the three dots that you can find below your profile picture.
2. Choose “Start secret chat.”

You can enable Instagram end-to-end encryption by:

1. Tap the arrow in the top right corner of the Feed page.
2. Tap the writing icon in the top right corner.
3. Tap the lock icon next to “End-to-end encryption.”
4. Choose the people you want to start an E2EE chat with, or use the search bar at the top to search for their names.
5. Tap “Create chat” at the bottom of the screen.

To enable end-to-end encryption in Messenger, follow these steps:

1. Go to your chats and press the writing icon at the top right corner.
2. Tap the lock icon to enable end-to-end encryption mode.
3. Choose the people you want to start an E2EE chat with or use the search bar at the top to find their names.

E2EE can also be used to safeguard email communication or shared files so that only the users, without the peeking of an ISP or the email service provider, would be able to access the data in transit.

E2EE can increase the security and privacy of your online communication. Let’s look into what end-to-end encryption can protect against in more detail:

1. Unauthorized interceptions. Using E2EE, only the sender and the receiver have the means to decrypt the data in transit. Even if the message gets into the hands of a third party, it will be illegible to it.
2. Data breaches. Even if the servers of the webpage you visit and use get compromised in the case of a data breach, the hackers wouldn’t be able to read the data safeguarded by E2EE. It’s because the ISP itself doesn’t have and stores the decryption keys to decipher it.
3. Eavesdropping. Because encrypted data is just gibberish without decryption keys, E2EE can protect against various interceptions and man-in-the-middle attacks. Adversaries simply wouldn’t be able to read the stolen data.

End-to-end encryption, like many other online privacy tools, has its disadvantages. Here are the most notable drawbacks of E2EE:

• Lost access to encrypted data. If a user loses a pair of encryption keys, for instance, by losing or breaking the device where they are stored, they also lose access to the encrypted data.
• Complex setup. E2EE can be a complicated tool to implement if users need to manage encryption keys or configure E2EE settings manually.
• Possible latency. Messages encrypted with E2EE can take longer to send than regular, unencrypted data because encryption and decryption take additional time.

E2EE is also not a cure for all online security threats. So what doesn’t end-to-end encryption protect against?

1. Endpoint vulnerabilities. End-to-end encryption protects only the data in transit. This means that once the message reaches the receiver, any threats infiltrating the receiver’s device, such as malware or hackers, can take hold of decrypted information.
2. Metadata exposure. E2EE encrypts only the data sent within the message and doesn’t disguise its metadata, including information about the sender and receiver (their IP addresses). Exposed metadata patterns may help hackers learn more about the users’ behavior and use it against them.
3. Phishing and social engineering. E2EE cannot save users who get tricked into handing over their sensitive information to hackers, including passwords, banking details, personal data, or even encryption key pairs. Once hackers have the decryption key in their hands, E2EE becomes useless.

Implementing E2EE is a complex procedure, but you can do it yourself if you have a good knowledge of IT and a deep understanding of cryptographic principles.

However, in many cases, E2EE is already integrated into the software of services that rely on virtual communication – just make sure the E2EE function is enabled.