When you shop or pay a bill online, you are almost certainly using encryption. Encryption turns the data you transmit into indecipherable text that can be read only by someone holding the right key. Any information you want to be received and understood only by your intended recipient(s) should be sent over a secure channel. Secure electronic communication covers email, chat and text messaging on phones and computers, phone calls, and access to websites and other Internet-connected devices. Your communications can be intercepted at three points: in transit, where copies are stored on a central server, and where copies are stored on the sender's and recipient's devices. Wherever the communication sits in clear text, anyone who reaches it can read it.
At its most basic, email travels over the simple mail transfer protocol (SMTP), including mail from Web mail services like Gmail, Yahoo!, and Outlook.com. In most cases the message itself is clear text (i.e., it is sent as-is and can be read without a key of any kind); it is stored on a server and passed along, or delivered, when the recipient is next available. Web mail providers offer some security features, such as encrypting the hop between their servers and the next, but none of them can be guaranteed, because nothing forces the other side to accept or honor a request to send or receive the message securely.
When your Web browser connects to a website whose address begins with HTTP, anyone between you and the site can read what you send to it or receive from it (your communication with the website is in the clear, i.e., clear text). When the address begins with HTTPS, the main page is encrypted in transit, but pieces loaded into it may not be: cookies set without the Secure flag, and pictures or ad frames pulled from other servers over plain HTTP, travel in the clear even on an HTTPS page.
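The caveat above is checkable. The following is an added example, not code from the original article: it takes a constructed HTTPS page and constructed Set-Cookie headers and lists the sub-resources that would still be fetched over plain HTTP ("mixed content") and the cookies that lack the Secure flag. The host names (shop.example.test and so on) and the sample markup are made up for the demonstration; nothing is fetched from the network.

```python
"""Added example: find the parts of an HTTPS page that are NOT protected,
namely sub-resources fetched over plain HTTP and cookies without Secure.

Everything here runs offline on constructed input.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes whose value the browser fetches automatically when rendering.
FETCH_ATTRS = {"src", "href", "action", "data", "poster"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every auto-fetched resource."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value:
                continue
            if name == "href" and tag != "link":
                continue  # <a href> is a navigation, not an automatic fetch
            # Resolve relative and scheme-relative ("//cdn/...") URLs the
            # way the browser does: against the page's own URL.
            self.urls.append((tag, urljoin(self.base_url, value)))


def find_mixed_content(page_url, html):
    """Return (tag, url) pairs on an HTTPS page that load over plain HTTP."""
    if urlparse(page_url).scheme != "https":
        # A plain-HTTP page has no protected portion at all.
        return [("page", page_url)]
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.urls
            if urlparse(url).scheme == "http"]


def insecure_cookies(set_cookie_headers):
    """Return names of cookies set without the Secure attribute.

    Without Secure, the browser also attaches the cookie to any plain-HTTP
    request to the same host, so the cookie value can be read in transit.
    """
    names = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            names.append(name)
    return names


# Constructed sample: an HTTPS checkout page that pulls a script, an image
# and an ad frame over http://, plus one scheme-relative image (stays https).
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="http://cdn.example.test/tracker.js"></script>
</head><body>
  <img src="//images.example.test/logo.png">
  <img src="http://images.example.test/banner.png">
  <iframe src="http://ads.example.test/slot?id=7"></iframe>
  <form action="/pay" method="post"><input name="card"></form>
</body></html>
"""

# Constructed Set-Cookie headers from the same hypothetical response.
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Path=/",
    "tracking=xyz; Domain=.example.test; Path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag}> {url}")
    for name in insecure_cookies(SAMPLE_COOKIES):
        print(f"cookie without Secure flag: {name}")
```

On the sample page the stylesheet and the payment form resolve to https and are fine, the scheme-relative logo inherits https from the page, and the tracker script, the banner and the ad iframe are flagged; of the three cookies only the session cookie is safe from being replayed over plain HTTP.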
Short message service (SMS) text messaging is usually protected only by the carrier's network protocol itself (e.g., GSM providers like AT&T and T-Mobile, CDMA providers like Sprint and Verizon). That protocol is designed to encrypt traffic over the air so that it cannot be picked up with an ordinary radio scanner. However, both GSM and CDMA encryption have been broken in recent years, and spoofed cell stations (the same kind that law enforcement in the United States uses routinely, usually for purposes other than eavesdropping) are technically capable of intercepting the traffic that passes through them. Much like email, SMS messages are stored by the provider and forwarded when the recipient is next available.
Cell phone calls are likewise protected only by the carrier's network protocol. As far as we know, network providers in the United States do not usually record the content of calls; this varies widely from country to country.
The past year has seen a surge in the use of secure chat programs. However, many popular messaging services lack meaningful protection in their default settings. Like several of the methods above, most Internet messaging programs store messages on their servers before delivering them, and they usually move the data to and from those servers over HTTPS, which protects it from eavesdroppers on the network but not from the service itself.
End-to-end encryption means that the message is encrypted on your device and decrypted only on your recipient's device, with keys that only the two of you hold. The service carrying the message, whether an email provider or a chat server, sees only ciphertext.
One method for this kind of communication is PGP/OpenPGP. PGP stands for "pretty good privacy"; OpenPGP is the open standard that describes the format, and GnuPG (GPG) is the most widely used free implementation of it. It requires you and your recipient to exchange public keys ahead of time and to verify each other's key fingerprints, so that you can be sure who you are writing to and who is writing to you. It can be used for any electronic communication, because the message is protected before it leaves your hands; you no longer have to trust your Web mail provider's security, either while you are logged in or while it relays the message. Because email is not secure at rest by default, you should NOT store sensitive information like passwords in it.
Internet messaging programs that offer end-to-end encryption include WhatsApp and Signal, which are popular in the United States, and Telegram, which is more popular overseas (note that Telegram encrypts end to end only in its "Secret Chats", not in its default chats). A few other messaging programs offer end-to-end encryption but have a smaller user base. Most of these are built on public-key cryptography, as PGP is, although the protocols differ. These services tend to be tied to one device, because the keys are created on, and stored on, the device itself.
Secure calling uses the same technology as the messaging apps above and is often a feature of the same app. Notably, Signal offers free, easy, secure calling.
Internal email (e.g., Gmail to Gmail, or yourdomain to yourdomain) is considered "secure" because it never leaves the provider's own network (or moves only between that provider's own servers). When mail does cross the Internet, most providers' and corporate email servers will first try to connect to the other server using an encrypted protocol (TLS, formerly SSL, negotiated with the STARTTLS command). However, the receiving or relay server must accept that kind of connection. If the encrypted connection fails, the sending server will usually fall back to clear text, and your data is no longer protected. When communicating with your bank, look for a secure messaging login on its website instead of using ordinary email.
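The fallback described in the paragraphs on SMTP above is a choice made by the sending software, and it can be refused. The following is an added example, not code from the original article: a helper that hands a message to an SMTP server only after a verified TLS upgrade and raises instead of falling back to clear text. It uses Python's standard smtplib and ssl modules; the FakeSMTP class and the example.test addresses are constructed stand-ins so the logic can run offline, and send_via is the same rule applied to a real connection (it is not exercised here).

```python
"""Added example: make TLS a precondition for sending mail over SMTP
instead of the opportunistic "try TLS, else clear text" default.
"""
import smtplib
import ssl


class CleartextRefused(Exception):
    """Raised when the server offers no STARTTLS and we refuse to fall back."""


def send_only_over_tls(server, sender, recipient, message):
    """Send `message` only after a verified TLS upgrade; never in the clear.

    `server` is an smtplib.SMTP (or compatible) object that is connected
    but has not yet sent EHLO. Returns smtplib's refused-recipients dict.
    """
    server.ehlo()
    if not server.has_extn("starttls"):
        # An opportunistic client would carry on in plaintext here.
        raise CleartextRefused("server did not advertise STARTTLS")
    # create_default_context() verifies the certificate chain and host name,
    # so a spoofed relay cannot silently terminate the "secure" hop.
    context = ssl.create_default_context()
    server.starttls(context=context)
    server.ehlo()  # capabilities must be re-read after the TLS upgrade
    return server.sendmail(sender, recipient, message)


def send_via(host, port, sender, recipient, message):
    """Real-server variant (hypothetical host/port): same rule, real socket."""
    with smtplib.SMTP(host, port, timeout=15) as server:
        return send_only_over_tls(server, sender, recipient, message)


class FakeSMTP:
    """Constructed stand-in mimicking the slice of smtplib.SMTP used above."""

    def __init__(self, advertises_starttls):
        self.advertises_starttls = advertises_starttls
        self.tls_active = False
        self.sent = []

    def ehlo(self):
        return 250, b"OK"

    def has_extn(self, name):
        return name.lower() == "starttls" and self.advertises_starttls

    def starttls(self, context=None):
        assert isinstance(context, ssl.SSLContext)
        self.tls_active = True
        return 220, b"Ready to start TLS"

    def sendmail(self, sender, recipient, message):
        # Record whether the message would have left in the clear.
        self.sent.append((sender, recipient, message, self.tls_active))
        return {}


def demo(advertises_starttls):
    """Return (delivered, tls_was_active) for a constructed server."""
    server = FakeSMTP(advertises_starttls)
    msg = b"Subject: test\r\n\r\nhello"
    try:
        send_only_over_tls(server, "a@example.test", "b@example.test", msg)
        return True, server.tls_active
    except CleartextRefused:
        return False, server.tls_active


if __name__ == "__main__":
    print("server with STARTTLS   :", demo(True))   # delivered over TLS
    print("server without STARTTLS:", demo(False))  # refused, nothing sent
```

Mail servers expose the same choice as a setting: in Postfix, for example, smtp_tls_security_level = may is the opportunistic behaviour described in the text, while encrypt makes TLS mandatory for outbound mail. Either way, TLS here protects only the hop between two servers; the message is still clear text on each server it rests on, which is why end-to-end encryption is needed for genuinely sensitive content.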
What can you do?
Do NOT store sensitive data like passwords in your email.
Do NOT send sensitive information via email unless it is protected both in transit and at rest, for example by encrypting it end to end with PGP.
Use clear text email only for communications you would be comfortable having read by someone sitting in the middle of the connection between you and your intended recipient.
Make sure you are using HTTPS when accessing your Web mail, or any other sensitive information on the Internet. If a site does not offer HTTPS, simply do not use it for anything sensitive.
Store passwords securely. Sixteen-character passwords ARE possible to remember. We suggest using passphrases AND a password manager like KeePass.
Use Signal (for Android or iOS) for secure chat and phone calls.
Protect your email account! It is likely the most important Internet username and password you have. Nearly all of your other online accounts use your email address for alerts and password resets. If your email account is compromised, attackers not only get a history of your communication, they can also take over your other online accounts. Make your password long and strong, and use two-factor authentication; it's worth it!
Learn more about PGP for Windows, for Mac, and at emailselfdefense.fsf.org.