“Your messages and calls with this contact are end-to-end encrypted..” – sounds familiar, right? But what does this end-to-end encryption mean? Why is it good or bad? Why do apps like WhatsApp, Telegram & Signal talk about encrypted communication so much? Here’s everything you need to know about end-to-end encryption in 7 simple steps.
1. The concept of End-to-End Encryption
In layman’s terms, End-to-End Encryption or E2EE is a method by which any communication – text, voice, image data, etc. – is encrypted so that only the sender and the intended recipient of the communication can read it. This is deciphered in a process called decryption. No one else would be able to understand the message (as it would appear garbled to them).
The closest example of this could be how, during our school days in the ’90s, we used to write secret notes to a friend. We used to shuffle the alphabet using a formula that only that friend (recipient) knew how to decipher. Nobody else in the communication path to the friend could understand or make sense of the garbled text in these notes. But the end recipient knew the formula to make it readable again. This is the most basic form of end-to-end encryption technology.
2. How does E2EE work?
End-to-End Encryption works along similar lines as the secret note analogy explained above. Obviously, with a lot more sophistication involving science (& math) and cryptography to make it highly secure. The basic idea here is to ensure that only the intended parties (sender & recipient) can read the contents of the message exchanged. At the same time, no other intermediaries (or eavesdroppers) can make any sense of it even if they tap into the data being transmitted.
In the Internet world, a communication system usually involves at least 3 parties – the sender, the recipient, and a service provider(s) like WhatsApp, Telegram, etc. It can also have intermediaries like your ISP, mobile operator, and even the WiFi network in your office or home. Each of these intermediaries can easily tap into and read your communication when it transmits through their systems – unless your communication is encrypted.
There are many different and indigenous methods of implementing E2EE. Still, the most common and publicly known mechanisms work by using a secret key or a set of keys (called public and private keys). They are used to encrypt and decrypt messages transmitted between two users in such a way that no other user can decipher the information.
3. The early days of E2EE
In the initial days of end-to-end encryption, the idea was limited to encrypting the messages during transit between the users. This was to ensure eavesdroppers couldn’t read the information contained in them. However, this was considered just enough to provide a secure way to communicate between two entities.
Therefore, the encryption was achieved by using a single secret key (called a symmetric key) usually generated by the service provider. This was then shared with both users while initiating a connection. The sender would use this key to encrypt the data before transmitting it to the recipient. The recipient would then use the same key to decrypt the data. Such systems were prevalent in the early days of GSM (Cellular network) and some radio communication networks.
4. Modern version of E2EE
Now, the single key provider model (also known as Symmetric Key Cryptography) worked for specific applications. However, there was a growing concern that it provided only basic security from unauthorized eavesdroppers. In addition, the fact remained that the service provider itself or the many intermediary systems in between had access to the key. This could potentially compromise the security of communication.
To overcome this, the new generation of end-to-end encryption methods started. It implemented a model where the users generated the keys themselves and exchanged them between each other rather than a common third-party provider. This ensures that even the service provider who governs the communication channel cannot read the communication between two users.
One of the early implementations of this model in the messaging domain was by WhatsApp in 2016. It encrypted a part of its network using the open-source “Signal Protocol”. This was developed by Open Whisper Systems (the developers of the Signal app, an alternative to WhatsApp).
5. How WhatsApp’s End-to-End Encryption Works
WhatsApp’s E2EE implementation is comparatively safer than the earlier single Key Cryptography method. In this system, every user (via the App installed on the phone) generates a pair of keys – Public key and Private key during installation. While the Public key is shared with other users for communication, the Private key is securely stored on the user’s device and never shared on any network.
When two users initiate communication on WhatsApp (say user A and user B), they exchange their public keys beforehand (known as Key exchange). If A wants to send a message to B, then A (the sender) encrypts the message with the Public key of B (recipient). When B receives the encrypted message from A, B uses its corresponding Private key to decrypt the message and vice-versa.
In such a system, even if a user C accidentally or deliberately gets access to the messages exchanged between A & B, it cannot decipher it even if it has stolen their Public keys during key exchange. Going a step further, even the service provider (WhatsApp servers in this case) cannot read the contents of the messages.
6. Is it safe to use WhatsApp, Telegram, Signal, etc.?
Apps like WhatsApp, Telegram, and Signal (that claim to provide end-to-end encryption) are relatively safe to use to share your daily messages, tiny secrets, and moderately sensitive data. This could include personally identifiable information with trusted contacts (don’t broadcast them in groups, though!).
However, it isn’t a good idea to use these 3rd party apps to share critical or authentication-related information. Login credentials of high-security systems, banking passwords, credit/debit card PINs, etc. shouldn’t be shared on these apps.
Remember that the Apps’ claim of their servers not being able to read your messages might be super comforting. However, they still store your messages, and it’s a matter of time before some intelligent hacker discovers a vulnerability and compromises these systems.
6B. Hacking Instances
There have been worrying hacking incidents in recent times on systems that we were assured of being 100% secure, like Apple, Samsung, Facebook, and even some international banks. Here, millions of customer data and credit card information of users was compromised.
No system in the world can claim to be absolutely unbreakable. A fast-growing community of intelligent hackers and automated tools constantly keep security experts on their toes.
In the case of E2EE too, there are concepts like ‘Man-in-the-Middle’ attack. Here, a hacker might compromise the secure transmission between two users. How? By impersonating a recipient, reading the messages, and then relaying them to the actual recipient to avoid detection (more on this in another article!).
So, yes, it is safe to use WhatsApp and similar apps, but with caution. Also, beware of some fake apps in the app store or play store pretending to be popular messaging apps.
7. Regulatory bodies vs. End-to-End Encryption
The ongoing tussle between secure messaging apps and governments in some countries gives rise to the following questions.
- If end-to-end-encryption is so great at protecting privacy and secure communication, why are apps like WhatsApp facing issues with regulatory bodies?
- Actually, the regulators are not against encrypted communication itself but the way it is being used (or misused). Anti-social elements, terrorists, scammers, or even fake news and propagandist radical groups use these channels to disrupt peace or to incite violence and more.
- In most countries, the Governments are asking messaging service providers to make available a safety mechanism.
- This will identify the first originator of a message so that in cases of socially disturbing viral content or in more severe cases – content that have caused damage to life and property – it becomes possible for law enforcement agencies to track down the culprits and book them for violations.
- It’s a noble idea, but also a nightmare for the service providers. In order to identify the originator of a message the provider will have to store and keep track of who sent what message.
- More importantly to be able to search for an offending message, they will have to decrypt the message on their servers (to find a match). And this breaks the very concept of end-to-end encryption if the service provider is able to read users’ messages.
- It will be interesting to watch how security experts will find a solution to this stalemate between regulators and service providers in such a way that on one hand privacy is ensured and on the other, illegal activities are traceable.
On the sidelines, if you are looking for a safe, secured and robust web hosting provider with a free SSL certificate and awesome support, do check out Hostinger.com
7. How does end-to-end encryption work for websites (HTTPS)?
So, E2EE works a little bit differently for HTTPS or Hypertext Transport Protocol over SSL (Secured Socket Layer). While that might sound very cryptic, it’s actually fairly straightforward. The way HTTPS works is slightly different from the WhatsApp style E2EE we’ve been talking about.
In this case, your web browser and the web server also use encryption to communicate securely but with a little twist. Here, they use a combination of both – Asymmetric Key and Symmetric Key Cryptography to ensure that your information is safe from hackers and eavesdroppers when it travels through public networks. You can read more about this in the article Safe Web: How HTTPS Works to Make Websites Safer