Ask HN: Why Are We Ignoring the Urgent Need for End-to-End Encrypted Emails?

[kbns]

We're all obsessed with making sure our chat apps like WhatsApp and Signal have end-to-end encryption (E2E), but we completely ignore emails. Emails can reveal a person's entire life story, far more than any chat app ever could.

Right now, if you want your emails to be E2E encrypted, you have to jump through hoops with third-party tools. It's clear that email giants like Google, Microsoft, and Yahoo are raking in profits and don't want to disrupt their spyware operations by adding E2E. It's infuriating! I demand to see E2E encryption as a standard for emails within my lifetime.

[msh]

There is a good technical essay (by experts) on why it's not possible in practice.

https://www.latacora.com/blog/2020/02/19/stop-using-encrypte...

[AnimalMuppet]

Because it's not urgent. To almost everyone, it's not urgent. No matter how urgent you think it is, almost nobody else cares.

There's no actual demand. That's why.

[LinuxBender]

you have to jump through hoops with third-party tools

I personally find it very easy to send PGP encrypted emails with Thunderbird. [1] Thunderbird makes encrypting email platform agnostic. I can switch vendors without losing my ability to maintain E2EE with friends and business partners. I have been able to get non technical friends and lawyers to use Thunderbird and PGP as they just follow the picture instructions.

This is just my own silly opinion but I would never personally rely on a platform to manage "E2EE" for me. If I do not generate and control the keys then I can not seriously call it E2EE. As such I do not consider WhatsApp and Signal to be end to end encrypted. That's just my personal opinion but perhaps I am just a bit touched in the head.

[1] - https://www.linuxbabe.com/security/encrypt-emails-gpg-thunde...

[malfist]

Even then, your content is encrypted, but not any of the metadata.

[LinuxBender]

If I need to protect metadata then I just have people SFTP encrypted files to me and keep everything off of all the shared platforms all together. For me personally that's a one-off as I rarely have such a need.

[486sx33]

It’s really because Microsoft and Google control such a huge percentage of email now

No one has their own email server anymore because your mail won’t get through to those platforms and you can’t touch the uptime… it’s a different sort of monopoly… a free-opoly?

[reify]

I dont send emails to anyone who has a gmail, googlemail. yahoo mail or microsoft or any of the other careless email providers.

It really is as simple as telling people that I do not reply to emails unless they respect my privacy and use an encrypted privacy oriented email provider.

I use the Protonmail SimpleLogin addon account to send them an annonymous email stating my terms for email correspondence.

It does work. then those same people move permanently to those email providers and start respecting my privacy and their own privacy.

One person at a time.

Its about time we imposed our own values regarding confidentiality and privacy.

you cannot wait for the brainwashed to move away from a life of giving up their privacy

[manuelmoreale]

How do you behave when someone has an email hosted on a custom domain name? Do you perform some checks to figure out if the service they’re using is up to your standard? And what if I didn’t trust your ProtonMail address? Would you be willing to switch to something else?

[486sx33]

Most people I know with custom domains for email use gsuite anyway.

I went the Apple route but it’s very restrictive (easy though).

[bdjsiqoocwk]

What do you do when you buy a ticket and the only way of receiving the ticket is by email? It won't be encrypted on their side. Do you just never travel?

What do you do when someone just sends you an email anyway? You have no option to prevent them from sending it.

[al_borland]

It's difficult, because no one company can do it on their own. Proton has encrypted email, but if you send an email to someone's Gmail account, or someone's email box at their personal domain, it's sitting on that server unencrypted at the end of the day.

Gmail owns a huge percentage of the market, which would go a long way, but like you alluded to, they aren't going to give up the email scanning they can do. Without that, I'm not sure Gmail is still worth it for them to run. They'd probably shut it down.

[landosaari]

Could someone explain what happened via telephony?

Telegraph->Operator->Rotary->Touch-tone->Cellphone.

It would seem everyone of these would be a next step in technology and protocols.

Sending a text message via rotary phone is probably not possible. However, calling a rotary phone via smartphone should work.

Is there a reason why newer protocols could not be implemented/enforced?

Whereby email from proton to tuta (and similar new email services) it acts differently than when sent to the older version of email (current method).

[ghoshbishakh]

You have already answered your question. Unless Google and Microsoft agree to implement a common E2E encryption standard for Gmail and Outlook, there is no hope.

The other hope is if some EU law does it for us :) . I am not aware if there are any discussions going in this direction.

[bdjsiqoocwk]

I believe it's because a while ago Mootie or whatever his name is wrote an influential article basically saying it's impossible (you should use his app instead). I guess people just accepted it.

[nullindividual]

The mail server has to read the body of the mail message, which throws out any E2E use. SMTP is from the 1980s. There are countless SMTP servers on the Internet. You want spam filtering? Server-side rules? Can't have E2E.

That, and more, is why E2E isn't available for SMTP-based email. Many modern SMTP servers support opportunistic-TLS, potentially securing email traffic between two SMTP servers. Or forced TLS when you know the target supports TLS connections.

This isn't some "money making" or "spyware" conspiracy. It is a product of history, decentralization, and momentum.

Comparing that to modern chat apps which can be built from the ground up and their messaging protocol doesn't rely on a 40 year old standard is disingenuous at worst, ignorant at best.

[kbns]

While I understand the challenges with SMTP-based email, dismissing privacy concerns as ignorance is unhelpful. It's not at all a technical difficulty—Modern threats demand updated solutions, and opportunistic-TLS isn't enough. Financial incentives and data monetization do play a role in the reluctance of major providers. If new protocols can secure chat apps, similar efforts should be made for email.

Users deserve better privacy protections despite historical constraints.

[nullindividual]

> It's not at all a technical difficult

Tell us how you'd implement it and be backwards compatible with existing SMTP servers.

> Financial incentives and data monetization do play a role in the reluctance of major providers.

Do you have evidence that they're preventing E2E SMTP from becoming an RFC?

[mike_hearn]

You technically can have spam filtering with e2e encryption by using confidential computing. It's just really hard and there isn't much market demand.