End-to-end encryption (E2EE) is the process of encrypting data between devices so that only the sender and the receiver can view the contents of the message. This cybersecurity method encrypts messages before they’re sent and then decrypts them after they are successfully delivered. As a result, E2EE secures messages — and the data contained within them — that might have been vulnerable in the past and allows only the two communicating parties to access and read the message.
What does E2EE protect the user from, and why is it important?
If you imagine the flow of a message from one person to the next as a conversation, E2EE essentially protects these communications from eavesdroppers, or worse, bad actors intentionally looking to access private data in these messages. It also prevents cybercriminals from getting their hands on the cryptographic keys required to decode the encrypted data.
One significant benefit of E2EE is that it’s extremely effective in protecting against man-in-the-middle (MITM) attacks. This a specific type of cyberattack where the perpetrator inserts himself in between two parties but secretly accesses, relays, and even alters their communications. They may think they are in direct contact with each other but could fall victim to the man in the middle’s infiltration.
What doesn’t E2EE protect us from?
Despite its widespread use and many strengths, E2EE doesn’t always represent an end-all and be-all security approach. The following are a few different examples where it may not prevent a compromise.
- Keystroke loggers: Let’s face it: If the bad guys have a key-logging application installed on your system, they may be able to log reverse-engineer passwords and cryptographic keys in plain text and, ultimately, gain access to confidential data in the transmission.
- Metadata: It’s important to note that E2EE does a great job safeguarding all of the information, but it does not conceal the metadata associated with a message. This is typically information such the names of the parties and the time and date the message was sent. If this information alone is especially appealing, cybercriminals may become even more determined to attack either of the two parties or their companies.
- Decoded, stored data: It may be obvious, but it’s still worth saying. Once information is decrypted and ultimately stored, it becomes the same as any other data — susceptible to the same threat vectors, vulnerabilities and attacks. (More evidence that most companies need the combination of the right policies and cybersecurity solutions to maximize their protection.)
- Compromised endpoints: If either party’s endpoints become compromised, a bad actor may be able to see a message before it can be encrypted or after it is decrypted. Unfortunately, this is how many MITM attacks happen — attackers gain access to the keys before the parties realize it and use them to their full advantage.
How does E2EE differ from encryption in transit?
In some cases, messaging providers may claim to offer full E2EE, but what they really offer is closer to encryption in transit. This is another technique that only encrypts data as it goes from one device to an intermediary server somewhere in between the end destination. The data is decrypted and re-encrypted at each stage in the process, but it increases vulnerability and could potentially allow unauthorized individuals from intercepting the messages and taking control of their data.
Encryption in transit is the most popular type of data encryption in use today. Only a small percentage of companies have adopted the more secure E2EE method. Yet the tide is beginning to turn: Many messaging providers are now adopting E2EE to provide better service and differentiate their offerings.
What are the benefits of E2EE?
- Ensures data is secure: With E2EE, the recipient is the only user with access to the private key to decrypt the data. Data on the server can’t be read by attackers because they do not have the private keys to decrypt the information.
- Protects privacy: Providers like Google and Microsoft can read your data. When you use their service, data is decrypted on their servers. If data is decrypted on their servers, then malicious actors and unwanted third parties can read it, too.
- Protects admins: Since admins don’t hold the decryption keys to decrypt the data, any attack that targets administrators will come up short.
What are the differences between symmetric and asymmetric encryption?
Symmetric encryption uses the same key to encrypt and decrypt data. Both parties have identical copies of the key, to be kept secret and not shared with anyone else.
Asymmetric encryption, on the other hand, uses two keys — a public key (that anyone can access) to encrypt information and a private key to decrypt information.
While symmetric encryption algorithms are extremely secure — and could take billions of years to break with brute-force attacks — its use of a single, secret cryptographic key to encrypt and decrypt information is its biggest vulnerability. if this secret key is stored in an insecure location on a computer, then attackers could gain access to it using software-based attacks, enabling them to decrypt the encrypted data and thereby defeating the entire purpose of symmetric encryption.
Common messaging applications that use E2EE
Today there are several messaging applications that rely on E2EE, such as Microsoft Teams, WhatsApp, Slack, Facebook Messenger, Zoom, and MatterMost.
Interested in learning more? Visit the Acronis Article Library for complete information on a wide variety of cybersecurity topics and how you can improve your overall security posture — for your company or your clients.
Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 2,000 employees in 45 locations. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by 18,000 service providers to protect over 750,000 businesses.