
Can Someone See Encrypted Email?

Keeping your message safe from prying eyes.

Encrypted email cannot be sniffed, but chances are you aren't using encrypted email. I'll explain what I mean and what you might want to do.
Question: Can sniffers be used with encrypted email like Gmail? Aren’t https connections secure even for public/wireless connections? Someone told me Gmail was hacked by China. Can they do this?

There’s a misconception here I want to clear up: Gmail is not encrypted mail.

In fact, encrypted mail is rare, and often cumbersome to use.

I want to cover what encrypted mail means and how it relates to https.

And then I’ll talk about getting hacked.

TL;DR:

Can someone see encrypted email?

True encrypted email encrypts the message itself between sender and receiver. A web connection using https is not encrypted email: https encrypts only the connection between your web browser and the service you’re using. Encrypted email can be difficult to set up, but services like ProtonMail can make it easier. In any case, malicious software at either end of the conversation can always view messages before encryption or after decryption.

Encrypted email

“Encrypted email” implies the message you are sending is itself encrypted before it leaves your machine.

The great news about using this kind of encryption is that it doesn’t matter if the email message is being transmitted in the clear or not, or if someone accesses it at any point in transit.  The message is and remains encrypted until the recipient decrypts it.

The problem is that there is no pervasive standard for encrypted email.

Encrypting email messages today requires a little bit of savvy on both the sender and the recipient’s part, and typically requires specific email providers be used or additional software or encryption certificates be installed. On top of that, common encryption technologies are not necessarily compatible with each other.

In other words, email encryption remains a bit of a mess. For those sufficiently motivated, though, it is indeed possible.

For existing email accounts, I recommend the Enigmail extension to Thunderbird, which relies on PGP/GPG public-key encryption. It does take a bit of work to set up and coordinate with your intended recipients.

If you’re willing to set up a new account, I recommend ProtonMail. Email between ProtonMail users is encrypted by default. Email to recipients outside of ProtonMail is delivered as a notification that includes a website link allowing the recipient to view the message securely.

None of that relates to https, by the way.

Encrypted connections

Https encrypts your data while it is being transmitted between your computer and the remote server.

That means when you use a service like Gmail, a message is actually stored unencrypted on your machine and Google’s mail servers. Https encrypts the message, and anything else, only while that message is in transit between your computer and Google’s.

The good news is, https is a ubiquitous standard. It doesn’t suffer from the confusion around email encryption. All web browsers support it; it’s simply up to the service whether or not to make an https connection available. These days, almost all do.

Additional good news is that https protects you from the most common form of data sniffing: the wireless connection between your computer and your internet connection. As I’ve written about before, anyone with a laptop and the appropriate free software can listen in to unencrypted conversations at an open Wi-Fi hotspot. If your email messages themselves are not encrypted (and most are not), then https protects you.

A downside — sort of — is that https only protects the connection between your computer and the server. The message is stored in unencrypted form, transmitted between mail servers in potentially unencrypted form, stored on your recipient’s computer in unencrypted form, and may even have been downloaded to your recipient’s computer in unencrypted form, if they were not using https or an equivalent.
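
To check which kind of protection a given message actually had, the following added example (not part of the original article) reads a raw message and reports whether the message itself is encrypted (PGP/MIME, S/MIME or inline PGP) and which server-to-server hops recorded TLS in their Received headers. The hostnames, addresses and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not real traffic): plain-text mail with one non-TLS hop.
SAMPLE = """\
Received: from mx.recipient.example by imap.recipient.example
\twith ESMTPS id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.sender.example by mx.recipient.example
\twith ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from webmail.sender.example by relay.sender.example
\twith ESMTPSA id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

# RFC 3848 "with" keywords that record a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def message_encryption(msg):
    """Return how the message itself is encrypted, or None if it is not."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":                      # PGP/MIME, RFC 3156
        return "PGP/MIME"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME uses this type for signed-only mail too; check smime-type.
        if str(msg.get_param("smime-type", "")).lower() in ("enveloped-data", "authenveloped-data"):
            return "S/MIME"
    if not msg.is_multipart() and "-----BEGIN PGP MESSAGE-----" in msg.get_payload():
        return "inline PGP"
    return None

def relay_hops(msg):
    """List (receiving server, protocol, used_tls) per hop, oldest hop first."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())                     # unfold the header
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

def analyze(raw):
    msg = message_from_string(raw)
    return {"message_encryption": message_encryption(msg), "hops": relay_hops(msg)}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Received lines are written by each server along the path and can be forged by an earlier hop, so treat the result as what the servers claimed rather than as proof.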

Could someone else see encrypted email?

Could an encrypted email message have been seen? Yes.

Not to be too pedantic, but it has to be able to be seen by your recipient.

Could an encrypted email message have been seen by someone who isn’t supposed to see it? Yes again.

The most obvious possibility is that malware on your recipient’s computer can easily grab, copy, and “see” the email after it’s been decrypted and as it’s being displayed. The same is true for your machine before you hit Send — malware can easily see whatever you’re sending.

In either case, it might not even be “malware” per se, even though you might consider it so. Employers, for example, sometimes install spyware on the computers they own and you use in order to track your activity while at work. This spyware could easily see what you’re up to before a message is encrypted or after it’s decrypted.

Hacking Google

I do have to address the comment about Google being hacked.

Google was not hacked.

My recollection is that there was an attempt to infiltrate Google’s network using malware delivered as email attachments. But at no time were Google’s servers compromised.

Is it possible? Absolutely.

Is it likely? Not very. Seriously, I consider this possibility so extremely, extremely small as to be virtually impossible.

I definitely hear from people who are absolutely convinced that their email provider’s servers have been hacked, but in absolutely every case I’ve encountered, deeper inspection turns up some significantly more mundane explanation for whatever problem they’re seeing.

8 comments on “Can Someone See Encrypted Email?”

  1. I think this dovetails neatly into the other recent article about LockNote.
    Store your ‘e-mail’ in there, tell your recipient what the password is by some other method (SMS seems ideal for this) and take steps to make sure the program actually gets received their end.

  2. Personally, I regard e-mail as I do a postcard – that “anybody” can read it. That “anybody” usually means the postman – or any sorting-office staff en-route – i.e. people whom you trust, to a certain extent.

  3. Your answer is good, but it missed one of the points of the question. They asked if gmail can be sniffed. The specific answer is YES. Sniffing is done to communication in transit.

    However, even though someone can sniff your gmail, since it is HTTPS encrypted, the gmail traffic between your computer and the gmail server is reasonably secure.

    Unless of course they set up a Man-in-the-middle attack and intercepted your communication before the HTTPS encryption was in place.
    SSL Hijacking – http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part4.html

  4. I understand that it would be a major undertaking, but I don’t understand why a consortium can’t be formed to develop a protocol that all email programs and web interfaces can implement to have all emails encrypted like they did with https:. It’s more complicated, but entirely feasible and necessary. I’ve tried Enigmail but it only worked with one person who was savvy enough to implement it.

    • About “I don’t understand why”. Email encryption methods already exist, but are not necessarily used. See TLS and S/MIME. The latter needs public and private keys. If a consortium were to set up a system to encrypt all emails then it would face the typical challenges of acceptance, compatibility, hacking, updates, legal jurisdiction, usage hassles, etc. If this system showed promise to work any better than existing methods then governments would squash it dead real fast. If you think https is safely encrypted, then why worry about a separate email encryption since most emails are embedded in https anyway. Besides, just like https, any such email encryption would be in-transit encryption, not necessarily encrypted storage on servers or your own device. Of course, if emails were encrypted in transit, then every device would have to have the means of decrypting it, defeating the whole scheme if the decryption were to be user friendly, automatic and not require the user to keep passwords or keys.

  5. You wrote:

    “Can Someone See Encrypted Email?”

    Why yes, of course. But since it’s encrypted, then by very definition the only thing which that “someone” will actually see is incomprehensible gibberish. Heck, that’s what encryption is for! :)

    Just be sure to use a strong algorithm such as AES, Twofish, Gost, and at least two or three (plus many, many) etceteras.
