(TLS) Transport Layer Security & (PGP) Pretty Good Privacy
Why is encryption in transit important?
Encryption in transit helps protect your emails from being snooped on while they travel between you and your intended recipients. Unfortunately, billions of unencrypted emails are sent and received every day “in the clear,” presenting a prime target for eavesdropping and mass interception as they cross dozens of optical fibers and routers.
How does encryption in transit relate to HTTPS access to Gmail?
Since 2010, HTTPS has been the default when you’re signed into Gmail. This means that while your email travels between Google’s data centers and the computer you use to read your email, it’s encrypted and secure. This report is about something different: whether or not your email is protected by TLS when it travels outside Google’s data centers to the external mail server of the person you’re emailing.
We’ve turned on HTTPS for Gmail on our own, but when email is sent between different mail providers, both providers need to support TLS in order for the email to be encrypted in transit.
Why isn’t all email sent to or from Gmail encrypted in transit?
For decades, the default has been for email to travel across the Internet unencrypted—as if it was written on a postcard. Gmail is capable of encrypting the email it sends and receives, but only when the other email provider supports TLS encryption.
In other words, encrypting 100% of all email on the Internet requires the cooperation of all online mail providers.
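How a sending server finds out whether the other provider “supports TLS”: in SMTP the receiving server advertises the STARTTLS extension (RFC 3207) in its reply to the sender’s EHLO command, and the sender only upgrades the connection when that keyword is present; otherwise the message is delivered in the clear. The following is an added example, not code from the transparency report or from Google; the EHLO replies are constructed samples, and mx.example.net, mail.legacy.example and the function names are hypothetical.

```python
"""Decide whether a receiving SMTP server offers STARTTLS from its EHLO reply.

Added example (not part of the original report).  The parser runs offline
on constructed EHLO replies; probe_live asks a real host the same question
with the standard library and needs network access.
"""
import smtplib
from typing import Optional, Set

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_TLS = (
    "250-mx.example.net at your service\r\n"
    "250-SIZE 157286400\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_WITHOUT_TLS = (
    "250-mail.legacy.example at your service\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)
EHLO_ERROR = "502 Command not implemented\r\n"


def parse_ehlo(reply: str) -> Optional[Set[str]]:
    """Return the set of EHLO keywords, or None if the reply was not a 250.

    Per RFC 5321 every line of a multi-line 250 reply reads '250-KEYWORD ...'
    except the last, which reads '250 KEYWORD ...'.  The first line carries
    the server's greeting rather than an extension, so it is skipped.
    """
    lines = [line for line in reply.split("\r\n") if line]
    if not lines or not all(line[:3] == "250" for line in lines):
        return None
    keywords: Set[str] = set()
    for line in lines[1:]:
        if len(line) < 4 or line[3] not in "- ":
            return None  # malformed continuation line
        keyword = line[4:].split(" ", 1)[0]
        keywords.add(keyword.upper())
    return keywords


def offers_starttls(reply: str) -> bool:
    """True only when the server explicitly advertised STARTTLS."""
    extensions = parse_ehlo(reply)
    return extensions is not None and "STARTTLS" in extensions


def delivery_mode(reply: str) -> str:
    """What an opportunistic-TLS sender does with this server's reply."""
    return "encrypted (STARTTLS)" if offers_starttls(reply) else "cleartext fallback"


def probe_live(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Ask a real MX the same question.  Requires outbound network access."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        return code == 250 and smtp.has_extn("starttls")


if __name__ == "__main__":
    for name, reply in (("with TLS", EHLO_WITH_TLS),
                        ("without TLS", EHLO_WITHOUT_TLS),
                        ("error", EHLO_ERROR)):
        print(f"{name:12s} -> {delivery_mode(reply)}")
```

Note that this is the check the sending side can make; it shows the two outcomes the report counts (encrypted versus not), and an advertised STARTTLS keyword says nothing about whether the certificate presented afterwards is valid, which is a separate question the report’s figures do not address.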
What does “From X via Y” mean?
“From: gmail.com via google.com” means all messages with an envelope sender ending in @gmail.com or a subdomain of it, delivered from a host in the domain google.com or a subdomain of it. When the “via” domain is the same as the sender domain, it is omitted.
An ellipsis, as in “google.{...}”, means that several domains, such as google.com and google.co.uk, have been counted together. We try to do this only when we believe that like-named hosts process mail in the same way, which is not always the case.
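The labeling rule above, as an added example that is not part of the report: a message counts toward a “From: X via Y” label when its envelope-sender domain is X or a subdomain of X and its delivering host is Y or a subdomain of Y, and a label with no “via” part means X via X. The sample messages, addresses and host names below are constructed for illustration, and the function names are hypothetical. Domain grouping with “{...}” is not modelled here.

```python
"""Match messages against the report's "From: X via Y" labels.

Added example (not part of the original report).  The records are
constructed; the subdomain test uses a dot boundary so that a host such as
google.com.attacker.test or a sender at notgmail.com is not counted.
"""
from collections import Counter
from typing import Iterable, List, NamedTuple, Tuple


class Route(NamedTuple):
    sender_domain: str
    via_domain: str


def parse_label(label: str) -> Route:
    """'gmail.com via google.com' -> Route('gmail.com', 'google.com').

    A label without 'via' stands for the elided case, where the delivering
    host's domain equals the sender domain.
    """
    parts = [p.strip() for p in label.lower().split(" via ")]
    if len(parts) == 1:
        return Route(parts[0], parts[0])
    if len(parts) == 2:
        return Route(parts[0], parts[1])
    raise ValueError(f"malformed label: {label!r}")


def in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def sender_domain(envelope_sender: str) -> str:
    if "@" not in envelope_sender:
        raise ValueError(f"not an address: {envelope_sender!r}")
    return envelope_sender.rsplit("@", 1)[1]


def matches(label: str, envelope_sender: str, relay_host: str) -> bool:
    route = parse_label(label)
    return (in_domain(sender_domain(envelope_sender), route.sender_domain)
            and in_domain(relay_host, route.via_domain))


def count_by_label(labels: Iterable[str],
                   messages: Iterable[Tuple[str, str]]) -> Counter:
    """Count (envelope_sender, relay_host) records under each label."""
    counts: Counter = Counter()
    for sender, host in messages:
        for label in labels:
            if matches(label, sender, host):
                counts[label] += 1
    return counts


# Constructed records: (envelope sender, host that delivered the message).
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("alice@gmail.com", "mail-wr1-f41.google.com"),   # counts
    ("bob@mail.gmail.com", "smtp.google.com"),        # subdomains count
    ("carol@notgmail.com", "mx.google.com"),          # not a gmail.com sender
    ("frank@gmail.com", "google.com.attacker.test"),  # not a google.com host
    ("dave@example.org", "mx.example.org"),           # elided "via"
    ("erin@example.org", "relay.notexample.org"),     # host outside example.org
]
SAMPLE_LABELS = ["gmail.com via google.com", "example.org"]

if __name__ == "__main__":
    for label, n in count_by_label(SAMPLE_LABELS, SAMPLE_MESSAGES).items():
        print(f"From: {label}: {n}")
```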
How does encryption in transit relate to other forms of email encryption, like PGP?
PGP encrypts the content of your email in such a way that, if you do everything perfectly, nobody but you and the intended recipient will ever be able to see it. When a Gmail user receives a PGP-encrypted email, for example, Gmail is unable to index the content of the email for later searching, because Gmail cannot see the content. This tradeoff of convenience for additional security is especially appropriate for people who are at risk, and it adds a layer of protection that encryption in transit does not provide.
But encryption in transit adds a significant privacy benefit to PGP. PGP encrypts only the content of your email, not its headers (e.g. who is sending and receiving the email). An eavesdropper who “overhears” the delivery of a PGP-encrypted email will be able to see what address the message was delivered to, but not the content of the message. When a PGP-encrypted message is also encrypted by TLS while in transit, the sender and receiver of the message will not be visible to an eavesdropper on the connection between the two mail servers; the mail servers themselves still see the headers, since TLS protects each hop rather than the message end to end.