Where and how many times does encryption take place when we browse the internet?



  • I'm taking a cryptography course and what I've gathered so far is:

    - PGP takes place at the application layer
    - TLS takes place at the transport layer
    - IPsec takes place in the network layer
    - WPA2 Encryption takes place in the physical layer

    I understand the protocols and such but don't really get how they are used in practice. Does any one of the above protocols take place? Are they all used at the same time?

    For example say I'm sending an email to a friend. Will it first be encrypted with PGP by the application, then by TLS at the transport layer, then by IPsec in the network layer, and then by WPA2 in the physical layer? Or is any single one of the above done? Consider I'm sending an email over an HTTPS connection through a VPN and am connected to a router using WPA2.

    If encryption and decryption are happening multiple times, is it safe to remove all but one of the above? If not, what is the purpose of using each of them together?



  • The answer is that they all protect against different kinds of eavesdropping, so they are not at all in use at the same time, and are not always relevant. For instance:

    1. WPA2 protects the physical link layer, but only in the case of WIFI communication. WPA2 is what stops someone else on your WIFI network from listening to the traffic between your computer and your router. Once your network traffic leaves the WIFI router and goes to the "internet", this is no longer relevant, and the traffic between your WIFI router and your ISP is likely unencrypted by default.
    2. TLS can be used in a variety of protocols, but the simple example is for HTTP when talking to a web server. In that case, TLS is used to encrypt the communication between your web browser and the web server (e.g. security.stackexchange.com) that you are communicating with. This means that if you were only communicating with services that used TLS, it wouldn't matter as much whether your WIFI network was protected with WPA2. Similarly, the fact that you are using TLS to communicate with web servers is important because, most likely, the physical layer from your router to the web server is otherwise unencrypted, so if you didn't use TLS then anyone in between your router and the web server would be able to read your requests and responses (like in the early days of the internet when HTTP was more commonplace). Lack of TLS and lack of WPA2 made it possible for someone in a coffee shop to take over the Facebook accounts of everyone using Facebook on the same network.
    3. PGP is not really used by default anywhere, but for your average user, is most likely to be used for email. Email is an especially tricky one because email servers don't always talk to each other over encrypted channels, and since the communication is being handled between email servers rather than your computer and a destination computer directly, you have less control. PGP seeks to encrypt your emails before they leave your computer in a way that can only be decrypted by the final recipient, so it would be an example of end-to-end encryption. As the name implies, the goal of this is to ensure that any communication can be decrypted only by the two communicating parties, regardless of whether or not the systems that are transmitting the data use encryption themselves. Theoretically, when using end-to-end encryption, encryption at all other layers becomes redundant.

    The trouble, as you might gather from the above descriptions, is that many encryption systems can only encrypt certain parts of the communication channel. As a result, even if it was possible to "remove all but one", it wouldn't be a good idea because sometimes your encryption "stops" at unexpected places.

    For example, theoretically, if I'm only browsing HTTPS websites then I don't need to worry about WIFI encryption. However, you might be surprised when someone still knows what domains you visit because your computer makes DNS requests in plain text. You probably won't care that the exact pages you visit are encrypted when everyone can still see that you are visiting https://some-obscure-and-private-sexual-fetish.example.com.


