
How Does Encryption Keep You Safe Online?

HTTPS, end-to-end encryption, public keys — the math protecting every message, password, and payment you make.

Apr 22, 2026 · 7 min listen · 5 chapters
What you'll learn
  • Symmetric vs. asymmetric encryption explained simply
  • How HTTPS protects your browsing
  • End-to-end encryption in WhatsApp and Signal
  • Why quantum computing threatens current encryption

What encryption is doing for you

Encryption basics

Encryption protects data by transforming plaintext into ciphertext.

Two main families

  • Symmetric encryption: one shared secret key
  • Asymmetric encryption: a public key and a private key

Why both exist

  • Symmetric encryption is fast enough for bulk data
  • Asymmetric encryption solves key sharing between strangers

Real-world examples

  • AES, the Advanced Encryption Standard, protects files, disks, and network traffic
  • RSA and elliptic-curve cryptography help with key exchange and digital signatures

Core idea

The security comes from math problems that are easy to perform forward and hard to undo without the key.

$$C = E_k(P) \quad \text{and} \quad P = D_k(C)$$

Symmetric vs asymmetric encryption

| Type | Keys | Speed | Main use |
|---|---|---|---|
| Symmetric | 1 shared key | Very fast | Bulk data, files, network sessions |
| Asymmetric | Public and private key pair | Slower | Key exchange, identity, signatures |

A useful analogy: symmetric encryption is like one house key shared by two people. Asymmetric encryption is like a mailbox with a public slot. Anyone can drop a letter in, but only the owner can open the box.

How HTTPS secures a website connection

HTTPS and TLS

HTTPS is HTTP protected by TLS.

What TLS gives you

  • Confidentiality: outsiders cannot read the traffic
  • Integrity: attackers cannot change the traffic without detection
  • Authentication: the browser can verify the server identity

Why certificates matter

A certificate binds a domain name to a public key. Browsers trust certificates because they trust a chain of certificate authorities.

What HTTPS does not do

  • It does not hide the domain name from every observer in every case
  • It does not protect you from a malicious website you chose to visit
  • It does not make weak passwords safe

Concrete example

When you see a padlock in the browser, the page content is encrypted in transit. That is why a café Wi-Fi attacker cannot read your login form as it crosses the network.
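
The authentication property above depends on the client actually checking the certificate chain and the domain name. As an added example (not part of the original page), this Python sketch audits a client-side TLS configuration for the checks a program can switch off; the function names are assumptions made for illustration.

```python
import ssl


def audit_tls_client_context(ctx: ssl.SSLContext) -> list:
    """List the TLS protections a client context has given up (empty = none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Without chain verification, any certificate is accepted.
        problems.append("authentication: certificate chain is not verified")
    if not ctx.check_hostname:
        # Without the hostname check, a valid certificate for another domain passes.
        problems.append("authentication: certificate is not matched to the domain name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("deprecated protocol versions below TLS 1.2 are allowed")
    return problems


def strict_context() -> ssl.SSLContext:
    """Client context that keeps chain verification and the hostname check on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' configuration, shown for contrast."""
    ctx = strict_context()
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # traffic is still encrypted, but to an unverified peer
    return ctx


if __name__ == "__main__":
    for name, ctx in (("strict", strict_context()), ("weakened", weakened_context())):
        print(name, audit_tls_client_context(ctx) or "no problems found")
```

A connection made with the weakened context is still encrypted, but the client no longer knows who holds the other end of the tunnel.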

[Bar chart: Typical TLS handshake cost. Categories: Certificate checks, Key exchange, Session setup, Encrypted data transfer]

End to end encryption in messaging apps

End-to-end encryption

End-to-end encryption, or E2EE, means only the sender and intended recipient can read the message content.

Key properties

  • Messages are encrypted on the sender’s device
  • Messages are decrypted on the recipient’s device
  • The service provider cannot read message content

Real systems

  • Signal uses the Signal Protocol, including X3DH and Double Ratchet
  • WhatsApp uses the Signal Protocol for personal chats and calls

Security benefits

  • Forward secrecy protects old messages if a key is later exposed
  • Post-compromise security helps recover after a device is briefly compromised

Tradeoff

Metadata can still exist: who contacted whom, when, and how often.

[Illustration: A messaging app conversation showing sender device encrypting a message, server carrying ciphertext, and recipient device decrypting it, with locks on the message path]

Why this is stronger than normal HTTPS

HTTPS protects data between your device and a website. E2EE protects the content all the way to the other person’s device.

A useful analogy: HTTPS is like a secure tube between you and a bank branch. End-to-end encryption is like sealing a letter so only the person you wrote to can open it, even if many postal workers handle the envelope.

Why encryption works and where it can fail

Common failure points

Encryption can fail even when the algorithm is strong.

Typical weak spots

  • Stolen devices
  • Malware that captures data before encryption
  • Weak passwords used as keys
  • Poor key storage or accidental key sharing
  • Fake certificates or phishing sites

Important distinction

  • Encryption protects confidentiality
  • Digital signatures protect authenticity and integrity

Example

A bank can send you a signed software update. The signature proves the update really came from the bank and was not altered in transit.

$$\text{Security} \approx \text{Strong algorithm} + \text{Strong keys} + \text{Safe devices} + \text{Careful users}$$

Passwords and encryption

A password is not the same thing as an encryption key.

Good systems turn passwords into keys with slow, memory-hard algorithms such as Argon2, which won the Password Hashing Competition in 2015. That slows down brute-force attacks. A fast hash would let an attacker test billions of guesses far too quickly.

Analogy: a password is like the combination you remember. The key is the actual metal key that opens the lock. Systems should never treat a human-memorable password as if it were already a strong cryptographic key.
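
To make the password-versus-key distinction concrete, here is an added example that is not part of the original page. The page names Argon2; Python's standard library does not ship it, so this sketch swaps in scrypt, another memory-hard function, through `hashlib.scrypt`. The cost parameters and function names are assumptions.

```python
import hashlib
import secrets
import time

# scrypt cost parameters (assumed values; tune for your hardware).
# Memory use is roughly 128 * N * R bytes, about 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
KEY_LEN = 32  # 256-bit key, the size AES-256 expects


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a human-memorable password into a key with a memory-hard KDF."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def fast_key(password: str) -> bytes:
    """Weak approach shown for contrast: one fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def seconds_per_guess(fn, rounds: int) -> float:
    """Average time the derivation costs whoever tries one password guess."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess-{i}")
    return (time.perf_counter() - start) / rounds


def compare_guess_cost() -> dict:
    """Measure how much the slow KDF raises the price of each guess."""
    salt = secrets.token_bytes(16)  # random per-user salt, stored next to the ciphertext
    fast = seconds_per_guess(fast_key, 2000)
    slow = seconds_per_guess(lambda pw: derive_key(pw, salt), 3)
    return {"fast_s": fast, "slow_s": slow, "slowdown": slow / fast}


if __name__ == "__main__":
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # Same password, different salts: unrelated keys, so precomputed tables do not help.
    print(derive_key("correct horse", salt_a) != derive_key("correct horse", salt_b))
    print(compare_guess_cost())
```

The legitimate user pays the derivation cost once per login or unlock, while someone guessing passwords pays it for every candidate.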

Quantum computing and the future of encryption

Quantum threat to cryptography

What quantum computers threaten

  • RSA
  • Diffie-Hellman
  • Elliptic-curve cryptography

What they do not instantly break

  • Symmetric encryption like AES
  • Hash functions, though security margins change

Why the threat matters now

Attackers can record encrypted traffic today and wait for future decryption capability.

Post-quantum cryptography

NIST finalized its first post-quantum standards in 2024:

  • ML-KEM for key establishment
  • ML-DSA for digital signatures

[Line chart: Key size and brute force work. Series: AES-128, AES-256, RSA-2048, RSA-3072]

Transcript

Welcome to Slate. Today we're looking at "How Does Encryption Keep You Safe Online?" We'll cover symmetric vs. asymmetric encryption explained simply, how HTTPS protects your browsing, end-to-end encryption in WhatsApp and Signal, and why quantum computing threatens current encryption. Let's get into it.

When you send a password, a message, or a card number, encryption turns readable data into scrambled data called ciphertext. Only someone with the right key can turn it back. Think of it like putting a letter into a locked box before it leaves your hands. The box can travel through many places. The key travels only to the person who should open it. That simple idea protects almost everything online. There are two main kinds of encryption. Symmetric encryption uses one shared key for both locking and unlocking. It is fast. That is why it protects large amounts of data, like a video stream or a file on disk. Asymmetric encryption uses a key pair: a public key and a private key. The public key can be shared with anyone. The private key stays secret. This solves a hard problem: how do two strangers agree on a secret over an insecure network? The math underneath is not magic. It is built from problems that are easy to do one way and hard to reverse. For example, multiplying two large prime numbers is easy. Factoring the result back into those primes is hard. Modern systems mix both kinds of encryption. They use asymmetric cryptography to agree on a shared symmetric key, then use the faster symmetric method to protect the real traffic.

Here is what happens when you open a secure website. Your browser first checks the site’s certificate. That certificate says, in effect, this public key belongs to this domain. A trusted certificate authority signs that statement. Then the browser and the server run a handshake. They agree on encryption settings and create a fresh session key. After that, the page data moves through an encrypted tunnel. HTTPS means HTTP over Transport Layer Security, or T-L-S. The old name was Secure Sockets Layer, or S-S-L, but modern sites use TLS. The important part is that TLS gives you three protections at once. It hides the content from eavesdroppers. It makes tampering obvious. And it helps you know you reached the right site, not an impostor. Notice the pattern in the diagram. The certificate does not encrypt your whole session by itself. It helps establish trust at the start. The heavy lifting is done by symmetric encryption after the handshake. That design matters because public-key math is slower. In practice, a modern browser can set up a TLS session in a fraction of a second, even though the security model is doing a lot of work behind the scenes.

End-to-end encryption means the message is encrypted on your device and decrypted only on the recipient’s device. Not on the app company’s servers. Not by the Wi-Fi network. Not by the mobile carrier. That is why it is stronger than ordinary transport encryption. Signal is the clearest example. It uses the Signal Protocol, which combines the X3DH key agreement system with the Double Ratchet algorithm. The result is forward secrecy and post-compromise security. Forward secrecy means that if one key is stolen later, old messages stay protected. Post-compromise security means the system can recover after a temporary break-in. WhatsApp also uses the Signal Protocol for personal chats and calls. Group chats are encrypted too, though the exact management of group keys is more complex. The idea is the same: the service operator should not be able to read the content. This is also why metadata matters. Encryption can hide what you say, but not always who you talked to, when, or how often. That is the tradeoff. Think of end-to-end encryption as sealed envelopes. The postal service cannot read the letter, but it can still see the sender and recipient addresses on the outside.

Encryption is only as strong as its weakest link. The math may be solid, but people, devices, and software can fail. If an attacker steals your unlocked phone, encryption cannot save a message already displayed on the screen. If malware reads your keystrokes before they are encrypted, the ciphertext is useless because the secret was taken earlier. That is why key management matters so much. A strong algorithm with a weak password is still weak. For example, AES-256 is widely trusted, but if the key comes from a guessable password, the password can be attacked directly. Good systems use random keys and slow password hashing where human passwords are unavoidable. Digital signatures are another part of the story. They do not hide data. They prove who created it and whether it changed. That is how browsers trust certificates and how software updates can be verified. The diagram shows a simple rule: protect the key, and the message stays protected. Lose the key, and the lock is no longer useful. That is why security teams obsess over hardware security modules, secure enclaves, and careful rotation of secrets.

Quantum computers threaten some current public-key systems because they can run Shor’s algorithm. Peter Shor described it in 1994. On a sufficiently large, fault-tolerant quantum computer, Shor’s algorithm could factor large integers and compute discrete logarithms much faster than known classical methods. That would break RSA, Diffie-Hellman, and elliptic-curve cryptography. That does not mean all encryption falls. Symmetric encryption is in much better shape. Grover’s algorithm gives a square-root speedup against brute force, so doubling key sizes largely restores the margin. That is why AES-256 is viewed as a stronger long-term choice than AES-128 for some uses. The real concern is data that must stay secret for many years. An attacker can store encrypted traffic today and decrypt it later if quantum computers become practical. This is called harvest now, decrypt later. The response is post-quantum cryptography, or P-Q-C. In 2024, NIST finalized its first post-quantum standards: ML-KEM, based on CRYSTALS-Kyber, for key establishment; and ML-DSA, based on CRYSTALS-Dilithium, for digital signatures. The transition will take years, because software, certificates, and hardware all need updates.
