The German initiative “E-mail made in Germany” promises encrypted e-mail communication for everyone. Yet when users are not aware of it, there is a risk that their communication is not completely secured.

Some of the largest German e-mail providers – GMX, web.de, T-Online, 1&1, Strato and Freenet – want to make encrypted e-mail available to everyone. To this end they have joined forces and started the program “E-Mail made in Germany”. Since 2014 it has been meant to provide a secure connection between the participating providers and enable their users to send e-mails securely.

While this is a welcome approach, there are still shortcomings in practice that have to be overcome and that call the initiative’s actual level of security into question.

A limitation of “E-mail made in Germany” that has been known for quite a while is that it only offers transport encryption. With transport encryption, e-mails are secured in transit between client and server as well as from server to server. However, they are not encrypted while they are (temporarily) stored on the providers’ servers, which makes them accessible, and therefore at risk, at that point. The alternative would be so-called end-to-end encryption, where the e-mail’s content is encrypted all the way from the sender to the recipient. While some providers offer this standard, it is usually only optional and not widely implemented.

Security experts currently report yet another risk: user data are secured only to a limited degree when users log in via the standard login page of one of the providers. In this case, users enter via a standard unencrypted HTTP page instead of a secured HTTPS one.
When logging in through an unsecured HTTP page, users put their data in jeopardy of being sent to the server unencrypted and therefore of being intercepted.

While the various providers do have alternative login pages that are actually secured, these pages are not the standard starting page and are hard for the common user to find. Furthermore, it is questionable whether a security technology is fully practicable when the user has to grapple with the technology behind it in order to be fully protected. Security software should be as easy and seamless to use as possible in order to gain acceptance.