[Cryptography] What ever happened to end-to-end email encryption?
Kevin W. Wall
kevin.w.wall at gmail.com
Sun Aug 22 13:03:27 EDT 2021
On Sat, Aug 21, 2021 at 10:51 PM Phillip Hallam-Baker <phill at hallambaker.com>
wrote:
> I have given much thought to this question but as Karl Marx said, the
> point is to change it. Comments inline and at the end.
>
> On Fri, Aug 20, 2021 at 8:30 PM R Perlman <radiajpc at gmail.com> wrote:
>
[...snip...]
>
>> - Big companies do not want end-to-end encryption of email. They want
>> to have middleboxes be able to scan for phishing links and perhaps they are
>> legally required to keep records of all email sent to or from company email
>> addresses.
>>
> Big companies do not want malware vectoring in. That is a slightly
> different concern. SMTP is worn out at this point. Middleboxes to scan spam
> are a kludge to deal with the fact that the protocol is default insecure.
> DKIM does not change that very much either.
>
> If you want to do end-to-end encryption, you have to deal with these
> issues and more. End to end means something very different in the
> enterprise context. If Alice sends an order to Bob by email and Bob falls
> under a bus, the corporation needs to read the email because the
> relationship is with them and not with Bob.
>
It's more than just malware coming *in*. They are also concerned about
sensitive data being exfiltrated via email as well. That's why there is
such a big push with DLP. Where I work now, the incident response team gets
an alert from the DLP solution when even a single SSN is emailed
externally. It was similar at my former employer as well.
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
| OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
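
An added illustration of the DLP point in the message above (not code from the post or from any DLP product): a minimal outbound check that alerts on a single SSN sent to an external address, and that shows an S/MIME-encrypted message gives the scanner nothing to inspect. The domain `corp.example`, the function names and the sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"   # assumption: the organisation's own mail domain
# Parts a middlebox cannot read. S/MIME signed-only data shares the second type
# and is not distinguished here.
OPAQUE_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}
# Candidate SSNs written AAA-GG-SSSS (dash or space); range checks are in valid_ssn().
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

def valid_ssn(area, group, serial):
    """Reject numbers the SSA never issues, to cut false positives."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def external_recipients(msg):
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in addrs if a and not a.lower().endswith("@" + INTERNAL_DOMAIN)]

def scan_outbound(raw):
    """Report what a DLP middlebox can conclude about one outbound message."""
    msg = message_from_string(raw)
    external = external_recipients(msg)
    hits = opaque = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in OPAQUE_TYPES:
            opaque += 1                      # ciphertext: nothing to inspect
        elif ctype.startswith("text/"):
            charset = part.get_content_charset() or "utf-8"
            body = part.get_payload(decode=True).decode(charset, "replace")
            hits += sum(valid_ssn(*m.groups()) for m in SSN_RE.finditer(body))
    return {"external": external, "ssn_hits": hits,
            "alert": bool(external) and hits >= 1,    # a single SSN is enough
            "blind": bool(external) and opaque > 0}   # left the company unscanned

# Constructed sample messages (not real data).
HDR = "From: alice@corp.example\nTo: bob@partner.example\nSubject: form\n"
PLAIN = HDR + "Content-Type: text/plain; charset=utf-8\n\nSSN 123-45-6789, ref 000-12-3456\n"
SMIME = HDR + ("Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n"
               "Content-Transfer-Encoding: base64\n\nAAAA\n")

if __name__ == "__main__":
    for name, raw in (("plaintext", PLAIN), ("S/MIME", SMIME)):
        print(name, scan_outbound(raw))
```

The `blind` flag is the enterprise concern in the thread: once the body is encrypted end to end, the only policy choices left to the middlebox are to pass or block the message unread.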