[Cryptography] What ever happened to end-to-end email encryption?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Aug 23 04:06:37 EDT 2021


Kevin W. Wall <kevin.w.wall at gmail.com> writes:

>It's more than just malware coming in. They are also concerned about
>sensitive data being exfiltrated via email as well. That's why there is such
>a big push with DLP. Where I work now, the incident response team gets an
>alert from the DLP solution when even a single SSN is emailed externally. It
>was similar at my former employer as well.

Any regulated industry (banking, insurance, medical, etc) sees this as a
bigger threat than anything else on the radar.  And it's not just data going
out, it's data coming in as well.  Some years ago a bank employee switched
jobs from $bank1 to $bank2, and brought a USB key branded with $bank1's
identity to work with them.  It was just some corporate-branded trinket, but
it caused panic at $bank2, from memory they arranged via lawyers to have it
returned to $bank1 via long-handled forging tongs or something.

This is causing serious problems with TLS 1.3 where it's an article of
religious faith that nothing and no-one can peer into the data stream, no
matter what.  Last I heard, many financial institutions weren't ever going to
switch to 1.3 because they couldn't see what was being tunnelled into and out
of their networks.

Peter.


