by superuser2 3544 days ago
>All encrypted traffic is typically decrypted by the recipient.

The use-cases for inspection at the corporate firewall are often explicitly about catching cases where the recipient isn't policing itself:

- the device is compromised, exfiltrating company secrets, but has been rigged to send false reports to the central antivirus server saying it's clean.

- the device is not something it makes sense to install a host-based IDS/firewall/AV on.

- the device is assigned to a broker-dealer who is using a non-work email account to give fraudulent advice to clients off the record.

In an enterprise IT environment, "the recipient" is the company, and the company has internal controls, often required by law or regulation, that involve i.e. people who are not salesmen or traders (IT, compliance, legal, etc) knowing what information flows into and out of the sales and trading departments.


>- the device is compromised, exfiltrating company secrets, but has been rigged to send false reports to the central antivirus server saying it's clean.
>
>- the device is not something it makes sense to install a host-based IDS/firewall/AV on.
>
>- the device is assigned to a broker-dealer who is using a non-work email account to give fraudulent advice to clients off the record.

So, because banks fail at keeping their devices secure, TLS 1.3 must be weakened? I don't see a convincing case here.

The third point especially seems a bit ridiculous: non-work accounts can probably be used from anywhere, why would said broker-dealer bother using the bank's network for his fraudulent activities? If he controls his device, he can use an LTE USB stick, an external VPN with a cipher of his choice etc. ...

>The use-cases for inspection at the corporate firewall are often explicitly about catching cases where the recipient isn't policing itself

But I don't want financial institutions to use clients that can't be trusted to police themselves.

Yeah? Neither do they.