On 10/19/2018 02:01 AM, Amish wrote:
>> Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
>> universal. (Of course it may be a few years away.)
>> Probably the only way out to detect the domain name would be implementing
>> a CONNECT proxy instead of a transparent one.

On 19.10.18 09:51, Alex Rousskov wrote:
> Using forward proxies may not help as much: A CONNECT request that uses
> an IP address (instead of a domain name) is pretty much as uninformative
> as a TCP connection intercepted by a transparent proxy.
Disabling DNS in the internal network could help with that a bit. That way
the browser will have to use the proxy to resolve hostnames, so they will be
available to the proxy.
There are networks separated from the internet, where even the DNS may not
be available, so browsers can't rely on DNS being available.
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Despite the cost of living, have you noticed how popular it remains?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users