On 19/10/18 14:09, Alex Rousskov wrote:
> On 10/19/2018 10:47 AM, Matus UHLAR - fantomas wrote:
>> On 10/19/2018 02:01 AM, Amish wrote:
>>> Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
>>> universal. (Of course it may be a few years away.)
>>> Probably the only way out to detect the domain name would be by implementing
>>> a CONNECT proxy instead of a transparent one.
>> On 19.10.18 09:51, Alex Rousskov wrote:
>>> Using forward proxies may not help as much: A CONNECT request that uses
>>> an IP address (instead of a domain name) is pretty much as uninformative
>>> as a TCP connection intercepted by a transparent proxy.
>> Disabling DNS in the internal network could help that a bit.
> ... until the browser starts using DNS over HTTPS (with a pinned
> certificate of the "resolving" HTTPS server)?
> Alex.
It is relatively easy to block DNS over HTTPS and I think there will be demand for that.
And I predict that Squid will have a feature to selectively block connections with ESNI to force clients to use the plain text SNI.
Marcus
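As an added illustration of what the thread is about (example code, not from the thread or from Squid): the peek that ssl_bump relies on is reading the plaintext server_name extension from the ClientHello, and a policy like the one Marcus predicts would key off whether that name is present or an encrypted replacement is. The ClientHello below is constructed rather than captured, and the ESNI/ECH extension codepoints are draft values assumed here.

```python
import struct

SNI_EXT = 0x0000    # server_name (RFC 6066)
ESNI_EXT = 0xffce   # encrypted_server_name, draft-ietf-tls-esni codepoint (assumed draft value)
ECH_EXT = 0xfe0d    # encrypted_client_hello, later ECH drafts (assumed draft value)

def build_client_hello(sni=None, extra_exts=()):
    """Construct a minimal ClientHello record for testing (constructed sample, not a capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        host = b"\x00" + struct.pack("!H", len(name)) + name     # name_type = host_name(0)
        body = struct.pack("!H", len(host)) + host                # ServerNameList
        exts += struct.pack("!HH", SNI_EXT, len(body)) + body
    for etype, edata in extra_exts:
        exts += struct.pack("!HH", etype, len(edata)) + edata
    hello = (b"\x03\x03" + b"\x11" * 32        # client_version + random
             + b"\x00"                          # session_id length 0
             + b"\x00\x02\x13\x01"              # one cipher suite (TLS_AES_128_GCM_SHA256)
             + b"\x01\x00"                      # one compression method (null)
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello   # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record

def peek_client_hello(record):
    """Return {'sni': str|None, 'extensions': [int]} the way a peeking proxy would see them."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    sni, types = None, []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        types.append(etype)
        if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:   # first entry is host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii")
        pos += 4 + elen
    return {"sni": sni, "extensions": types}

def classify(record):
    """Policy view: 'plaintext-sni', 'encrypted-sni' (ESNI/ECH present, no plain name) or 'no-sni'."""
    info = peek_client_hello(record)
    if info["sni"]:
        return "plaintext-sni"
    if ESNI_EXT in info["extensions"] or ECH_EXT in info["extensions"]:
        return "encrypted-sni"
    return "no-sni"
```

A real proxy would apply this only at the peek step and still needs to handle ClientHellos that span records or carry the name in a later ServerNameList entry.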
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users