[squid-users] Is this the next step of SSL encryption? Fwd: Encrypted SNI

Alex Rousskov rousskov at measurement-factory.com
Fri Oct 19 17:09:07 UTC 2018


On 10/19/2018 10:47 AM, Matus UHLAR - fantomas wrote:
>> On 10/19/2018 02:01 AM, Amish wrote:
>>> Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
>>> universal. (Ofcourse it may be few years away)
>>>
>>> Probably only way out to detect the domain name would be by implementing
>>> CONNECT proxy instead of transparent one.

> On 19.10.18 09:51, Alex Rousskov wrote:
>> Using forward proxies may not help as much: A CONNECT request that uses
>> an IP address (instead of a domain name) is pretty much as uninformative
>> as a TCP connection intercepted by a transparent proxy.

> disabling DNS in the internal network could help that a bit.

... until the browser starts using DNS over HTTPS (with a pinned
certificate of the "resolving" HTTPS server)?
 Alex.


More information about the squid-users mailing list