[squid-users] Is this the next step of SSL encryption? Fwd: Encrypted SNI
Alex Rousskov
rousskov at measurement-factory.com
Fri Oct 19 15:51:50 UTC 2018
On 10/19/2018 02:01 AM, Amish wrote:
> Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
> universal. (Of course it may be a few years away)
>
> Probably the only way out to detect the domain name would be by implementing
> a CONNECT proxy instead of a transparent one.
Using forward proxies may not help as much: A CONNECT request that uses
an IP address (instead of a domain name) is pretty much as uninformative
as a TCP connection intercepted by a transparent proxy.
Alex.
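
Added example, not part of the original message and not Squid code: a small script that measures how many CONNECT requests in a proxy log carry only an IP address, which is the case the reply above describes as uninformative. The sample lines are constructed and assume Squid's native access.log layout (method in the sixth field, target in the seventh); the function names are hypothetical.

```python
import ipaddress

# Constructed sample lines (documentation addresses), native access.log layout.
SAMPLE_LOG = """\
1539964310.123    152 192.0.2.10 TCP_TUNNEL/200 4512 CONNECT www.example.com:443 - HIER_DIRECT/198.51.100.7 -
1539964311.456     98 192.0.2.11 TCP_TUNNEL/200 3920 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1539964312.789    201 192.0.2.12 TCP_TUNNEL/200 8841 CONNECT [2001:db8::1]:443 - HIER_DIRECT/2001:db8::1 -
1539964313.012     45 192.0.2.10 TCP_MISS/200 1200 GET http://example.org/ - HIER_DIRECT/203.0.113.5 text/html
"""


def split_authority(target):
    """Split a CONNECT target (authority-form, host:port) into (host, port)."""
    if target.startswith("["):
        # Bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host, closing, rest = target[1:].partition("]")
        if not closing:
            raise ValueError("unterminated IPv6 literal: %r" % target)
        return host, rest[1:] if rest.startswith(":") else ""
    host, colon, port = target.rpartition(":")
    if not colon:
        return target, ""  # no port present
    return host, port


def classify_target(target):
    """Return 'ip' when the proxy sees only an address, 'name' otherwise."""
    host, _port = split_authority(target)
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"


def summarize(log_text):
    """Count CONNECT requests by whether the target names a domain."""
    counts = {"name": 0, "ip": 0}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        counts[classify_target(fields[6])] += 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
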