[squid-users] Is this the next step of SSL encryption? Fwd: Encrypted SNI

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Oct 19 16:47:17 UTC 2018


>On 10/19/2018 02:01 AM, Amish wrote:
>> Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
>> universal. (Of course it may be a few years away)
>>
>> Probably the only way out to detect the domain name would be by implementing
>> a CONNECT proxy instead of a transparent one.

On 19.10.18 09:51, Alex Rousskov wrote:
>Using forward proxies may not help as much: A CONNECT request that uses
>an IP address (instead of a domain name) is pretty much as uninformative
>as a TCP connection intercepted by a transparent proxy.

Disabling DNS in the internal network could help that a bit. That way
the browser will have to use the proxy to resolve hostnames, so they will be
available to the proxy.

There are networks separated from the internet, where even the DNS may not
be available, so browsers can't rely on DNS being available.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Despite the cost of living, have you noticed how popular it remains? 
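Added example, not from this thread or the Squid project: a small Python script that reads Squid native access.log lines (the sample lines are constructed) and counts how many CONNECT tunnels named a hostname versus an IP literal. That split is what Alex's point above turns on: an IP-literal CONNECT gives the proxy no more than an intercepted TCP connection would.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1539967637.123    412 10.0.0.15 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1539967640.456    300 10.0.0.15 TCP_TUNNEL/200 2048 CONNECT 203.0.113.7:443 - HIER_DIRECT/203.0.113.7 -
1539967641.789    120 10.0.0.22 TCP_TUNNEL/200 1024 CONNECT [2001:db8::1]:443 - HIER_DIRECT/2001:db8::1 -
1539967642.000     80 10.0.0.22 TCP_MISS/200 900 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""


def connect_target_kind(target: str) -> str:
    """Classify a CONNECT target of the form host:port as 'hostname' or 'ip-literal'.

    IPv6 literals are expected in brackets ([2001:db8::1]:443), as a browser
    sends them; a bare IPv6 address without a port is not handled.
    """
    host = target.rsplit(":", 1)[0]  # drop the port; brackets keep IPv6 intact
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "hostname"


def summarize_connects(log_text: str) -> Counter:
    """Count CONNECT requests by whether the proxy saw a hostname or only an IP."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # field 5 is the method, field 6 the request target
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        counts[connect_target_kind(fields[6])] += 1
    return counts


if __name__ == "__main__":
    print(summarize_connects(SAMPLE_LOG))  # Counter({'ip-literal': 2, 'hostname': 1})
```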