[squid-users] Is this the next step of SSL encryption? Fwd: Encrypted SNI

Marcus Kool marcus.kool at urlfilterdb.com
Fri Oct 19 17:19:09 UTC 2018



On 19/10/18 14:09, Alex Rousskov wrote:
> On 10/19/2018 10:47 AM, Matus UHLAR - fantomas wrote:
>>> On 10/19/2018 02:01 AM, Amish wrote:
>>>> Looks like ssl_bump is going to break once ESNI and Encrypted DNS are
>>>> universal. (Of course it may be a few years away)
>>>>
>>>> Probably the only way out to detect the domain name would be by implementing
>>>> a CONNECT proxy instead of a transparent one.
> 
>> On 19.10.18 09:51, Alex Rousskov wrote:
>>> Using forward proxies may not help as much: A CONNECT request that uses
>>> an IP address (instead of a domain name) is pretty much as uninformative
>>> as a TCP connection intercepted by a transparent proxy.
> 
>> disabling DNS in the internal network could help that a bit.
> 
> ... until the browser starts using DNS over HTTPS (with a pinned
> certificate of the "resolving" HTTPS server)?
>   Alex.

It is relatively easy to block DNS over HTTPS and I think there will be demand for that.
And I predict that Squid will have a feature to selectively block connections with ESNI to force clients to use the plain text SNI.

Marcus
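As an added illustration of the kind of check Marcus predicts (example code written for this page, not Squid's code and not from the thread): a small Python parser that walks a TLS ClientHello's extension list and reports whether it carries a plaintext SNI and whether it carries the draft ESNI extension (type 0xffce, the value used by the IETF ESNI drafts). The ClientHello bytes are constructed inline, and `policy()` is an assumed, simplified version of the "block ESNI to force plaintext SNI" rule.

```python
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ESNI_EXT = 0xFFCE  # encrypted_server_name, type used by the draft-ietf-tls-esni drafts


def build_client_hello(extensions):
    """Constructed sample ClientHello (not captured traffic) wrapped in a TLS record."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + b"\x11" * 32            # legacy_version + 32-byte random
            + b"\x00"                             # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname):
    """Encode a server_name extension carrying one host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type 0 = host_name
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)


def classify_client_hello(record):
    """Return {'sni': hostname or None, 'esni': bool} for a TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    result = {"sni": None, "esni": False}
    if pos + 2 > len(record):
        return result                         # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == ESNI_EXT:
            result["esni"] = True
        elif etype == SNI_EXT and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack_from("!H", data, 3)[0]
            result["sni"] = data[5:5 + name_len].decode("ascii", "replace")
    return result


def policy(record):
    """Assumed rule from the thread: refuse ESNI handshakes so the client falls back to plaintext SNI."""
    return "block" if classify_client_hello(record)["esni"] else "allow"
```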
