On Monday, 11 March 2019 21:44:06 UTC Eric Rescorla wrote:
> On Mon, Mar 11, 2019 at 11:13 AM Paul Vixie <p...@redbarn.org> wrote:
>
> > > Enterprise networks are already able to block DoH services,
> >
> > i wonder if everyone here knows that TLS 1.3 and encrypted headers is
> > going to push a SOCKS agenda onto enterprises that had not previously
> > needed one,
>
> I'm pretty familiar with TLS 1.3, but I don't know what this means. TLS 1.3
> doesn't generally encrypt headers any more than TLS 1.2 did, except for
> the content type byte, which isn't that useful for inspection anyway.
> Are you perchance referring to encrypted SNI? Something else?
yes, i mean encrypted SNI, and i apologize for saying "encrypted headers".

> encrypted SNI, an extension to the TLS 1.3 protocol that improves privacy of
> Internet users by preventing on-path observers, including ISPs, coffee shop
> owners and firewalls, from intercepting the TLS Server Name Indication
> (SNI) extension and using it to determine which websites users are
> visiting. (https://blog.cloudflare.com/encrypted-sni/)

what this means is, if someone is concerned that some of the web sites
reachable through some CDN are dangerous, they can no longer operate a
mostly-transparent edge gateway, to permit or forbid transactions on a case
by case basis. rather, they will have to use SOCKS or similar, and blackhole
the CDN from being reached other than from the SOCKS/similar proxy.

this significantly increases policy enforcement costs, probably placing them
outside the budget of most small/medium companies, and all home networks.
and that's the intent.

so:

> Enterprise networks are already able to block DoH services,

that's old-think.

vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
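The mechanism Vixie is describing, a transparent edge gateway that keys its per-site policy on the cleartext SNI in the TLS ClientHello, can be illustrated with a small parser. The following is an added example, not code from this thread or from any IETF project: it builds a minimal ClientHello (constructed sample bytes, not a capture), extracts the `server_name` extension the way an on-path gateway would, and returns an "undecidable" verdict when that extension is absent. The ESNI case is modelled here simply by omitting the cleartext `server_name` extension (an assumption made for the example; the real ESNI draft carries an encrypted extension instead); the hostnames and blocklist are likewise constructed.

```python
import struct

RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000        # RFC 6066 server_name extension
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.3-style ClientHello record (sample data, not a capture).

    When sni is None no cleartext server_name extension is emitted, which is how this
    example models an encrypted-SNI hello from the gateway's point of view (assumption).
    """
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host     # name_type=host_name(0)
        name_list = struct.pack("!H", len(name)) + name
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    sv = b"\x02\x03\x04"                                         # supported_versions: TLS 1.3
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (
        b"\x03\x03"                                  # legacy_version = TLS 1.2
        + bytes(32)                                  # client random (zeros in this sample)
        + b"\x00"                                    # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the cleartext SNI host_name from a ClientHello record, or None if absent or malformed."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip legacy_version and random
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                             # skip session id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                             # skip compression methods
    if pos + 2 > len(body):
        return None                                  # hello carries no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if len(edata) != elen:
            return None
        if etype != EXT_SERVER_NAME:
            continue
        if len(edata) < 5:
            return None
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(edata)):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            host = edata[q:q + nlen]
            q += nlen
            if ntype == 0 and len(host) == nlen:
                try:
                    return host.decode("ascii")
                except UnicodeDecodeError:
                    return None
        return None
    return None


def gateway_decision(record, blocked_hosts):
    """Per-site verdict a transparent gateway can reach from the ClientHello alone."""
    sni = extract_sni(record)
    if sni is None:
        return "undecidable"                         # no cleartext SNI: the policy cannot be applied here
    return "block" if sni.lower() in blocked_hosts else "allow"
```

The "undecidable" branch is the point of the email: once the name is no longer in the clear, a gateway sitting on the path has nothing to key its case-by-case policy on, and the decision has to move to a proxy the client explicitly connects to.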