[dns-operations] need recommendation for filtering outbound HTTPS
Grant Taylor
gtaylor at tnetconsulting.net
Mon May 13 02:31:31 UTC 2019
On 5/12/19 6:36 PM, Paul Vixie wrote:
> to be clear, if there's a CONNECT verb, it's not bump-in-the-wire.
Please elaborate.
Are you saying that because the client is actively talking to the proxy
and as such it's not a transparent operation without the client's knowledge?
My understanding is that CONNECT is supposed to proxy at the TCP level,
not HTTP level. So Squid's (and I'm sure other proxies) behavior to
take the CONNECT (or transparent) and terminating it locally to to
function as an HTTP proxy, despite the CONNECT, seems like a MitM ~>
SSL-bump-in-the-wire to me. Perhaps the difference is in terms.
> also, in TLS 1.3 w/ encrypted SNI, the only way to do bump-in-the-wire
> is to force a downgrade to TLS 1.2. this is what i expect "next-gen
> firewalls" and the chinese "great firewall" to do. clients or servers
> who won't tolerate the downgrade will fail, but that will be seen
> by some network operators as the lesser cost (compared to allowing
> DoH through.)
I'm not convinced of that. Sure downgrading TLS 1.3 to 1.2 will make
things simpler.
However, if you block outgoing connections by default and explicitly
allow some connections, I think you can likely break DoH and DoT in that
they are not already explicitly allowed. As such the client will need
to fall back to regular unencrypted DNS to get the public key needed to
prime eSNI. Thus leaking data that can be used to filter connection.
I can't outline more details than that. But I feel like if you control
the choke point between the client and the Internet, including it's
unencrypted DNS, then you can do some things.
> i don't want to proxy everything. but the https proxy protocol, and
> socks, do not have a way to tell the initiator, "you don't need me
> for this connection, just try again without a proxy".
HTTP(S) and SOCKS proxy don't have that ability. But Proxy Auto
Configuration does and can tell clients to go DIRECT.
> TLS 1.3 w/ ESNI makes it impossible to be selective in what the
> forward proxy decrypts, it has to be everything.
I agree that it probably needs to be everything that comes to it. But I
think PAC can be leveraged to be more intelligent about what comes to it.
I say probably because I wonder just how far down the rabbit hole we can
go with the proxy initially intercepting TCP connection while pretending
to be the client to the upstream server before it could no longer
leverage kernel options to splice the two connections together while
stepping out of the mix.
There's always a TCP Reset and then not interfering with the next
packets between the two IPs.
It's not perfect. But it is enough to make me question things. The
questions are likely from a naive place. But they are questions none
the less.
> our alternatives and their costs have been carefully managed for
> us here.
That has never stopped me from asking questions and listening while
others explain why I'm wrong. ;-)
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4008 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190512/0992dc62/attachment.bin>
More information about the dns-operations
mailing list