[dns-operations] need recommendation for filtering outbound HTTPS
Paul Vixie
paul at redbarn.org
Thu May 16 18:34:38 UTC 2019
On Thursday, 16 May 2019 16:20:38 UTC Grant Taylor wrote:
> On 5/15/19 11:44 PM, Paul Vixie wrote:
>
> > Terminologically I've been calling that a downgrade rather than BITW,
> > because the only way I'm going to learn the SNI is if I act like I only
> > understand TLS 1.2 (and not 1.3) after intercepting the CONNECT and
> > forcing it to make its long-distance TLS connection to me instead of to
> > the real (remote) endpoint. ...
>
> I still don't understand why someone can't emulate the TLS 1.3 endpoint,
> presuming that they have the necessary information.
Because TLS 1.3 is specifically, and successfully, designed to prevent that. I
suggest reading up on why and how this goal was selected and achieved.
--
Paul
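Added example, not part of the thread or of any poster's code: what an outbound HTTPS filter can actually read from a handshake, and the mechanism TLS 1.3 uses to detect the kind of downgrade described above. The parser pulls the SNI and the supported_versions extension out of a ClientHello (both are sent in the clear by TLS 1.2 and TLS 1.3 clients, absent encrypted SNI / ECH), and the ServerHello check looks for the sentinel that RFC 8446 section 4.1.3 makes a TLS 1.3-capable server write into the last eight bytes of ServerHello.random when it negotiates TLS 1.2 or lower, which a TLS 1.3 client treats as a fatal error. All handshake bytes are constructed inline; "example.com", the all-zero random and the single cipher suite are placeholders.

```python
# Added example for the dns-operations thread; not code from any poster.
# Sample ClientHello bytes are constructed below; "example.com" is a placeholder.
import struct

# RFC 8446 section 4.1.3 downgrade sentinels (last 8 bytes of ServerHello.random).
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")   # "DOWNGRD\x01"
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")   # "DOWNGRD\x00"

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002b


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello (RFC 8446 section 4.1.2).

    Returns legacy_version, sni (str or None) and the versions offered in
    supported_versions as (major, minor) tuples, e.g. (3, 4) is TLS 1.3.
    """
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    off = 0
    legacy_version = tuple(hello[off:off + 2]); off += 2
    off += 32                                     # client random
    off += 1 + hello[off]                         # legacy_session_id
    cs_len = struct.unpack("!H", hello[off:off + 2])[0]; off += 2 + cs_len
    off += 1 + hello[off]                         # legacy_compression_methods

    info = {"legacy_version": legacy_version, "sni": None, "supported_versions": []}
    if off >= len(hello):
        return info                               # no extensions present
    ext_len = struct.unpack("!H", hello[off:off + 2])[0]; off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[off:off + 4]); off += 4
        edata = hello[off:off + elen]; off += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: u16 length, then (u8 name_type, u16 len, name)*
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0:                    # host_name
                    info["sni"] = name.decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:
            # ClientHello form: u8 length, then 2-byte versions, preferred first
            n = edata[0]
            info["supported_versions"] = [tuple(edata[i:i + 2]) for i in range(1, 1 + n, 2)]
    return info


def build_client_hello(sni: str, versions) -> bytes:
    """Build a minimal ClientHello record (constructed test data: zero random,
    one cipher suite, only the SNI and supported_versions extensions)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(entry)) + entry
    vs = b"".join(bytes(v) for v in versions)
    sv_ext = bytes([len(vs)]) + vs
    exts = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_ext)) + sv_ext)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"    # legacy_version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"  # TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                        # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def server_hello_downgrade(server_random: bytes):
    """Classify ServerHello.random: 'TLS1.2' or 'TLS1.1-' when a TLS 1.3 server
    has signalled that it negotiated below TLS 1.3, otherwise None."""
    tail = server_random[-8:]
    if tail == DOWNGRADE_TLS12:
        return "TLS1.2"
    if tail == DOWNGRADE_TLS11:
        return "TLS1.1-"
    return None


if __name__ == "__main__":
    ch = build_client_hello("example.com", [(3, 4), (3, 3)])
    print(parse_client_hello(ch))
    # A TLS 1.3-capable server that a middlebox has talked down to TLS 1.2
    # leaves the sentinel in its random; the real TLS 1.3 client then aborts.
    print(server_hello_downgrade(bytes(24) + DOWNGRADE_TLS12))
```

The point for a filter design: the SNI and the offered versions are readable off the wire without terminating TLS at all, so a policy decision on the name does not need a downgrade; what the sentinel shows is that a box which does terminate and re-originate as TLS 1.2 gets detected by any TLS 1.3 client talking to a TLS 1.3 server.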