[dns-operations] need recommendation for filtering outbound HTTPS

Paul Vixie paul at redbarn.org
Thu May 16 18:34:38 UTC 2019

On Thursday, 16 May 2019 16:20:38 UTC Grant Taylor wrote:
> On 5/15/19 11:44 PM, Paul Vixie wrote:
> > terminologically i've been calling that a downgrade rather than BITW,
> > because the only way i'm going to learn the SNI is if i act like i only
> > understand TLS 1.2 (and not 1.3) after intercepting the CONNECT and
> > forcing it to make its long-distance TLS connection to me instead of to
> > the real (remote) endpoint.  ...
> I still don't understand why someone can't emulate the TLS 1.3 endpoint,
> presuming that they have the necessary information.

because TLS 1.3 is specifically, and successfully, designed to prevent that. i 
suggest reading up on why and how this goal was selected and achieved.


More information about the dns-operations mailing list