Hi,
I have seen that the common consensus around HTTPS URLFiltering seems to be run a web proxy to do the filtering of HTTPS URLs.
I imagine this is working by seeing the SNI and stopping the TLS handshake thus dropping the connection.
But as Cloudflare is pushing for encrypted SNI as an extension of TLS 1.3, how will we be filtering HTTPS URLs when/if encrypted SNI has a large uptake?
I think the web proxy will no longer be able to inspect the SNI to do the filtering right?
Hi,
sorry for my tardy reply.
If an application has a proxy configured, it passes the desired FQDN to it - the proxy machine must know that in order to establish a TCP connection to the right IP address.
To my knowledge, eSNI is therefore no issue for users of applications being capable to use a HTTP proxy.
Thanks, and best regards,
Peter Müller
Hi Peter,
Ok, yes I guess I should have realised if it was doing it at the TCP/IP level then it is a SOCKS proxy not a HTTP proxy.
Makes sense what you’re saying, thanks.
Found this, I guess for every HTTPS site a CONNECT request is made to Squid with the URL.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT
Hi,
yes, this is the usual procedure. Sometimes, crappy software does things wrong (i. e. by sending a GET request for a HTTPS destination), but the majority of common browsers behaves fine here.
Thanks, and best regards,
Peter Müller