undefined | Better HN

0 pointsfiddlerwoaroof5y ago0 comments

You can snoop SNI and use that to block traffic, right? In another thread, someone suggested also stripping the keys for encrypted SNI from DNS queries which, when combined with a firewall that attempts to make a DoH query to every new SNI name it sees might potentially work.

0 comments

kelnos5y ago

For now. Encrypted SNI is in development and will eventually be used by devices and apps that want to do this sort of thing and hide what they're doing.

fiddlerwoaroofOP5y ago

The solution to that is pretty simple. ESNI, I believe, requires encryption keys in DNS records: if you control DNS, you control ESNI. ECH might be harder to deal with, but you can always just block HTTPS connections you don’t want to support. Also, will some sort of certificate fingerprinting still work?

j / k navigate · click thread line to collapse

0 comments

kelnos5y ago

For now. Encrypted SNI is in development and will eventually be used by devices and apps that want to do this sort of thing and hide what they're doing.

fiddlerwoaroofOP5y ago

j / k navigate · click thread line to collapse