TLS Encrypted Client Hello (ECH) - will break CFS without DPI-SSL
BWC
Google (Chrome) and Mozilla (Firefox) are planning to implement the encryption of the Client Hello process.
If you're using DPI-SSL this should not have much impact, but if you solely rely on "HTTPS Content Filtering" in your CFS settings, you will be out of luck sooner or later.
One step further away from scanning at the perimeter.
--Michael@BWC
Category: Mid Range Firewalls
3 Comments
Is it safe to say Google Chrome v118 already has this feature? I'm starting to see how Google Chrome just passes by my URI list of forbidden sites and even my forbidden categories.
@JaviSD, you can easily check this with a Packet Monitor on the firewall: if you can see the requested address in the Client Hello as cleartext, it's not encrypted.
I tested this with the latest Google Chrome on macOS and the Client Hello had the extension server_name filled with the requested Server Name, no DPI-SSL involved.
--Michael@BWC
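A way to automate the check Michael describes on a captured TLS record, as an added example that is not from this thread or from SonicWall: it walks the ClientHello extensions and reports the cleartext server_name and whether the encrypted_client_hello extension (type 0xfe0d from draft-ietf-tls-esni) is present. The two sample hellos are constructed here; a real capture would be fed in as the raw TLS record bytes.

```python
import struct

SNI_EXT = 0x0000   # server_name
ECH_EXT = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni)

def parse_client_hello(record):
    """Return {'sni': outer server_name or None, 'ech': ECH extension present}
    for a raw TLS record (bytes) that carries a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # legacy_compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT:
            # ServerNameList: 2-byte list length, 1-byte type (0 = host_name), 2-byte length, name
            name_len = int.from_bytes(data[3:5], "big")
            result["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == ECH_EXT:
            result["ech"] = True
    return result

def sni_ext(host):  # encode a server_name extension body for one host_name
    name = host.encode("ascii")
    return struct.pack("!HBH", len(name) + 3, 0, len(name)) + name

def build_client_hello(extensions):
    """Constructed minimal ClientHello record (sample input, not a real capture)."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32)              # legacy_version, random (zeros here)
            + b"\x00"                             # empty legacy_session_id
            + b"\x00\x02\x13\x01"                 # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a classic hello, and an ECH hello whose outer SNI is only the cover name.
PLAIN_HELLO = build_client_hello([(SNI_EXT, sni_ext("forbidden.example"))])
ECH_HELLO = build_client_hello([(SNI_EXT, sni_ext("public.example")),
                                (ECH_EXT, b"\x00" * 16)])  # placeholder ECH payload
```

Note that an ECH ClientHello still carries a server_name, set to the public name from the server's ECH config, so a filled-in server_name alone does not prove the real hostname is visible to CFS; the presence of the 0xfe0d extension is the telltale.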
It wasn't related. Thanks @BWC, this info made us decide to finally implement DPI-SSL CFS.
The Feisty Duck is quacking about that topic in its current newsletter. I highly recommend keeping an eye on this water bird, always a great source of information.
I guess it'll need a while until servers supporting ECH are broadly available.
--Michael@BWC