Quick note for 24:00 where he mentions “people can’t see the URLs”. I’m fairly certain the author is aware but to clarify to the viewers: TLS absolutely does still leak URLs. TLS versions up to and including 1.3 exchange the server certificate and / or hostname in clear text. With the exception of new TLS extensions like eSNI, ECH, etc. this means URLs can and absolutely are found. Even the older firewalls like firepower can do certificate / SNI inspections and create ACLs using them. As a real world example, the firewall mentioned in the video that China uses also completely blocks TLS 1.3 extensions that enable encryption. (E.g. eSNI / ECH / etc) Most enterprise firewalls as well do passive detection and give admins the option to simply block privacy extensions (e.g. FortiGates blocking QUIC, FortiGates allowing a “FailClose” approach to DNS resolution, etc). Super interesting stuff, great talk!
Quick note for 24:00 where he mentions “people can’t see the URLs”. I’m fairly certain the author is aware but to clarify to the viewers: TLS absolutely does still leak URLs. TLS versions up to and including 1.3 exchange the server certificate and / or hostname in clear text. With the exception of new TLS extensions like eSNI, ECH, etc. this means URLs can and absolutely are found. Even the older firewalls like firepower can do certificate / SNI inspections and create ACLs using them.
As a real world example, the firewall mentioned in the video that China uses also completely blocks TLS 1.3 extensions that enable encryption. (E.g. eSNI / ECH / etc) Most enterprise firewalls as well do passive detection and give admins the option to simply block privacy extensions (e.g. FortiGates blocking QUIC, FortiGates allowing a “FailClose” approach to DNS resolution, etc). Super interesting stuff, great talk!