XMPP Service Operators - 2024-12-29


  1. Maranda

    To note that a good number of appliances now have the feature to block non-HTTP traffic on the HTTPS port... And usually QUIC is blocked by default.

  2. Kris

    Any reason why QUIC is blocked?

  3. Maranda

    Less introspection capability for filtering; often the Client Hello needs to be decrypted, so you may have issues just using SNI as well.

  4. moparisthebest

    Maranda: what? No. QUIC and TLS have the same introspection capabilities, with SNI and ALPN in the clear except when the brand-new ECH is used.

  5. moparisthebest

    > Any reason why QUIC is blocked?

    Just because it's new and these devices are old; things will catch up.

  6. Maranda

    > <moparisthebest> Maranda: what? No. QUIC and TLS have the same introspection capabilities, with SNI and ALPN in the clear except when the brand-new ECH is used.

    Do you realize you just acked what I said...? Anyways, no, you're wrong: "catching up" isn't as easy. And no, the devices I'm talking about are brand new. Catching up unfortunately has its caveats (aka the filtering engine has to mirror internally and decrypt the opening headers to catch SNI), but that adds a considerable amount of latency and computing overhead, which translates into bad UX. So it's just easier to drop QUIC altogether for now instead of risking inconsistent filtering.

  7. moparisthebest

    Slightly more annoying to filter, good. https://security.stackexchange.com/a/267938 Now we just need universal adoption of ECH to make connections impossible to filter 😁

  8. Brian

    That may take a while. For one, ECH is still in draft status after almost 6.5 years.

  9. moparisthebest

    Doesn't matter, it's already pretty widely deployed.