QUIC as a solution in my firewall currently
Posted Jan 29, 2018 21:22 UTC (Mon) by petur (guest, #73362)
Parent article: QUIC as a solution to protocol ossification
Posted Jan 30, 2018 1:27 UTC (Tue)
by bradfitz (subscriber, #4378)
[Link] (7 responses)
Posted Feb 2, 2018 3:52 UTC (Fri)
by TRS-80 (guest, #1804)
[Link] (6 responses)
Posted Feb 2, 2018 16:18 UTC (Fri)
by nybble41 (subscriber, #55106)
[Link] (5 responses)
That works for now because there is a fallback in place, so most sites continue to work (albeit more slowly) despite blocking QUIC. As QUIC becomes more popular, however, and incidences of brokenness diminish, that fallback ought to be phased out. At that point you will no longer be able to block QUIC without cutting yourself off from most of the Internet—and with the end-to-end principle restored, there will be much rejoicing among those trapped behind your overbearing middleware.
Posted Feb 2, 2018 17:46 UTC (Fri)
by TRS-80 (guest, #1804)
[Link] (4 responses)
The middlebox we use doesn't currently support ECDHE, so I doubt TLS 1.3 support will be on the cards any time soon either. That will be a big ossification point as well due to how middlebox unfriendly TLS 1.3 is.
Posted Feb 2, 2018 18:53 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link] (3 responses)
If you do have to comply with such laws, you can install blockers directly onto the endpoints rather than on midpoints.
Posted Feb 3, 2018 5:27 UTC (Sat)
by TRS-80 (guest, #1804)
[Link] (2 responses)
Posted Feb 4, 2018 3:59 UTC (Sun)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
This is how effective Internet blocking is against determined teenagers.
I understand that people still have to go through motions and pretend that precious little children are totally "protected" by filters. But I'm not seeing why this should be made any easier. It'd be good to stop this hypocrisy fest eventually.
Posted Feb 9, 2018 15:18 UTC (Fri)
by TRS-80 (guest, #1804)
[Link]
Ah, but then I can MITM and block it. I explicitly block QUIC at work because I can't inspect it. deal_with_it.gif
Perhaps, but they are students and I have a duty of care to protect them from the worst parts of the internet, therefore there is a middlebox between them and it. Is QUIC becoming used outside of Google anyway?
And then these students get their smartphones and jump right into the worst parts without anyone wiser...
Phones are not allowed in the classroom, and we tell parents not to give their students data access, or install a filter on it. Either way, you can't do proper blocking on an iOS, the only good solutions are an explicit proxy or always-on VPN, at which point we're back to middleboxes so you may as well do it transparently.
Well, if you can stop our parents being rich enough to hire lawyers in the case that little Johnny sees something inappropriate using school-provided technology, I'm sure I can update our risk matrix to obviate the need for the web filter. If they do it on parent-provided technology, that's then their problem, not ours.