
It's indeed pretty simple for TLS over TCP, since the whole ClientHello is part of the first packet and relatively easy to parse or seek for. With QUIC it becomes a major pain, since it's not obvious anymore for middleboxes which QUIC packet is the first in a connection, and since CRYPTO data can be fragmented and reordered (Chrome is doing that on purpose even inside single packets). Therefore hardware inspection would require a pretty full-featured QUIC protocol parser and understanding.
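To make the contrast in the comment above concrete, here is an added example (mine, not the commenter's, and not code from any real middlebox): a minimal SNI extractor that works on the first TCP segment of a TLS connection, next to the extra reassembly step a QUIC inspector needs because the same ClientHello arrives as CRYPTO frame fragments that may be reordered or split. The ClientHello bytes are constructed inline, and all function names are hypothetical. What the example deliberately leaves out is everything else a QUIC parser must do before it even sees a CRYPTO frame: find the Initial packet, strip the header protection, and decrypt the payload with the keys derived from the Destination Connection ID (RFC 9001). That is the "full-featured parser" the comment is talking about.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS record holding a minimal ClientHello with an SNI extension.
    Field values are arbitrary but well-formed; this is sample input, not captured traffic."""
    sni_name = hostname.encode()
    server_name = struct.pack("!BH", 0, len(sni_name)) + sni_name          # name_type host_name(0)
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    # An unrelated extension first (supported_versions, type 43) so the parser must skip correctly.
    sv_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = sv_ext + sni_ext
    body = (
        b"\x03\x03"                                   # legacy_version
        + bytes(32)                                   # random (zeros, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"          # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # TLS record header


def sni_from_client_hello(handshake: bytes):
    """Parse a ClientHello handshake message; return the SNI host or None.
    Every length is bounds-checked: the input is unauthenticated attacker-controlled bytes."""
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < body_len:
        return None                                   # truncated: ClientHello not fully present yet
    pos = 2 + 32                                      # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                                   # no extensions block
    ext_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack_from("!HH", body, pos); pos += 4
        ext_data = body[pos:pos + ext_size]; pos += ext_size
        if ext_type == 0x0000:                        # server_name
            p = 2                                     # skip ServerNameList length
            while p + 3 <= len(ext_data):
                name_type = ext_data[p]
                name_len = struct.unpack_from("!H", ext_data, p + 1)[0]
                p += 3
                if name_type == 0:
                    return ext_data[p:p + name_len].decode("idna")
                p += name_len
    return None


def sni_from_tcp_payload(payload: bytes):
    """TLS over TCP: the first segment starts with a TLS record header (type 0x16 = handshake),
    so one lookahead at a fixed position is enough."""
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack_from("!H", payload, 3)[0]
    return sni_from_client_hello(payload[5:5 + rec_len])


def reassemble_crypto(frames):
    """QUIC side: CRYPTO frames are (offset, data) pieces of the handshake byte stream and may
    arrive reordered, split within one packet, or overlapping (retransmits). Returns the
    contiguous prefix that has been received so far; parsing must stop at the first gap."""
    buf = bytearray()
    for offset, data in sorted(frames):
        if offset > len(buf):
            break                                     # hole in the stream, nothing past it is usable
        buf[offset:offset + len(data)] = data         # overwrite tolerates overlapping fragments
    return bytes(buf)


def sni_from_quic_crypto(frames):
    """QUIC carries TLS handshake messages directly in CRYPTO frames (no record layer)."""
    return sni_from_client_hello(reassemble_crypto(frames))
```

In practice the reassembly buffer is the part that hurts in hardware: state per flow, tolerance for gaps that may or may not be filled by a later packet, and no fixed byte offset to seek to, which is the difference between a fixed-position lookahead and a stateful parser.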


It's easier to just block QUIC. (And UDP in general, might as well)


Interesting, thanks for the insight.




