echdeploy / draft-ech-deployment-considerations

IETF draft describing TLS ECH deployment considerations

Considerations for Institutions (e.g. educational institution) using Web Filtering after ECH #75

Open flyingeng opened 9 months ago

flyingeng commented 9 months ago

Several institutions offer Web Filtering to protect customers against malicious resources or inappropriate content. Web filtering is implemented either on a DNS basis or using SNI analysis via TLS-terminating middleboxes.

Once ECH is enabled, the latter will fail, and potentially the ECH mechanism will interpret the middlebox activity as an attack, with the result of breaking the connectivity.

While this can be solved by bigger enterprises with an update in the protection schema, for example relying on the fact that managed devices will have ECH disabled and for BYOD devices they can implement DNS-based protection, for smaller enterprises and institutions on a low IT budget this can be a big problem that needs education and guidelines.

A typical example is schools that offer students filtered Internet access: in many regions they MUST offer filtered Internet access, e.g. in the US the Children's Internet Protection Act (CIPA) requires that U.S. schools have appropriate measures in place to protect students from obscene or harmful online content.

After ECH enablement the filtering in schools using proxy-based analysis will cease to work, so an informational campaign is needed to assist the schools with the implementation of different filtering mechanisms.

Andrew-419 commented 8 months ago

Shared with David Wright for further comment.