How will sslsplit handle quic? #300
Comments
|
Just to add, downgrading should work if you just block 443/udp - clients will fail over to https/tcp |
|
@trifle could you please elaborate on this? If I reject incoming UDP connections on port 443 to the client (e.g. by setting |
|
@daMatz Disclaimer: I haven't investigated this extensively. Handling connection failures is generally clients' responsibility (so has nothing to do with the server). This means that when you block UDP, browsers will need to figure out what to do next. There is a passage in the standard stating:
So yes, we can generally assume clients will fall back to TCP, but it is an open question whether they actually do. I can imagine some clients to just error out either due to laziness, ignorance or malice. |
Alright thanks! I have to check how the behaviour is in my case, as I'm looking at mobile applications and different network libraries 👍 |
|
I'd be very interested in your results, so if you could drop a quick comment - even with a rough impression - that would be great! |
This is not a bug report; I'm trying to learn how quic will affect MITM in general and sslsplit in particular.
In short, quic - wikipedia is an UDP-based protocol that is seeing increasing adoption in place of http/2.
It seems that MITM on quic is not entirely impossible - mitmproxy seems to be working on it (branch here, issue discussion).
Given that especially large sites are rapidly switching over to quic, it seems desirable to have an option of decrypting or at least downgrading it to http in sslsplit.
The text was updated successfully, but these errors were encountered: