On Wed, 4 Jan 2023, ?ngel wrote:
> There are no transparent proxies for https. They would either pass traffic without inspecting it, or they would need to break the TLS connection to MITM it, and -unless the client has installed a CA for the proxy- cause all https connections to fail due to an untrusted certificate.
I suggest you read up about the problem that ESNI is supposed to solve. As someone who runs an https transparent proxy that does SNI inspection and egress filtering, I can assure you they do exist and will break ovpn running on port 443. You might argue that it's not a proxy - it doesn't, and cannot, cache content - but so much content is dynamic now anyway that caching isn't particularly useful except for things like debian packages. Egress filtering is still possible.

It's frustrating that so much effort goes into defeating government-level inspection of end-user traffic and so little goes into defeating the countless IoT trojan horses in our homes. Indeed, I wouldn't be surprised if the long-term result of the current trajectory is authoritarian regimes using phones to spy on people in their homes with no way to block it (other than turning the phone off - but that already works today, so ESNI isn't needed).
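As an added illustration, not part of either poster's message: the first-packet inspection the reply describes, reduced to a self-contained Python script. A transparent filter on outbound :443 only needs the first client-to-server bytes of a flow: if they are a TLS ClientHello it reads the plaintext server_name extension and checks it against an allowlist; if they are not TLS at all (OpenVPN over TCP on port 443, for instance), the flow is dropped without any MITM or CA install. The ClientHello records below are constructed by the script, not captured traffic; the allowlist and the OpenVPN sample (a 2-byte TCP length prefix followed by the P_CONTROL_HARD_RESET_CLIENT_V2 opcode with key id 0, padded with zeros) are assumptions made for the example.

```python
import struct

TLS_HANDSHAKE = 0x16     # record content type
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # server_name extension, RFC 6066

# Hypothetical allowlist for the example: exact hosts, plus any subdomain of them.
ALLOWED = {"deb.debian.org", "security.debian.org"}

# Constructed approximation of the first TCP payload of an OpenVPN session:
# 2-byte length prefix, opcode byte (7 << 3 | key id 0 = 0x38), session id, ...
OPENVPN_TCP_HARD_RESET = bytes.fromhex("0030" "38") + b"\x00" * 45


def build_client_hello(server_name=None):
    """Build a minimal, syntactically valid TLS ClientHello record (constructed sample).
    Only the fields an SNI filter walks past are realistic; random is all zeros."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        sni_list = struct.pack("!BH", 0, len(host)) + host          # host_name entry
        sni_body = struct.pack("!H", len(sni_list)) + sni_list        # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03" + b"\x00" * 32                  # client_version, random
        + b"\x00"                                   # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # compression_methods: null
        + struct.pack("!H", len(exts)) + exts       # extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(data):
    """Return the host_name from a TLS ClientHello, None if it carries no SNI.
    Raises ValueError when the bytes are not a (complete) TLS ClientHello record."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE or data[1] != 0x03:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < rec_len or len(rec) < 4 or rec[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                        # client_version, random
        pos += 1 + hello[pos]                               # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                               # compression_methods
        if pos >= len(hello):
            return None                                     # no extensions block
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_body = hello[pos:pos + ext_body_len]
            pos += ext_body_len
            if ext_type != EXT_SERVER_NAME:
                continue
            lpos = 2                                        # skip ServerNameList length
            while lpos + 3 <= len(ext_body):
                name_type = ext_body[lpos]
                name_len = struct.unpack("!H", ext_body[lpos + 1:lpos + 3])[0]
                lpos += 3
                name = ext_body[lpos:lpos + name_len]
                lpos += name_len
                if name_type == 0:                          # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def egress_decision(first_packet, allowed_hosts=ALLOWED):
    """Filter verdict for the first client bytes of an outbound :443 flow."""
    try:
        sni = extract_sni(first_packet)
    except ValueError as exc:
        return ("block", f"not TLS on 443: {exc}")      # e.g. OpenVPN, SSH, plain HTTP
    if sni is None:
        return ("block", "ClientHello without SNI")
    if sni in allowed_hosts or any(sni.endswith("." + h) for h in allowed_hosts):
        return ("allow", sni)
    return ("block", f"SNI {sni!r} not on allowlist")


if __name__ == "__main__":
    for label, pkt in [("debian mirror", build_client_hello("deb.debian.org")),
                       ("other host", build_client_hello("www.example.org")),
                       ("no SNI", build_client_hello(None)),
                       ("openvpn/tcp", OPENVPN_TCP_HARD_RESET)]:
        print(f"{label:14s} -> {egress_decision(pkt)}")
```

The verdict is made on plaintext metadata only, so the client's certificate validation is untouched and no proxy CA is needed; that is exactly why ESNI/ECH is the counter to it: with ECH the filter sees only the outer public name of the client-facing server, and a policy like the one above degrades to allowing or blocking that whole front end.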