Security

    TLS 1.3 and Encrypted SNI: what changes for network security

    TechLeague Editorial · 7 min read

    Encryption is winning. TLS 1.3, ESNI/ECH and DoH break the cheap inspection shortcuts of the last decade: reading the certificate, filtering on SNI, sinkholing DNS.

    TLS 1.3

    • Everything after ServerHello is encrypted, so the server certificate and most extensions are no longer readable on the wire. Passive decryption with a copy of the server's private key is gone too: TLS 1.3 only does ephemeral (EC)DHE.
    • SNI-only filtering breaks once ECH is in play. The real server name sits in an encrypted inner ClientHello; the outer SNI you can still read is only the provider's public name. (ESNI was the earlier draft; ECH is what shipped in browsers.)

    Decryption

    • A TLS-terminating forward proxy still works when endpoints trust your enterprise CA. The proxy is the "server" the client negotiates with and does not offer ECH, and managed browsers can be told not to attempt ECH at all (Chrome's EncryptedClientHelloEnabled policy).
    • Plan for performance: TLS 1.3 leaves active termination as the only inspection option, which means two full handshakes and two sets of session keys per connection instead of one passive decrypt.

    DNS

    • DoH/DoT let hosts bypass a classic DNS sinkhole: queries travel inside TLS on 443/853 and never reach the resolver that holds your block list.
    • Force the corporate resolver: hand it out via DHCP, pin it with NRPT on Windows, block outbound 853 and known DoH endpoints on 443, and keep browsers on the system resolver (Firefox honours the use-application-dns.net canary; Chrome has the DnsOverHttpsMode policy). ECH keys are fetched from DNS as well (HTTPS records), so the resolver you control decides whether clients ever learn them.
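    Because ECH keys reach the client through DNS HTTPS (type 65) records, the resolver you force everyone onto is also where you can see them and, if policy says so, withhold them. The following is an added example, not the article's code: it decodes an HTTPS record's RDATA per RFC 9460 and rebuilds it without the ech parameter, including the case where the record's "mandatory" list names ech (a client would reject a record whose mandatory key is missing). The record bytes are constructed for the example and the helper names are mine.

```python
"""Decode an HTTPS (type 65) record's RDATA and strip its ECH SvcParam.

Added example, not the article's code. RDATA layout follows RFC 9460
(SvcPriority, TargetName, SvcParams in ascending key order). The sample
record is constructed inline, not a captured DNS answer.
"""
import struct

SVCB_KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                  4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
MANDATORY_KEY, ALPN_KEY, ECH_KEY = 0, 1, 5


def _read_name(data: bytes, pos: int):
    """Uncompressed wire-format name (SVCB TargetName is never compressed)."""
    labels = []
    while data[pos] != 0:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return (".".join(labels) + "." if labels else "."), pos + 1


def _encode_name(name: str) -> bytes:
    if name == ".":
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def parse_https_rdata(rdata: bytes) -> dict:
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = _read_name(rdata, 2)
    params = []                                   # (key, raw value) in wire order
    while pos + 4 <= len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        params.append((key, rdata[pos:pos + length]))
        pos += length
    return {"priority": priority, "target": target, "params": params}


def decode_alpn(value: bytes) -> list:
    """alpn value: sequence of 1-byte-length-prefixed protocol ids."""
    ids, pos = [], 0
    while pos < len(value):
        n = value[pos]
        ids.append(value[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ids


def has_ech(rdata: bytes) -> bool:
    return any(k == ECH_KEY for k, _ in parse_https_rdata(rdata)["params"])


def strip_ech(rdata: bytes) -> bytes:
    """Rebuild RDATA without the ech SvcParam. If 'mandatory' lists ech, that
    entry is removed too (and the whole mandatory param if nothing remains),
    otherwise clients would reject the record as malformed."""
    info = parse_https_rdata(rdata)
    out = struct.pack("!H", info["priority"]) + _encode_name(info["target"])
    for key, value in info["params"]:
        if key == ECH_KEY:
            continue
        if key == MANDATORY_KEY:
            keys = [k for (k,) in struct.iter_unpack("!H", value) if k != ECH_KEY]
            if not keys:
                continue
            value = b"".join(struct.pack("!H", k) for k in keys)
        out += struct.pack("!HH", key, len(value)) + value
    return out


def build_sample_https_rdata(with_ech: bool) -> bytes:
    """Constructed: priority 1, target '.', alpn h2/http1.1, ipv4hint 192.0.2.1 (TEST-NET-1)."""
    params = [(ALPN_KEY, b"\x02h2\x08http/1.1"), (4, bytes([192, 0, 2, 1]))]
    if with_ech:
        params.insert(0, (MANDATORY_KEY, struct.pack("!H", ECH_KEY)))
        # dummy ECHConfigList: 2-byte list length, one ECHConfig (version 0xfe0d, 8 zero bytes)
        params.append((ECH_KEY, b"\x00\x0c\xfe\x0d\x00\x08" + bytes(8)))
    rdata = struct.pack("!H", 1) + b"\x00"
    for key, value in params:                      # keys ascending: 0,1,4,5
        rdata += struct.pack("!HH", key, len(value)) + value
    return rdata


if __name__ == "__main__":
    raw = build_sample_https_rdata(with_ech=True)
    print([SVCB_KEY_NAMES.get(k, k) for k, _ in parse_https_rdata(raw)["params"]], has_ech(raw))
    print([SVCB_KEY_NAMES.get(k, k) for k, _ in parse_https_rdata(strip_ech(raw))["params"]])
```

    A resolver that rewrites answers this way only affects clients that actually use it, which is why the forcing controls above come first; a host on its own DoH resolver gets the ech parameter regardless.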

    Identity

    • When the payload is opaque, fingerprint the handshake instead. The ClientHello itself stays in cleartext even with ECH (only the inner copy is hidden), so JA3/JA4 hashes over its ciphers, extensions and groups still identify TLS stacks and tooling. Caveat: JA3 depends on extension order and is defeated by Chrome's extension shuffling; JA4 sorts the lists and ignores GREASE, so prefer it for detection content.
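    The points in the TLS 1.3 and Identity bullets above in code: the ClientHello remains readable, with ECH its SNI is only the public name, and JA3/JA4 work on exactly those readable fields. This is an added example, not code from the article. It builds a constructed TLS 1.3 ClientHello with GREASE values and an ECH extension, parses it following the RFC 8446 layout, derives the JA3 string and shows what an SNI-only policy can still decide. Names such as sni_policy_verdict and build_sample_client_hello are mine, the bytes (including the ECH payload) are made up, and only JA3 is computed; JA4 is described in a comment.

```python
"""Parse a TLS ClientHello: outer SNI, ECH presence, and a JA3 string.

Added example, not code from the article. The sample ClientHello is built
inline (constructed, not a capture); field offsets follow RFC 8446.
"""
import hashlib
import struct

SNI_EXT = 0x0000
SUPPORTED_GROUPS_EXT = 0x000A
EC_POINT_FORMATS_EXT = 0x000B
ECH_EXT = 0xFE0D  # encrypted_client_hello codepoint used by the ECH drafts


def is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) look like 0x?a?a with matching high nibbles."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 12) == ((v >> 4) & 0x0F)


def _u16(b: bytes, pos: int) -> int:
    return struct.unpack("!H", b[pos:pos + 2])[0]


def parse_client_hello(record: bytes) -> dict:
    """Return version, cipher list, extension order, SNI, ECH flag and JA3."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = _u16(body, 0)
    pos = 2 + 32                        # legacy_version + random
    pos += 1 + body[pos]                # legacy_session_id
    cs_len = _u16(body, pos)
    pos += 2
    ciphers = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                # legacy_compression_methods
    end = pos + 2 + _u16(body, pos)
    pos += 2
    exts = []                           # (type, data) in wire order
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts.append((etype, body[pos:pos + elen]))
        pos += elen
    ext_data = dict(exts)

    sni = None
    if SNI_EXT in ext_data:             # ServerNameList: first host_name entry
        d = ext_data[SNI_EXT]
        if len(d) >= 5 and d[2] == 0:
            sni = d[5:5 + _u16(d, 3)].decode("ascii")
    groups, formats = [], []
    if SUPPORTED_GROUPS_EXT in ext_data:
        d = ext_data[SUPPORTED_GROUPS_EXT]
        groups = [_u16(d, i) for i in range(2, 2 + _u16(d, 0), 2)]
    if EC_POINT_FORMATS_EXT in ext_data:
        d = ext_data[EC_POINT_FORMATS_EXT]
        formats = list(d[1:1 + d[0]])

    # JA3 = version,ciphers,extensions,groups,point_formats (decimal, '-' joined, GREASE dropped).
    # JA4 differs: it sorts ciphers and extensions, so Chrome's extension shuffling does not change it.
    dash = lambda xs: "-".join(str(x) for x in xs if not is_grease(x))
    ja3 = ",".join([str(version), dash(ciphers), dash(t for t, _ in exts), dash(groups), dash(formats)])
    return {
        "version": version, "ciphers": ciphers, "extensions": [t for t, _ in exts],
        "sni": sni, "ech": ECH_EXT in ext_data,
        "ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest(),
    }


def sni_policy_verdict(info: dict, blocklist: set) -> str:
    """What an SNI-only filter can decide. With ECH the outer SNI is only the
    provider's public name, so the real destination is invisible to it."""
    if info["ech"]:
        return f"opaque: ECH present, outer SNI {info['sni']!r} is the public name"
    return "block" if info["sni"] in blocklist else "allow"


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_sample_client_hello(outer_name: str, with_ech: bool) -> bytes:
    """Constructed TLS 1.3-capable ClientHello with GREASE values, not a real capture."""
    name = outer_name.encode("ascii")
    ciphers = [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]     # GREASE first
    exts = _ext(0x1A1A, b"")                                         # GREASE extension
    exts += _ext(SNI_EXT, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    exts += _ext(0x002B, b"\x04\x03\x04\x03\x03")                    # supported_versions: 1.3, 1.2
    exts += _ext(SUPPORTED_GROUPS_EXT, b"\x00\x04\x00\x1d\x00\x17")  # x25519, secp256r1
    exts += _ext(EC_POINT_FORMATS_EXT, b"\x01\x00")
    exts += _ext(0x000D, b"\x00\x04\x04\x03\x08\x04")                # signature_algorithms
    if with_ech:
        # ECHClientHello (outer): type 0, HPKE suite, config_id, enc, payload; dummy bytes
        exts += _ext(ECH_EXT, b"\x00\x00\x01\x00\x01\x2a\x00\x02\xaa\xbb\x00\x04\xde\xad\xbe\xef")
    body = b"\x03\x03" + bytes(range(32)) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name, ech in (("blocked.example", False), ("public.example.net", True)):
        info = parse_client_hello(build_sample_client_hello(name, ech))
        print(info["sni"], info["ech"], info["ja3"], sni_policy_verdict(info, {"blocked.example"}))
```

    Run it and the two cases fall out side by side: the plain ClientHello yields a blockable SNI and a JA3 string, while the ECH one yields the same kind of JA3 string but an SNI that is only the public name, so the fingerprint is the part of the policy that survives ECH.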

    Strategy

    • Decrypt where you must (and are permitted to), allow where you can't, and log metadata everywhere: outer SNI or public name, fingerprint, destination, volume and timing.

    Train modern crypto-aware security in a TechLeague tournament.