Hello, all. I am working for a censorship vendor company. My company is a censorship member of Guangzhou International Internet Exchange. I can confirm that some of the things you mentioned are correct. This TLS-in-TLS detection system is not real-time censorship; they automatically collect data connections with high-speed transmission or cumulative traffic greater than a preset value. These pcap packets will be sent to different vendors for detection, just like the popular COVID-19 PCR test. If the vendor reports that there is proxy data in the pcap, we push a rule to the edge bypass routing facility near the user for BGP FlowSpec reroute. These images were not sent by firewall operations staff, and it is certain that these vendors violated some confidentiality policies. Based on the existing data, these vendors can only detect the fingerprints of TLS 1.2 and TLS 1.3. So using a legacy TLS protocol like TLS 1.0 or TLS 1.1 is a good choice; you can also use SM algorithms, as these protocols will not be detected. Of course, there is only one way to avoid this detection, and that is to abandon E2E: use self-signed certificates to sign these proxy websites after decryption on the server side, and then the plaintext is sent to the client through a single TLS layer. This can ensure that TLS-in-TLS is not detected.