Well, I may want to have a say in what websites the employees at work access in their browsers. For example.

altairprime 4 hours ago | parent | next [-]

That’s not a meaningful issue here. Either snoop competently or snoop wire traffic, pick one.

In the snooping-mandatory scenario, either you have a mandatory outbound PAC with SSL-terminating proxy that either refuses CONNECT traffic or only allows that which it can root CA mitm, or you have a self-signed root CA mitm’ing all encrypted connections it recognizes. The former will continue functioning just fine with no issues at providing that; the latter will likely already be having issues with certificate-pinned apps and operating system components, not to mention likely being completely unaware of 80/udp, and should be scheduled for replacement by a solution that’s actually effective during your next capital budgeting interval.

▲

kccqzy 4 hours ago | parent | prev [-]

That’s usually done not on the network side but through the device itself. Think MDM and endpoint management.

▲

ocdtrekkie 4 hours ago | parent [-]

A good solution is tackling it on both. At work we have network level firewalls with separate policies for internal and guest networks, and our managed PCs sync a filter policy as well (through primarily for when those devices are not on our network). The network level is more efficient, easier to manage and troubleshoot, and works on appliances, rogue hardware, and other things that happen not to have client management.

▲

ekr____ 3 hours ago | parent [-]

Well, if you have MDM you should be able to just disable ECH.

	▲	ocdtrekkie 3 hours ago \| parent [-]
		This is also indeed done on both. Browser policies.