The announcement explains the benefit, near the bottom of the page:
What we call QUIC obfuscation builds on the MASQUE protocol described by RFC 9298 - Proxying UDP in HTTP. As the title of the RFC implies, QUIC obfuscation works by tunneling UDP through an HTTP server acting as a proxy. For a censor looking at the traffic being sent between a client and server, the traffic will appear as web traffic. HTTP is generally not blocked by state-level censors, since much of the internet would be unreachable without it.
Sad to say, this is not a good solution. Any firewall can be taught to detect this if it’s not using https. If it is, this usually requires state approved certificates, so any firewall can just man in the middle. I guess this targets the same gateway astorr bridges. Using big load balancers to shuttle traffic via an unblocked big IP like google toa an app in the google network that acts as a proxy. It works, butt not out of the box sadly.
The announcement explains the benefit, near the bottom of the page:
Oh yea. I am sorry but I used reading mode with tts and it cut off the bottom half without me noticing. Thanks for the reply
Sad to say, this is not a good solution. Any firewall can be taught to detect this if it’s not using https. If it is, this usually requires state approved certificates, so any firewall can just man in the middle. I guess this targets the same gateway astorr bridges. Using big load balancers to shuttle traffic via an unblocked big IP like google toa an app in the google network that acts as a proxy. It works, butt not out of the box sadly.
All the examples in the spec itself are https.
I guess that’s a magic bullet then… Just ensure you are using a certificate chain that’s not issued by a authority inside the country.
Along that line, I’d be self signing and requiring a specific client cert to allow connection.
But yes absolutely good point