by algesten 957 days ago
To protect myself or my company, what about a pihole (or similar) that rejects any TLS connection attempted with certs signed by these root CAs?

That's illegal then. But the pihole won't do the trick; you need to remove the mandated certs from your browser's cert store. If these certs are used for legitimate places (e.g. EU or state websites, and I'll bet they will) you then will get a certificate error.

Of course there is still HSTS, but that's not supported by all tech using TLS.

> If these certs are used for legitimate places (e.g. EU or state websites, and I'll bet they will) you then will get a certificate error.

Prediction: If this passes, users having to bypass cert errors will be the new cookie popup.

TLS 1.3 encrypts the server certificate, so it will not be possible to filter such connections out using just passive inspection.
Instead of a pihole, you'd run an HTTPS proxy that doesn't trust the certs, I guess.
Which HTTPS proxy are you referring to? HTTP proxies capable of forwarding HTTPS just offer the HTTP CONNECT method, which allows the client to tunnel a regular TCP connection and HTTPS inside it. These proxies do not do anything with certificates.