This is probably the best path forward for getting large enterprises not to block TLS 1.3 deployment but I can’t help but wonder how effective these monitoring systems actually are. There are so many ways to exfiltrate data and attackers have decades of prior art around obfuscating their activity, and it seems incredibly expensive to try to solve this problem at the network level rather than by committing that budget to better controls around sensitive data, locking down clients, etc.
Possibly, but this is both very costly and imposes a non-trivial risk from creating a single point of failure for your entire network which also does binary decoding of complex data structures. Unless you have an unlimited budget that raises the question of whether it’s likely that there are enough attacks which are simple enough for this approach to catch while still being damaging enough to matter relative to the other things you could do with the same budget and staffing.
