You know what a lot of middleboxes do? They block ads/malware. Shocking that the two largest ad companies are trying to push standards which break things that block their ads.
This isn’t as much about stopping middleboxes on your perimeter that you fully control, but a lot about middleboxes between you and the destination that are outside of your or the destination's control.
Those are often used to add ads rather than block them.
If you yourself want to block ads, do so on your machine (where traffic has already been decrypted) or on your router (which will then decrypt traffic for you and re-encrypt it with its certificate that you have added to your machine).
That's news to me, I've never heard of a widespread use of middleboxes for blocking ads. Which boxes are these and how did you know that there are a lot of them deployed?
So, an example of a middlebox that's exceedingly common is a "web security gateway", which is your average web filter and logger in a corporate environment. Obviously it logs employee web activity, blocks access to adult websites, and maintains its own malware definitions to try and block malicious content as well. It's quite common for these to also block domains used by ads and popups by default. When these sorts of devices are configured to inspect HTTPS, this adds a significant additional complexity: Network PCs need to be configured to permit a certificate from the box for all domains, which intercepts, decrypts, and re-encrypts all traffic.
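The re-signing described in the two comments above (a router or gateway decrypting and re-encrypting under its own CA that the client has been told to trust) leaves a client-side tell: the issuer of the leaf certificate you receive is the gateway's CA, not the public CA that issued the site's real certificate. The following is an added example, not code from any commenter or product in this thread. It classifies a certificate in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and, more generally, compares the presented certificate against a SHA-256 fingerprint captured from an uninspected vantage point, which catches interception even when the gateway CA's name is unknown. The CA name `Corp Web Gateway CA`, the sample certificate records and `SAMPLE_DER` are constructed for the example.

```python
"""Detect HTTPS inspection from the client side (added example).

A gateway that inspects HTTPS terminates the TLS session and presents a
certificate minted under its own CA. Two checks expose that:
  1. the leaf's issuer names the inspection CA instead of a public CA;
  2. the leaf's fingerprint differs from one captured outside the network.
"""
import hashlib
import socket
import ssl

# Constructed placeholder; substitute the name your gateway's CA actually uses.
INSPECTION_CA_NAMES = {"Corp Web Gateway CA"}


def rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of the nested RDN tuples
    that getpeercert() uses for the 'issuer' and 'subject' fields."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_issuer(peer_cert):
    """Return ('intercepted', issuer_cn) or ('direct', issuer_cn)."""
    issuer = peer_cert.get("issuer", ())
    cn = rdn_value(issuer, "commonName")
    org = rdn_value(issuer, "organizationName")
    if cn in INSPECTION_CA_NAMES or org in INSPECTION_CA_NAMES:
        return "intercepted", cn
    return "direct", cn


def pin_matches(der_cert, expected_sha256_hex):
    """Compare the certificate actually presented with a fingerprint captured
    from an uninspected vantage point. A mismatch means something between you
    and the site re-signed it, whatever name its CA carries."""
    expected = expected_sha256_hex.lower().replace(":", "")
    return hashlib.sha256(der_cert).hexdigest() == expected


def probe(host, port=443, timeout=5, expected_sha256_hex=None):
    """Live check. create_default_context() uses the OS trust store, so if the
    gateway CA has been installed the handshake succeeds and the issuer and
    fingerprint reveal the interception instead of a verification error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            verdict, issuer = classify_issuer(tls.getpeercert())
            pinned = None
            if expected_sha256_hex:
                der = tls.getpeercert(binary_form=True)
                pinned = pin_matches(der, expected_sha256_hex)
            return verdict, issuer, pinned


# Constructed getpeercert()-shaped records for offline use.
DIRECT_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Corp Web Gateway CA"),)),
}
# Constructed stand-in for DER bytes, with the pin you would have recorded.
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    print(classify_issuer(DIRECT_CERT))       # ('direct', 'Example Public CA R3')
    print(classify_issuer(INTERCEPTED_CERT))  # ('intercepted', 'Corp Web Gateway CA')
    print(pin_matches(SAMPLE_DER, SAMPLE_PIN))  # True
```

The name-based check only works if you know the gateway's CA name; the fingerprint comparison is the one to rely on when you do not, because the inspecting device cannot reproduce the original certificate's signature.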
Of course, the same type of technology a corporation might use to manage their network could be used by a state actor or a hostile ISP.
Oh, alright. I'm behind one of those right now, but never used any that blocked ads. I wonder how prevalent that is that Google would devote significant effort into developing a whole replacement for TCP just to get people behind them to watch ads.
Plus seems like those companies will be able to block QUIC for the foreseeable future; disabling HTTP(S) will probably take as long as disabling IPv4.
Yeah, I've got a policy configured that disables QUIC in Chrome, as it also makes it harder for the firewall to do its job. Firewalls track TCP connections in order to determine if inbound traffic is a response to a legitimate request. Doesn't work on UDP-based traffic.
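To make the point in the comment above concrete: a stateful firewall can tie an inbound TCP packet to an outbound request because the three-way handshake gives it states to track, while a UDP flow (which is what QUIC looks like on the wire) offers nothing beyond "we sent something to this 4-tuple recently". The following is an added example written for this thread, not code from any firewall product; it is a toy connection tracker with a constructed packet sequence, and the 30-second UDP idle timeout is an assumed value.

```python
"""Toy stateful connection tracker (added example).

TCP: an outbound SYN opens an entry, SYN-ACK and ACK move it to ESTABLISHED,
and inbound packets are allowed only when they belong to a tracked flow.
UDP: no handshake exists, so the best the firewall can do is remember that an
outbound datagram went to a 4-tuple and accept anything from it for a while.
"""
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # assumed idle timeout for UDP pseudo-state, in seconds


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)
    direction: str   # "out" = from LAN to Internet, "in" = the reverse
    flags: str = ""  # TCP flags: "S", "SA", "A"
    ts: float = 0.0  # timestamp in seconds


class ConnTracker:
    def __init__(self):
        self.tcp = {}  # (lan_endpoint, wan_endpoint) -> TCP state
        self.udp = {}  # (lan_endpoint, wan_endpoint) -> last-seen timestamp

    @staticmethod
    def key(pkt):
        # Normalise so both directions of a flow hit the same entry.
        return (pkt.src, pkt.dst) if pkt.direction == "out" else (pkt.dst, pkt.src)

    def decide(self, pkt):
        k = self.key(pkt)
        return self._tcp(pkt, k) if pkt.proto == "tcp" else self._udp(pkt, k)

    def _tcp(self, pkt, k):
        state = self.tcp.get(k)
        if pkt.direction == "out":
            if pkt.flags == "S" and state in (None, "SYN_SENT"):
                self.tcp[k] = "SYN_SENT"  # new connection (or SYN retransmit)
                return "allow"
            if state == "SYN_RECV" and pkt.flags == "A":
                self.tcp[k] = "ESTABLISHED"  # handshake complete
                return "allow"
            return "allow" if state == "ESTABLISHED" else "drop"
        # Inbound: only a reply to our SYN, or data on an established flow.
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.tcp[k] = "SYN_RECV"
            return "allow"
        return "allow" if state == "ESTABLISHED" else "drop"

    def _udp(self, pkt, k):
        if pkt.direction == "out":
            self.udp[k] = pkt.ts
            return "allow"
        last = self.udp.get(k)
        if last is not None and pkt.ts - last <= UDP_TIMEOUT:
            self.udp[k] = pkt.ts  # any packet on the 4-tuple refreshes the entry
            return "allow"        # cannot tell a genuine reply from anything else
        return "drop"


def run_scenario():
    """Constructed packet sequence; returns the tracker's decision per packet."""
    t = ConnTracker()
    lan = ("10.0.0.5", 51000)
    web = ("203.0.113.10", 443)
    dns = ("203.0.113.53", 53)
    other = ("198.51.100.7", 443)
    pkts = [
        Packet("tcp", lan, web, "out", "S"),     # handshake step 1
        Packet("tcp", web, lan, "in", "SA"),     # step 2: matches SYN_SENT
        Packet("tcp", lan, web, "out", "A"),     # step 3: ESTABLISHED
        Packet("tcp", web, lan, "in", "A"),      # data on tracked flow
        Packet("tcp", other, lan, "in", "S"),    # unsolicited inbound SYN
        Packet("udp", lan, dns, "out", ts=0.0),  # a query goes out
        Packet("udp", dns, lan, "in", ts=1.0),   # plausible reply
        Packet("udp", dns, lan, "in", ts=2.0),   # second packet: also accepted
        Packet("udp", dns, lan, "in", ts=100.0), # long after the last one
    ]
    return [t.decide(p) for p in pkts]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The UDP branch shows the gap the comment is pointing at: after one outbound datagram, the firewall accepts every inbound packet on that 4-tuple until the timer lapses, because nothing in the protocol lets it distinguish a real response from anything else arriving from that address and port.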
I'm aware, I use a Pi-hole at home. :) Web filtering hardware in corporate environments is a fair bit more sophisticated and contains a lot of other features.
Web security gateways at enterprises should have been explicit proxies from the start, this whole transparent proxy business has been a disaster for protocol development.