All of this seems to assume you always own the server side, which you pretty much don't. Even on page 5 with the summary of the solution it doesn't touch that subject.
You'd think that if you own the server and the client anyway, you'd just capture it right there if you need to.
As for just the DH 'server' doing key distribution, that's something we already know how to do and doesn't require "we install nginx on a random server and call it an appliance" style vendors.
It seems to be intentional exfiltration of key material (either bounded DH keypairs rather than ephemeral or, more likely, exfil of the symmetric channel key).
This is an odd euphemism. A network that uses plaintext isn't "visible" - I'd use a word like "readable" or "inspectable".
For encrypted networks, MITMing the encryption breaks the security. That's what it's for. TLS 1.3 is supposed to prevent that; circumventing that (as NIST proposes) increases the attack surface. NIST's proposals seem to amount to generating and distributing ephemeral keys over the internal network; but I thought best practice was to keep keys and cryptographic operations inside an HSM.
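The two "visibility" mechanisms the comments above sketch (a bounded, reused server DH key handed to the inspection device, or export of the symmetric channel key itself) can be modelled in a few lines. This is an added example, not code from any commenter or from a NIST document: a toy finite-field DH handshake over RFC 3526 group 14 (the prime literal is an assumed transcription; any safe prime gives the same algebra) with an HKDF-shaped derivation, and a passive inspector that only ever sees the public values on the wire plus whatever key material the scheme chooses to leak to it. It is not TLS 1.3's real key schedule.

```python
"""Toy model of why TLS 1.3 'visibility' requires leaking key material.

Constructed for this example; not TLS and not any vendor's scheme.
"""
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14 (2048-bit). Assumed transcription: the point of the
# example (g^ab == g^ba, and who holds a/b) holds for any modulus.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8  # 256


def keypair():
    """Fresh DH private scalar and its public value."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def hkdf(shared_secret, transcript):
    """HKDF-Extract then one Expand step (RFC 5869 shape) -> 32-byte key."""
    ikm = shared_secret.to_bytes(NBYTES, "big")
    prk = hmac.new(b"toy-salt", ikm, hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()


def handshake(server_priv=None):
    """One client/server exchange.

    server_priv=None: server uses a fresh ephemeral key (TLS 1.3 as designed).
    Otherwise the server reuses the supplied 'bounded' key across sessions.
    Returns what a passive observer sees (public values) plus each side's key.
    """
    c_priv, c_pub = keypair()
    if server_priv is None:
        server_priv, s_pub = keypair()
    else:
        s_pub = pow(G, server_priv, P)
    transcript = c_pub.to_bytes(NBYTES, "big") + s_pub.to_bytes(NBYTES, "big")
    return {
        "c_pub": c_pub,
        "s_pub": s_pub,
        "transcript": transcript,
        "client_key": hkdf(pow(s_pub, c_priv, P), transcript),
        "server_key": hkdf(pow(c_pub, server_priv, P), transcript),
    }


class Inspector:
    """Passive middlebox: records the wire, plus any key material leaked to it."""

    def __init__(self):
        self.dh_privs = {}   # server public value -> private scalar (static-key scheme)
        self.exported = {}   # transcript -> session key (channel-key export scheme)

    def learn_server_dh_key(self, priv):
        self.dh_privs[pow(G, priv, P)] = priv

    def learn_exported_key(self, transcript, key):
        self.exported[transcript] = key

    def recover(self, session):
        """Session key if the inspector can derive it, else None."""
        if session["transcript"] in self.exported:
            return self.exported[session["transcript"]]
        priv = self.dh_privs.get(session["s_pub"])
        if priv is None:
            return None  # only public values seen: no way to compute g^ab
        return hkdf(pow(session["c_pub"], priv, P), session["transcript"])


def demo():
    insp = Inspector()
    # (1) Ephemeral server keys: nothing on the wire lets the inspector in.
    ephemeral = [handshake() for _ in range(3)]
    # (2) Bounded server DH key, recorded sessions first, key distributed later:
    #     every session under that key becomes readable, past ones included.
    static_priv, _ = keypair()
    static = [handshake(static_priv) for _ in range(3)]
    insp.learn_server_dh_key(static_priv)
    # (3) Export of the symmetric channel key itself (per session).
    exported = handshake()
    insp.learn_exported_key(exported["transcript"], exported["server_key"])
    return {
        "parties_agree": all(s["client_key"] == s["server_key"]
                             for s in ephemeral + static + [exported]),
        "ephemeral_recovered": [insp.recover(s) == s["client_key"] for s in ephemeral],
        "static_recovered": [insp.recover(s) == s["client_key"] for s in static],
        "export_recovered": insp.recover(exported) == exported["client_key"],
    }


if __name__ == "__main__":
    print(demo())
```

Case (2) is the forward-secrecy loss: the inspector learned the bounded key after the three sessions were recorded and still decrypts all of them, so a later compromise of that key (or of the distribution channel carrying it) retroactively exposes every session it served. Case (3) leaks only one session per exported key but still requires shipping the channel secret off the endpoint, which is the exfiltration the comments above object to.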
Isn't the proper solution to remove MITMing from the compliance rules, stop trying to detect C2 and malware at the router, and instead secure the target servers?