from Hacker News

Show HN: Privaxy – Adblocking / tracker blocking by MITMing HTTPS traffic

by pierrebarre on 5/19/22, 10:43 AM with 61 comments

  • by teddyh on 5/19/22, 12:20 PM

    I fear that MITMing ads is a dead end:

    1. IIUC, when SNI is encrypted (in TLS 1.3?) almost everything is out the window.

    2. Local devices can do DNS over HTTPS (DoH) and DNS over QUIC (DoQ) to look up their stuff, so DNS-based blocking will soon be obsolete.

    3. The browser itself is controlled by the biggest ad-vendor around (Google), so you’ll probably get no help there.

    The only solutions are:

    A. Use browsers not controlled by Google (i.e. not any Chrome fork either).

    B. Use only apps and devices locally which do not display ads. (This is, in a way, a generalization of A.)

    C. Legislate away the business models of ads and the media and “smart” devices which use ads.

    (A very similar argument can be made for user tracking and telemetry.)

  • by adamzochowski on 5/19/22, 1:18 PM

    There was a proxy, proxomitron in early 2000s, that allowed you to change the html/js as it went through the proxy. people used it for adblocking and removing page annoyances, like removing sounds / animated gifs / etc. Here is a list of random old filters people had built at one time: https://proxomitron.info/45/help/Default-Web-Filters.html

  • by mhils on 5/19/22, 1:26 PM

    This approach is a natural escalation step as DNS-based blocking is getting increasingly difficult. But it's not without its drawbacks. For example, browsers tend to have by far the best TLS implementations. By MITMing yourself, you essentially trust the proxy's TLS implementation instead, which will receive much less scrutiny. There's a lot of precedent for TLS vulnerabilities introduced by middleboxes. If browser extensions are possible they should be preferred. But the author does have a point that this can't be taken for granted anymore!

  • by Saint_Genet on 5/19/22, 12:47 PM

    Used to run privoxy back in the day, but stopped when adblock extensions came along. It was simply more convenient to manage adblocking from the browser rather than figuring out regexps to put in its config. Also, it didn't do https.

  • by geoffeg on 5/19/22, 3:12 PM

    I've really wanted a server-side uBlock Origin like this for a while now for devices that can't run uBlock (mobile, etc) or where uBlock is limited in functionality (Chrome). This looks like a great start.

  • by cal85 on 5/19/22, 2:27 PM

    What are the potential benefits of a ‘MITM’ approach, compared to other approaches like acting as DNS (like pihole)?

    Edit: I should have read the About section more carefully:

    > Privaxy is also way more capable than DNS-based blockers as it is able to operate directly on URLs and to inject resources into web pages.

    Makes sense. So it potentially has the fine-grained control of a browser-based blocker but also has good performance like a pihole. Sounds compelling. Now I’m interested to know why it’s not been done this way before? Is it just a hard problem to solve, and no one has attempted it yet?

  • by 2Gkashmiri on 5/19/22, 12:42 PM

    Why build something fresh and not join forces with pihole? Reinventing the wheel for a niche function doesn't get traction much.

    I don't know the reason why the devs of this project think they need to start afresh, there are already tools like Firefox+unlock origin+ pihole which should solve most if not all of the problems. Why not incorporate the defining feature into pihole so that people don't have to add more complexity?

    Do I switch off my pihole and set this up?

  • by randomhodler84 on 5/19/22, 4:41 PM

    I said it before and I will say it again, MITM for ad blocking is not a way forward.

    Cert pinning defeats this on 99% of consumer devices and introduces a security hole in the browser by subverting the trust model. Unless the proxy is doing 100% of the same thing the browser is doing, and it isn’t, you are weakening browser security too.

    Instrument the endpoint (browser plug-in) or control name resolution (filtering DNS server that uses DoH to prevent upstream filtering).

  • by sidpatil on 5/19/22, 1:20 PM

    Not to be confused with Privoxy: https://www.privoxy.org/

  • by hereme888 on 5/19/22, 8:23 PM

    Some people seem to be saying that apps and devices bypass your DNS settings.

    If I set NextDNS with DoT in my Android under the "private DNS" setting, and turn on the NextDNS setting with DNS rebinding protection, would the phone and some apps still find a way around it?

    I also use NetGuard, but it's more cumbersome and doesn't allow DoT.

  • by bilekas on 5/19/22, 12:29 PM

    > Privaxy is also way more capable than DNS-based blockers as it is able to operate directly on URLs and to inject resources into web pages.

    I'm not sure I understand why it would be more capable than a DNS blocker ?

    If it's just because you can inject into the traffic that's comparing apples and oranges ? Or am I missing something ?

  • by ThePhysicist on 5/19/22, 12:27 PM

    I really like this, built something similar in Golang a while ago (not open-source for various reasons). In general it's a good approach I think, you can also inject JS that can do additional stuff in the browser to suppress tracking/ads.

  • by pkulak on 5/19/22, 8:22 PM

    What does it mean when:

    "The service may not tolerate TLS interception."

    I figured the proxy would be making the request entirely independently. How would an external entity even know the data was later being passed on?

  • by idrock on 5/19/22, 5:33 PM

    I used to deploy privoxy everywhere and loved the ability to intercept and script just about everything... will def check it out.