Privaxy: Next generation tracker and advertisement blocker (github.com/barre)
20 points by hosteur on Aug 27, 2023 | 15 comments


Privaxy is a MITM HTTP(s) proxy that sits in between HTTP(s) talking applications, such as a web browser and HTTP servers, such as those serving websites.

By establishing a two-way tunnel between both ends, Privaxy is able to block network requests based on URL patterns and to inject scripts as well as styles into HTML documents.

Privaxy is not limited by the browser’s APIs and can operate with any HTTP traffic, not only the traffic flowing from web browsers.

and built in Rust!


Safety-wise it better be solid, otherwise you might end up with an ad-blocker-soon-to-be-spyware


How does it handle encrypted traffic?


Seems to be man-in-the-middle. The server gets the files as if it were a browser, then re-encrypts using the certificate authority it requires you to install, to keep your browser happy.


I've never understood how/why encryption is the answer to man-in-the-middle.

Seems like this is proof that it's not.


> Seems like this is proof that it's not.

How so?

In order for this MITM to work, you must hand over the encryption certificates, so to block MITM, don't expose your private certs.

> I've never understood how/why encryption is the answer to man-in-the-middle.

No encryption = Bob ---> Attacker (reads files) --> Alice

Encryption = Bob ---> Attacker (cannot read files) ---> Alice


So a full MITM like Privoxy with access to the browser TLS handshake can not obtain or access or alter or replace the certs needed to decrypt web browser traffic?

In other words, it's not possible for MITM (like Privoxy) to operate in a transparent manner.


You still need to install the certs and some apps / programs will use cert pinning (trusting only the certs they are shipped with).


So when my browser uses TLS to access Hacker News, certs are somehow installed so that a MITM listening to the TLS handshake (like Privoxy) would not have access to them and be able to decrypt the communication?


The whole encrypted internet relies on a chain of trust for certs, and the public keys are already publicly available for every client to validate a server's keys and generate a NEW session encryption key (handshake). Looks like this project is essentially the same as running a MITM on yourself. It's intended to be set up on your own server, so you can generate and install your own certs to re-encrypt all traffic between YOUR server and client (i.e. you take ownership of the last leg in the chain of trust between your server and client). The website simply views your server as the only terminating client.

This is why it's recommended to use a client VPN on gateways you don't own, as MITM software can be added to any server to operate the same way (though they need to obtain the private keys of certs your browser already trusts, or silently install new ones to prevent your clients from alerting you).


Encryption alone isn't, you need the full CIA triad. I'll get on my high horse and add that questions/assertions like yours are the reason we need education/diplomas and that "I learned on my own/on the job" will never be enough.


Can you get down from your high horse long enough to answer a simple question --- can a MITM like Privoxy operate in a transparent manner and decrypt TLS traffic in order to block ads?

Possible or not?

If Privoxy can do this, why wouldn't any other unknown/hostile MITM be able to do the same?


> If Privoxy can do this, why wouldn't any other unknown/hostile MITM be able to do the same?

Because as with traditional HTTPS caching schemes like Squid, it requires you to first install a Certificate Authority's public key into your application, browser, or OS's Certificate Store, which (barring an already compromised system) an attacker presumably can't just.. do.

FWIW, I learned that first-hand configuring Squid when I used to run my own BSD routers and have seen the situation talked to death online in any thread that mentions OpnSense or a PiHole; no degree is necessary for exposure. We all have our blind spots, and what matters is a willingness to be in over your head while you do the hard work of learning your way around.

This includes stumbling in the dark until you learn how you learn in the first place.


I'm struggling to understand your highly educated response --- but what I think you're trying to say is that a generic, transparent proxy with TLS termination is simply not technically possible in your opinion?

Something like the below simply can not be used to implement a MITM?

https://www.charlesproxy.com/

Because if it can, the entire concept of using TLS to protect against MITM is pure BS --- in my uneducated opinion.


> "can not be used to implement a MITM"

Anything is possible if you give the permissions and certs.

The Charles proxy CAN act as a MITM, but you have to install Custom Certs on your computer (requires admin permissions).

This is similar to how a password set by someone else won't protect your documents from that person. Don't let them set the password on your computer.

"In Charles go to the Help menu and choose "SSL Proxying > Install Charles Root Certificate". Keychain Access will open. Find the "Charles Proxy..." entry, and double-click to get info on it. Expand the "Trust" section, and beside "When using this certificate" change it from "Use System Defaults" to "Always Trust". Then close the certificate info window, and you will be prompted for your Administrator password to update the system trust settings." [1]

1: https://www.charlesproxy.com/documentation/using-charles/ssl...
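
The point the replies above converge on, reproduced offline with the openssl CLI: a certificate minted by an intercepting proxy is rejected until the proxy's CA is added to the trust store, and an application that pins the server's certificate still refuses it afterwards. This is an added example, not part of any comment and not Privaxy's or Charles's code; the CA names, `example.test` and the helper functions are constructed for the demo.

```shell
#!/bin/sh
# Constructed lab: every name here (public-root, proxy-root, example.test) is made up.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=x\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"

# mkca NAME: self-signed root CA -> $d/NAME.key, $d/NAME.pem
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
    -subj "/CN=$1" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

# issue CA LEAF: certificate for example.test signed by CA -> $d/LEAF.pem
issue() {
  openssl req -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=example.test" \
    -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null
  openssl x509 -req -in "$d/$2.csr" -CA "$d/$1.pem" -CAkey "$d/$1.key" \
    -CAcreateserial -days 1 -out "$d/$2.pem" 2>/dev/null
}

# trusts STORE LEAF: succeeds only if LEAF chains to a root present in STORE
trusts() { openssl verify -CAfile "$d/$1.pem" "$d/$2.pem" >/dev/null 2>&1; }

# fingerprint CERT: SHA-256 fingerprint of the certificate
fingerprint() { openssl x509 -in "$d/$1.pem" -noout -fingerprint -sha256; }

# pin_ok PINNED PRESENTED: certificate pinning, an exact match with the shipped cert
pin_ok() { [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; }

check() { if "$@"; then echo "accept: $*"; else echo "REJECT: $*"; fi; }

mkca public-root; mkca proxy-root
issue public-root genuine      # what the real server presents
issue proxy-root  forged       # what the intercepting proxy presents instead
cat "$d/public-root.pem" "$d/proxy-root.pem" > "$d/store-with-proxy.pem"

check trusts public-root genuine        # ordinary HTTPS: chain is trusted
check trusts public-root forged         # uninvited interception: validation fails
check trusts store-with-proxy forged    # user installed the proxy CA: now accepted
check pin_ok genuine forged             # pinning app still rejects the proxy's cert
```

The same `openssl verify -CAfile` check, pointed at an exported copy of a machine's trust store, is a quick way to audit whether an interception CA has been added to it.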



