However, neither of these programs supports Linux, and the only similar program hasn't been developed in over 7 years (http://svn.jklmnop.net/projects/SelfControl.html). So, I wrote Chomper. Any feedback is appreciated, but what's most useful is if you try installing it and tell me if you like it!
2. In both Firefox and Chrome, you can enter Private Browsing/Incognito mode, where extensions are automatically disabled, so you'll be able to evade blocks. It doesn't matter if you're in incognito mode while Chomper is running - you'll still get blocked.
3. It's usually trivially easy to disable or uninstall browser extensions. Chomper is marginally more difficult to disable when you have root privileges. However, unlike browser extensions, you have the option of tying your hands so that it is entirely impossible to remove a block (https://github.com/aniketpanjwani/chomper#hardcore-mode).
I'm not really sure what it means to use SNI and TCP-passthru instead of MITM. Could you expand a bit? In particular, what would be the advantage of this approach? I'm really a novice when it comes to computer networking - I learned everything I know on the topic in the process of creating Chomper.
captn3m0 is proposing that you use the server name from the TLS ClientHello message (it's in the SNI extension) to determine if a website should be blocked, and if not, you don't perform a man-in-the-middle attack but just forward traffic. A major advantage is that you don't need to install the cert on the client unless you also want to display error messages for blacklisted sites.
I see - it would be pretty nice to not have to install certificates. However, I kind of like mitmproxy, and I'd rather not get rid of it if I don't have to. A couple questions:
1. Would it be possible to do this through mitmproxy? You are the person to ask, after all :P .
2. Does this approach allow you to also filter sites which use certificate pinning? That seems more important, since it would be a practical advantage, rather than simply more convenient installation.
3. Could you filter at the URL level with SNI, e.g. block amazon.com/gp/video/*, but not block the rest of amazon.com? From what I've just started reading about SNI, you would only see "amazon.com" and nothing else.
1. You can `--ignore` specific domains in mitmproxy, and since the ignore pattern is a regex you should be able to construct something that says "ignore everything but those domains" (the ones you then want to block).
Asking the right questions. :-) This is based on mitmproxy, so upstream certificates should be verified by default. I haven't played around with Chomper, but we have extensive tests for this in mitmproxy.
To be clear, compared to browsers you do lose some advanced mechanisms such as HPKP, Certificate Transparency log enforcement, Extended Validation certs, or revocation checking. I don't want to downplay this, but I would argue that this is not too significant for the average user, whereas mitmproxy is often a substantial improvement over what other non-browser software is doing.
There are some websites which due to certificate pinning will not be properly filtered through the proxy (http://docs.mitmproxy.org/en/stable/certinstall.html#certifi...). For example, while Chomper is running, even if Dropbox is not on a blacklist, it probably will not properly sync. Eventually, I'll add the ability to make exceptions for these websites if desired.
It's been ad-hoc tested on my computer and on a fresh Linux installation. There are really no components right now worth unit testing, since it was really just a lot of configuration work. Once I start adding more complicated filter rules, I'll write formal unit tests.