by captn3m0 3049 days ago
Instead of a proxy that does MITM, how about one that uses SNI instead and does TCP-passthru if the domain is not on the blacklist?

I'm not really sure what it means to use SNI and TCP-passthru instead of MITM. Could you expand a bit? In particular, what would be the advantage of this approach? I'm really a novice when it comes to computer networking - I learned everything I know on the topic in the process of creating Chomper.
captn3m0 is proposing that you use the server name from the TLS ClientHello message (it's in the SNI extension) to determine if a website should be blocked, and if not, you don't perform a man-in-the-middle attack but just forward traffic. A major advantage is that you don't need to install the cert on the client unless you also want to display error messages for blacklisted sites.
I see - it would be pretty nice to not have to install certificates. However, I kind of like mitmproxy, and I'd rather not get rid of it if I don't have to. A couple questions:

1. Would it be possible to do this through mitmproxy? You are the person to ask, after all :P.

2. Does this approach allow you to also filter sites which use certificate pinning? That seems more important, since it would be a practical advantage, rather than simply more convenient installation.

3. Could you filter at the URL level with SNI, e.g. block amazon.com/gp/video/*, but not block the rest of amazon.com? From what I've just started reading about SNI, you would only see "amazon.com" and nothing else.

1. You can `--ignore` specific domains in mitmproxy, and since the ignore pattern is a regex you should be able to construct something that says "ignore everything but those domains" (the ones you then want to block).

2. I think this should answer it: http://docs.mitmproxy.org/en/stable/features/passthrough.htm...

3. No, you only see the hostname.
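For point 1 above, an added example (mine, not from the thread or from mitmproxy's own code) of building the "ignore everything but those domains" regex with a negative lookahead, plus a check of how it behaves on a few constructed host strings. It assumes the `--ignore` pattern of that era was matched against a `host:port` string with the SNI hostname as the host for TLS connections; verify that against the mitmproxy version you run.

```python
import re
from typing import Iterable


def build_ignore_pattern(blocked_hosts: Iterable[str], port: int = 443) -> str:
    """Regex that matches every host:port EXCEPT the blocked hosts and their subdomains.

    Anything it matches is ignored (passed through); only the blocked hosts fall
    through to interception. Hosts are escaped so dots are not wildcards, and the
    lookahead is anchored so 'notexample.com' does not match 'example.com'.
    """
    alts = "|".join(rf"([a-z0-9-]+\.)*{re.escape(h.lower())}" for h in blocked_hosts)
    return rf"^(?!({alts}):{port}$)"


def is_passthrough(pattern: str, hostport: str) -> bool:
    """True if the connection would be ignored (forwarded untouched)."""
    return re.search(pattern, hostport.lower()) is not None


def classify(pattern: str, hostports: Iterable[str]) -> dict:
    """Map each constructed host:port to 'passthrough' or 'intercept'."""
    return {hp: ("passthrough" if is_passthrough(pattern, hp) else "intercept") for hp in hostports}
```

Note the port: with `port=443` a plain-HTTP request to a blocked host (`example.com:80`) still matches the pattern and is passed through, so HTTP blocking needs its own rule.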