by aniketpanjwani 3049 days ago
I'm not really sure what it means to use SNI and TCP-passthru instead of MITM. Could you expand a bit? In particular, what would be the advantage of this approach? I'm really a novice when it comes to computer networking - I learned everything I know on the topic in the process of creating Chomper.

captn3m0 is proposing that you use the server name from the TLS ClientHello message (it's in the SNI extension) to determine if a website should be blocked, and if not, you don't perform a man-in-the-middle attack but just forward traffic. A major advantage is that you don't need to install the cert on the client unless you also want to display error messages for blacklisted sites.
I see - it would be pretty nice to not have to install certificates. However, I kind of like mitmproxy, and I'd rather not get rid of it if I don't have to. A couple questions:

1. Would it be possible to do this through mitmproxy? You are the person to ask, after all :P.

2. Does this approach allow you to also filter sites which use certificate pinning? That seems more important, since it would be a practical advantage, rather than simply more convenient installation.

3. Could you filter at the URL level with SNI, e.g. block amazon.com/gp/video/*, but not block the rest of amazon.com? From what I've just started reading about SNI, you would only see "amazon.com" and nothing else.

1. You can `--ignore` specific domains in mitmproxy, and since the ignore pattern is a regex you should be able to construct something that says "ignore everything but those domains" (the ones you then want to block).

2. I think this should answer it: http://docs.mitmproxy.org/en/stable/features/passthrough.htm...

3. No, you only see the hostname.
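The "ignore everything but those domains" pattern suggested in answer 1 is easy to get subtly wrong (subdomains, the port suffix, look-alike names). The block below is an added example, not from the thread or from mitmproxy itself: it builds that inverted pattern with a negative lookahead and checks it against a few constructed `host:port` strings in plain Python. It assumes, as the mitmproxy docs of that era indicate with examples like `^example\.com:443$`, that the ignore regex is matched against a `host:port` string; the function names are this example's own, and nothing here invokes mitmproxy.

```python
import re
from typing import Dict, Iterable


def ignore_all_but(blocked: Iterable[str]) -> str:
    """Build an ignore pattern that matches every host:port EXCEPT the blocked domains
    and their subdomains. Ignored connections are passed through untouched; only the
    non-matching ones, i.e. the blocked domains, reach the interception path."""
    alts = "|".join(re.escape(d.lower()) for d in blocked)
    # (?:[^:]+\.)?  optional subdomain labels, which cannot run past the ':' of the port
    # :\d+$         the port must follow the domain directly, so "amazon.com.evil.example" is not caught
    return r"^(?!(?:[^:]+\.)?(?:%s):\d+$).*$" % alts


def is_ignored(pattern: str, hostport: str) -> bool:
    # re.search rather than re.match so the result is the same whichever one the
    # consumer of the pattern uses; the pattern is anchored on both ends anyway.
    return re.search(pattern, hostport.lower()) is not None


def triage(blocked: Iterable[str], hostports: Iterable[str]) -> Dict[str, str]:
    """Map each constructed host:port to the action the inverted ignore pattern implies."""
    pat = ignore_all_but(blocked)
    return {hp: ("ignore" if is_ignored(pat, hp) else "intercept") for hp in hostports}


if __name__ == "__main__":
    # Constructed sample host:port strings, not real traffic.
    sample = [
        "www.amazon.com:443", "amazon.com:443", "amazon.com:80",
        "notamazon.com:443", "amazon.com.evil.example:443", "news.ycombinator.com:443",
    ]
    for hp, action in triage(["amazon.com", "netflix.com"], sample).items():
        print(f"{hp:32} {action}")
```

Note that this only changes which connections mitmproxy intercepts; the blocked domains still get the full MITM, so the client still needs the CA certificate for those, and a pinned site will still fail there rather than be silently blocked.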