Hacker News new | ask | show | jobs
by mhils 3049 days ago
captn3m0 is proposing that you use the server name from the TLS ClientHello message (it's in the SNI extension) to determine if a website should be blocked, and if not, you don't perform a man-in-the-middle attack but just forward traffic. A major advantage is that you don't need to install the cert on the client unless you also want to display error messages for blacklisted sites.
1 comments
aniketpanjwani 3049 days ago
I see - it would be pretty nice to not have to install certificates. However, I kind of like mitmproxy, and I'd rather not get rid of it if I don't have to. A couple questions:

1. Would it be possible to do this through mitmproxy? You are the person to ask, after all :P .

2. Does this approach allow you to also filter sites which use certificate pinning? That seems more important, since it would be a practical advantage, rather than simply more convenient installation.

3. Could you filter at the URL level with SNI, e.g. block amazon.com/gp/video/*, but not block the rest of amazon.com? From what I've just started reading about SNI, you would only see "amazon.com" and nothing else.

link
mhils 3049 days ago
1. You can `--ignore` specific domains in mitmproxy, and since the ignore pattern is a regex you should be able to construct something that says "ignore everything but those domains" (the ones you then want to block).

2. I think this should answer it: http://docs.mitmproxy.org/en/stable/features/passthrough.htm...

3. No, you only see the hostname.

link