by heroprotagonist 2878 days ago
I wonder how tricky it'd be to serve a local copy of google analytics code that simply didn't report back to them. Or perhaps just redirect outgoing requests from GA to some internal resource that collects (for yourself instead of google) or drops the data and returns an expected response.

Then there would be no need to unblock their trackers to make websites function.

3 comments

Due to SSL, it wouldn't be easy: you'd need to have SSL certs for some google.com subdomains, and they'd need to be trusted by every device. Blocking the traffic is much easier.

You're right that you'd need to trust the certificates on each machine, but really, you only need to trust a single CA on each device. With an SSL-replacing proxy you create and give control of a CA certificate and key to the proxy and set it between your computer and the network. It replaces the certificate of any (or some small subset if you want to specifically target) site with its own on the fly. Then it can inspect and manipulate the contents of that communication. If the machine trusts the CA, and the CA trusts the certificate (because it replaced and signed the cert itself.. so not so much trust, but.. you get the idea. You could probably limit it to certs signed by a CA known by your browsers), the machines would trust the certificates.

Enforcing use of the proxy could even be automatic if your router supports it. E.g., LEDE can redirect all traffic outbound to WAN on 443 through a specific endpoint (your MITM proxy or pi-hole or whatever).

It might be problematic for guests who have never seen the CA before, but that's what guest networks are for, I guess.

I've seen this technique used by some large multinational and security-sensitive companies to help monitor data egress from their networks. Probably via some overly-expensive software, but the software doesn't have to be expensive. They tend to have better automation systems than your typical home user, though.

However, for a small network, it's fairly straightforward to get a CA certificate onto each device. If it's you or a few people on individual machines, you can add it manually in less than a minute on each. Or for the larger case there are automation tools.

One such open source project for an SSL replacing proxy:

https://mitmproxy.org/

> Write powerful addons and script mitmproxy with mitmdump. The scripting API offers full control over mitmproxy and makes it possible to automatically modify messages, redirect traffic, visualize messages, or implement custom commands

I'm sure there's a way to make this live side-by-side with pi-hole or something similar, but I unfortunately have other things on my plate.. Would make an interesting weekend project someday, though.
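
The setup discussed in this thread, as an added example that is not part of any comment here and not code from the mitmproxy project: a mitmproxy addon that answers Google Analytics requests locally on a network you administer, so pages keep working while nothing is reported upstream. The host list, paths, stub script and file name `ga_stub.py` are assumptions to adjust to the traffic you actually observe; it presumes mitmproxy 7 or later and that the proxy's CA is already trusted on the client.

```python
"""Added example. Run with: mitmdump -s ga_stub.py"""

# Assumption: hosts and paths used by classic Google Analytics.
GA_HOSTS = ("google-analytics.com",)
SCRIPT_PATHS = ("/analytics.js", "/ga.js")
BEACON_PATHS = ("/collect", "/r/collect", "/j/collect", "/__utm.gif")

# No-op replacement for the tracking script, so pages that call ga() do not break.
STUB_JS = b"window.ga=window.ga||function(){};"

# 43-byte transparent 1x1 GIF, the kind of body a tracking beacon expects back.
PIXEL = bytes.fromhex(
    "474946383961" "01000100" "800000" "000000ffffff"
    "21f9040100000000" "2c000000000100010000" "0202440100" "3b"
)


def is_ga_host(host):
    """Match the domain or a true subdomain, never a look-alike suffix."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in GA_HOSTS)


def classify(host, path):
    """Return 'script', 'beacon' or None for a request."""
    if not is_ga_host(host):
        return None
    path = path.split("?", 1)[0]  # ignore the query string
    if path in SCRIPT_PATHS:
        return "script"
    if path in BEACON_PATHS:
        return "beacon"
    return None


def request(flow):
    """mitmproxy hook: called for each client request the proxy has decrypted."""
    # Imported lazily so classify() can be tested without mitmproxy installed.
    from mitmproxy import http

    kind = classify(flow.request.pretty_host, flow.request.path)
    if kind == "script":
        flow.response = http.Response.make(
            200, STUB_JS, {"Content-Type": "text/javascript"})
    elif kind == "beacon":
        flow.response = http.Response.make(
            200, PIXEL, {"Content-Type": "image/gif"})
    # Anything else is forwarded upstream unchanged.
```

Setting `flow.response` inside the `request` hook makes mitmproxy reply itself without contacting the upstream server.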

The only way to do it is to have admin/root on all the devices so you can install your own SSL root certs and "steal" google's domain internally with suitable certs.

It can be done but not in a BYOD situation.

Sounds a little like the “decentraleyes” extension...

https://git.synz.io/Synzvato/decentraleyes