If you’re a very security-minded individual (or you use your computer for very sensitive tasks), before using Incoggo you may want to be aware that the application does the following:
Upon installation, Incoggo adds a file to your system’s sudoers.d folder that whitelists specific commands from requiring a sudo password to perform. (This allows Incoggo to manage your system proxy settings, kill certain processes on shutdown / restart, and perform tasks related to Incoggo’s auto-updating feature without requiring that a sudo password be prompted each time.)
Incoggo loads external Javascript files when you visit specific domains (i.e. those we filter paywalls / clear cookies on / clear storage on / etc.).
Incoggo overwrites a few system defaults (re: open page / process limits) at runtime for performance reasons.
Upon installation, Incoggo also installs a trusted root certificate in your system keystore. This is required for Incoggo’s advanced filtering functionality to work (unlike the issues above – which we intend to clean up shortly – this one is a hard requirement for the app to work).
It's hard for me to understand how and why you are developing an app and a website and all the other stuff for free, then I read your privacy policy and maybe I'm understand: https://incoggo.com/privacy/
Anyway thanks for the effort and the transparency, I'll consider to install it on a secondary browser just for read some articles.
TL;DR - we can unblock a lot of things with this approach that browser extensions can't; it also works across all browsers (esp. relevant for Safari users).
Digging in, there are a few reasons actually - first is, Chrome removes extensions with this kind of functionality from the Web Store constantly (only option would be to sideload).
Under the hood, Incoggo is also actually a local proxy (it adds a trusted root cert during the install process - we have some details on this / other potential issues / concerns on our forum). Reason for this being, Chrome extensions can't modify inbound requests in the way that's required to unblock several of the publications we support (NYT, Bloomberg, WaPo being key examples).
Sideloading would frankly make more sense to me. As it is, there are so many "gotchas" that I wouldn't be inclined to daily-drive this, especially since my Macbook sits in my drawer collecting dust. Plus, a lot of these security concerns aren't just minor whoopsies: adding lines to my sudoers file? That's not a practice that should be normalized for something like this. You're shaving an awful lot of yak for something that should have a more streamlined approach in the first place. If Safari causes you issues, I have no idea why you'd kowtow to a single browser with a fraction of the desktop browsing market share, throwing the rest of the options by the wayside. Maybe I'm coming at this from a different point of view, but you're cutting an awful lot of people out just to get an MVP that works for you. Hopefully some day Incog gets a more agnostic, safe implimentation.
Yeah that's totally fair & we try to be pretty upfront about the issues (FAQ + forum). There's definitely a lot of bubblegum and duct-tape on this at the moment - been putting a lot of work in to fix the bigger issues ASAP (been modeling a lot off the AdGuard approach / targeting parity).
Really making the longer-term bet here that with a lot of work, the underlying proxy infrastructure will enable a lot of really interesting possibilities, and the shorter-term bet that with this approach we can create the best / most effective adblocker for paywalls by far.
> it adds a trusted root cert during the install process
That's a non-starter for me. I do not want an application to be able to MITM all traffic.
Surely you just need to be able to MITM certain domains (the ones of the paywalled websites you unblock), can't you just create individual self-signed certificates for those and trust them one by one?
That's understandable - if you'd like a work around for now, the app has a 'pause' feature (which, if active, will cease to proxy traffic completely - you can just turn it on briefly as needed, then 'pause' it after loading the article).
The reason for the root cert is that in short order (after cleaning up our infra, etc.) we're actually planning to expand to a full-spectrum adblocker.
Thinking about possible cat and mouse between such a solution and advertisement strategists would keeping your tactics hidden slow down countering by such advert vendors ?
So as a few people have asked, this actually lets us use a variety of client-side unblocking techniques (like inbound request modification) that browser extensions can't (due to extension API limitations), and effectively unblock publications that the browser extensions don't (can't) — think major ones like WaPo and Bloomberg. The app also works across all browsers, not just Chrome / Firefox. As an aside, due to limitations caused by how cellular networks handle IPs, it's next to impossible for these sites to implement IP-based metering without severe adverse side effects, but the proxy does give very fine-grained control over how the user is presented to the end-site (including apparent IP address).
Right now, we don't make money or monetize at all, and are still exploring options. For the foreseeable future, we're 100% focused on growth and plan to raise VC funding to sustain operations. Ultimately, we want to find a monetization solution that works well for everyone and keeps our interests aligned with the best interest of our users.
This is really cool, but I don't really get why full MITM is needed when all the paywall code is executed in the browser.
If news sites started using methods outside the browser for determining if you have access, like allowlisting IP addresses, how could this bypass that?
Projects like bypass-paywalls-chrome [1] (which works on firefox) get the job done just fine. Is there really a scenario where this is needed to unblock a website?
Additionally, parts of the privacy policy strongly implying browsing history is collected and sold - although I may have misinterpreted this. My apologies if so.
"Information We Collect When You Use... the Desktop Application... [we collect] your web browsing history (URLs that you visit)... [and] WE USE THE INFORMATION WE COLLECT... To generate and share aggregated, anonymized, or de-identified information about the web browsing activity of all of our users with our partners and other third parties for marketing, advertising, research, or similar purposes" [2].
It's a 'local proxy' - meaning it runs entirely on your device, and filters network traffic. Beyond this, there are a wide variety of client-side filtering techniques that we use; we mix and match these based on the specific implementation of each publication (they're all pretty different in practice).
I really hope they unblock Steam too, so I can click "play now" and not have to pay for the game. Spotify blocking would be nice too, since why should I have to pay for a digital asset? All these roadblocks just make it harder for me to access their content. What a slog!
From https://incoggo.com/faq/