zlacker

6 comments
1. labcom+(OP) 2023-02-23 23:42:25
But:

1. couldn’t you “just” (yea yea I know) install a cert on all your devices and force all 443 traffic through a proxy (like some corporate networks do)?

2. (Something I’ve been meaning to get around to trying for a while) default-block outgoing connections unless the external host was recently resolved for the corresponding internal host via your internal resolver? That seems like it would kill anything that tries to avoid your ad-blocking resolver. It seems like that might block hard-coded addresses too, but that could be a good thing..

replies(2): >>JohnFe+a8 >>Sophir+k8
2. JohnFe+a8 2023-02-24 00:32:35
>>labcom+(OP)
> force all 443 traffic though a proxy

That's insufficient. There's nothing stopping a web site (or ad on a website) from forming its own DoH request that bypasses the browser and the port. It can be done entirely within the HTTPS stream.

replies(1): >>tsimio+HS
3. Sophir+k8 2023-02-24 00:34:12
>>labcom+(OP)
The biggest problem with 1) is that you lose the ability for your browser to perform checks on the certificate. If the certificate fails, the only option is to deny the connection. (Or fake it and return an error page but that can have unintended consequences.)

And with 2), that would work, though you'd probably want to whitelist port 53 so that you can resolve names in the first place. Sounds like it should be effective, though.

replies(2): >>d110af+4v >>zo1+Up1
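The egress rule the OP sketches in point 2, plus Sophir's port-53 caveat, simulated as an added example (this is not code from anyone in the thread). Everything in it is an assumption: the resolver log format, the 10.0.0.53 resolver address, the binding of each learned IP to the client that asked for it, the grace period past the TTL, and the choice to allow plain port 53 only to the internal resolver rather than to any destination (allowing 53 everywhere would let a client simply ask an outside resolver).

```python
# Added example: "default-deny egress unless the internal resolver recently
# returned that IP to that client". Addresses, log format and timings are constructed.
import ipaddress

RESOLVER_IP = ipaddress.ip_address("10.0.0.53")  # assumed internal ad-blocking resolver
DNS_PORT = 53
GRACE_SECONDS = 30  # assumed slack past the record TTL so a connection made just as
                    # the cached answer expires is not cut off

# Networks that are not "external": answers inside them never create an egress rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed resolver log, one answer per line:
# "<epoch> <client> <qname> <qtype> <answer> ttl <seconds>"
SAMPLE_RESOLVER_LOG = """\
1677196800 10.0.0.20 cdn.example.net A 198.51.100.7 ttl 300
1677196800 10.0.0.20 ads.example.net A 0.0.0.0 ttl 60
1677196805 10.0.0.20 api.example.org AAAA 2001:db8::10 ttl 120
"""


def is_learnable(answer):
    """Sinkholed (0.0.0.0 / ::), loopback and internal answers are not egress targets."""
    if answer.is_unspecified or answer.is_loopback:
        return False
    return not any(answer in net for net in INTERNAL_NETS)


class ResolverGate:
    """(client, answered IP) -> expiry epoch; consulted for every new outbound flow."""

    def __init__(self, resolver_ip=RESOLVER_IP):
        self.resolver_ip = resolver_ip
        self.learned = {}

    def learn(self, client, answer, ttl, now):
        answer = ipaddress.ip_address(answer)
        if is_learnable(answer):
            self.learned[(ipaddress.ip_address(client), answer)] = now + ttl + GRACE_SECONDS

    def ingest_log(self, text):
        for line in text.splitlines():
            parts = line.split()
            if len(parts) != 7:
                continue
            ts, client, _qname, qtype, answer, _kw, ttl = parts
            if qtype in ("A", "AAAA"):
                self.learn(client, answer, int(ttl), int(ts))

    def decide(self, client, dst, port, now):
        client, dst = ipaddress.ip_address(client), ipaddress.ip_address(dst)
        # Plain DNS is allowed only to the internal resolver. Allowing port 53 to
        # anything would let a client query an outside resolver and skip the blocklist.
        if port == DNS_PORT:
            return "allow" if dst == self.resolver_ip else "deny"
        expiry = self.learned.get((client, dst))
        if expiry is not None and now <= expiry:
            return "allow"
        # Never resolved through our resolver (hard-coded IP, DoH/DoT answer,
        # another client's lookup) or the cached answer has expired.
        return "deny"


def run_scenario():
    """Replay constructed connection attempts against the log above."""
    gate = ResolverGate()
    gate.ingest_log(SAMPLE_RESOLVER_LOG)
    flows = [
        ("10.0.0.20", "198.51.100.7", 443, 1677196900),  # answered 100 s ago -> allow
        ("10.0.0.20", "2001:db8::10", 443, 1677196900),  # AAAA answer -> allow
        ("10.0.0.20", "203.0.113.9", 443, 1677196900),   # hard-coded IP, never resolved -> deny
        ("10.0.0.21", "198.51.100.7", 443, 1677196900),  # resolved by a different client -> deny
        ("10.0.0.20", "10.0.0.53", 53, 1677196900),      # internal resolver -> allow
        ("10.0.0.20", "203.0.113.53", 53, 1677196900),   # outside resolver on 53 -> deny
        ("10.0.0.20", "198.51.100.7", 443, 1677197131),  # TTL + grace expired -> deny
    ]
    return [gate.decide(c, d, p, t) for c, d, p, t in flows]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

On a real gateway the `learned` table would be an nftables set with element timeouts, populated from the resolver's answers, and the default-deny rule would consult it per destination. The per-client binding is what the OP's "corresponding internal host" implies; a looser variant keyed on the destination IP alone is simpler but lets one host's lookup open the door for every other host.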
4. d110af+4v 2023-02-24 03:27:04
>>Sophir+k8
Those checks are then performed on the MITM device. Instead of an error page the device could return the same sort of page that your browser would otherwise display for you. The connection has been MITM'd after all.
5. tsimio+HS 2023-02-24 07:21:27
>>JohnFe+a8
If you're monitoring the HTTPS stream, you'll see it. The point of the proxy is exactly to inspect the content of HTTPS requests (that's why you need to install your own certificate).
replies(1): >>JohnFe+XT1
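What the inspecting proxy would actually see in JohnFe's scenario: a DNS-over-HTTPS query carried inside an HTTPS stream it has already terminated. The following is an added example, not code from this thread; the request samples are constructed and the resolver hostnames are made up. It recognises the two RFC 8484 request shapes (POST body, or GET `?dns=` base64url) by parsing the DNS wire header rather than trusting the path, and the JSON-style `?name=` API by its Accept header.

```python
# Added example: spotting a DNS-over-HTTPS query inside an HTTPS stream that the
# inspecting proxy has already decrypted. Hostnames and requests are constructed.
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE = "application/dns-message"  # RFC 8484 media type
DNS_JSON = "application/dns-json"        # JSON API offered by several public resolvers


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS wire-format query (used here only to construct samples)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_dns_question(msg):
    """Return the first question name of a DNS query, or None if it is not one."""
    if len(msg) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount < 1:  # QR set means a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(msg):  # no compression pointers in a question name
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    else:
        return None  # ran off the end without a terminating zero label
    if pos + 4 > len(msg):  # QTYPE and QCLASS must follow
        return None
    return ".".join(labels)


def b64url_decode(s):
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return None


def classify_request(method, url, headers, body=b""):
    """Classify one decrypted request. Returns (kind, queried_name)."""
    headers = {k.lower(): v for k, v in headers.items()}
    query = parse_qs(urlsplit(url).query)
    # RFC 8484 POST: the body is the DNS message itself.
    if method == "POST" and headers.get("content-type", "").startswith(DNS_MESSAGE):
        name = parse_dns_question(body)
        if name is not None:
            return ("doh", name)
    # RFC 8484 GET: the DNS message rides in ?dns=<base64url>.
    if method == "GET" and "dns" in query:
        raw = b64url_decode(query["dns"][0])
        name = parse_dns_question(raw) if raw else None
        if name is not None:
            return ("doh", name)
    # JSON-style API: ?name=<qname> with Accept: application/dns-json.
    if DNS_JSON in headers.get("accept", "") and "name" in query:
        return ("doh-json", query["name"][0])
    return ("other", None)


def run_samples():
    """Constructed requests as the proxy would see them after TLS termination."""
    get_msg = base64.urlsafe_b64encode(build_query("tracker.example.org")).decode().rstrip("=")
    samples = [
        ("POST", "https://doh.example.net/dns-query",
         {"Content-Type": DNS_MESSAGE}, build_query("ads.example.com")),
        ("GET", "https://doh.example.net/dns-query?dns=" + get_msg, {}, b""),
        ("GET", "https://resolver.example.org/resolve?name=ads.example.com&type=A",
         {"Accept": DNS_JSON}, b""),
        ("GET", "https://doh.example.net/dns-query?dns=AAAA", {}, b""),  # not a DNS message
        ("GET", "https://www.example.com/index.html", {"Accept": "text/html"}, b""),
    ]
    return [classify_request(*s) for s in samples]


if __name__ == "__main__":
    for kind, name in run_samples():
        print(kind, name)
```

The extracted name can be run through the same blocklist the internal resolver uses, so a page-embedded DoH lookup for an ad domain gets the same answer it would have gotten from port 53. The detector only covers the standard encodings; a site that tunnels DNS in some private format would still need to be caught by the egress rule rather than by content inspection.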
6. zo1+Up1 2023-02-24 12:46:15
>>Sophir+k8
A successful MITM with an injected trusted cert should appear 100% valid to the browser. That's the point. According to your device setup the connection has not been tampered with, because you as the device owner allowed a new root cert to be trusted.

The rest is just fear mongering, I'm sorry, not sure how to phrase that more elegantly or politely. I'm not an uber smart domain expert wrt certs, but we shouldn't have to be to know that valid device MITM with certs is a normal use case. And it shouldn't be used as a boogeyman on layman users.

7. JohnFe+XT1 2023-02-24 15:56:45
>>tsimio+HS
Yes, exactly. That's what I do -- I MITM all HTTPS streams for this purpose.