Killing ads with the LAN-level Privoxy web proxy

What About TLS?

How do you successfully perform a MITM attack against a connection that is encrypted to prevent MITM attacks? Most websites nowadays serve their content using HTTPS, with SSL or TLS encryption, even if that content is not sensitive. HTTPS was explicitly designed to prevent MITM actions. Privoxy cannot break HTTPS in order to look at the contents of the websites the client is visiting and take actions on them, such as modifying harmful JavaScript code before sending it to the client, without generating lots of security warnings in the client's web browser.

It is still possible to use Privoxy and an MITM attack to decrypt the traffic, analyze it, process it, and send it to the client without triggering security warnings. However, the way to achieve this is ugly and requires the collaboration of the client.

The process works as follows: The administrator creates a CA certificate for internal use and installs it in the clients whose connections he intends to make go through the proxy. Then a corresponding private key is installed in the intercepting proxy. When a browser tries to access an HTTPS site and the connection is intercepted, the proxy generates a fake certificate on the fly using the key, which is trusted by the client, and reads the request. Then the proxy fetches the website normally over HTTPS, processes its contents, and sends its output to the client browser using the spoofed connection.

This approach is controversial because it breaks the assumption that TLS connections are not modified by any intermediary on the network. Privoxy does not support this sort of interception out of the box, although there is a lot of demand for it, according to the project mailing list. However, Privoxy can be chained up with an HTTPS interception mechanism such as ProxHTTPSProxy [9].

In normal conditions, Privoxy is only capable of making limited filtering when dealing with HTTPS connections, and only if the client is actively using the proxy instead of being intercepted.

Final Considerations

A proxy service can greatly improve the web browsing experience. However, using a proxy introduces a new set of problems.

The first issue is that, in order to visit a website using Privoxy, the proxy has to download it, process it, possibly rewrite its code, and then send the page to the client once it has been fully processed. Most web browsers are designed to download the components of a website once a user attempts to visit it and start displaying these components as they become available. Privoxy, on the other hand, has to download the whole site and process it, and then send it all at once to the browser. The result is that a site might look unresponsive while it is loading.

The default filters and blocklists included with Privoxy are designed not to break websites. That said, they are not as powerful as browser-based blockers such as uBlock Origin. Custom rules may be added in order to suit your needs, but if you do something wrong, you may end up breaking some websites.

It is usually a good idea to use Privoxy with a caching proxy. A caching proxy is a regular proxy that is able to catch requests and keep local copies of the websites the users visit, so it is not necessary to download them every time a user attempts access them. Squid [10] is probably the best known FOSS caching web proxy.

The steps described in this article for implementing a proxy server that is capable of processing websites that use HTTPS in interception mode require a lot of work, and it is recommended that you complement this setup with DNS blocking.

Privoxy is very configurable and surprisingly powerful. You can even hack Privoxy into removing EU cookie warnings and performing other clever tricks. For more information on Privoxy, see the project documentation [11].

Infos

  1. uBlock Origin: https://github.com/gorhill/uBlock
  2. Adblock Plus: https://adblockplus.org/
  3. Privoxy: https://www.privoxy.org/
  4. "Setting up a local DNS server with Unbound" by Rubén Llorente, Linux Magazine, issue 227, October 2019, http://www.linux-magazine.com/Issues/2019/227/Local-DNS-with-Unbound
  5. StevenBlack DNS blacklist: https://github.com/StevenBlack/hosts
  6. EasyList advertisers blacklist: https://easylist.to/
  7. How to configure Android to use a proxy server: https://hide-ip-proxy.com/configure-proxy-server-android/
  8. How to configure Windows 10 to use a proxy server: https://pureinfotech.com/setup-proxy-server-windows-10/
  9. ProxHTTPSProxy: https://github.com/wheever/ProxHTTPSProxyMII
  10. Squid: http://www.squid-cache.org/
  11. Privoxy documentation: https://www.privoxy.org/user-manual/index.html

The Author

Rubén Llorente is a mechanical engineer, whose job is to ensure that the security measures of the IT infrastructure of a small clinic are both law compliant and safe. In addition, he is an OpenBSD enthusiast and a weapon collector.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Web Filters

    Content filters protect a web user’s privacy and keep the flood of unsolicited advertising at bay. We’ll show you a pair of popular Open Source content filters.

  • Tor and Privoxy

    Internet users typically reveal their IP addresses, and this lets companies compile a profile of your Internet activities. Tor and Privoxy can help protect your privacy.

  • Squid at Home

    Are your children wearing out their eyeballs on the Internet? Squid will help you impose some time limits and filter out inappropriate content.

  • New Protech Linux Distribution Released

    The first stable version of the new Protech Linux distribution, which includes various security tools, has just been released.

  • upribox 2.0: secure communication on the Internet

    Upribox 2.0 acts as a router and filters both trackers and ads, saving you the annoying task of manually hardening your web browser with countless add-ons.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News