
User feedback: HTTPS Filtering

Open ignoramous opened this issue 4 years ago • 3 comments

MiTM HTTPS traffic [0] to block content users don't want seen ever on their devices. Will not work with apps that pin certificates without some elaborate gymnastics, so that's there too.

[0] https://kb.adguard.com/en/general/https-filtering

ignoramous avatar Aug 29 '20 17:08 ignoramous

Another problem could be that apps since API 24 by default don't trust user-added certificates. An app has to opt into trusting them. https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

Maybe there is a way around that by using root and adding the CA to the system CAs.

Ch4t4r avatar Sep 01 '20 14:09 Ch4t4r

A user writes:

Kinda disagree with your points

  1. I use AdGuard for Android with https filtering and barely notice an increase in battery usage (app reports 0.17% battery usage in last 24 hours).
  2. Decryption is done locally, no traffic is sent to remote servers so it's a mitm but on my own machine done by me. I prefer this to having unwanted 3rd parties used by my bank spying on my banking habits (for a service you often pay for).
  3. Extensions are often not available on mobile browsers (except Firefox, Kiwi or Yandex for example) and when they are, options are pretty limited. uBlock Origin can't change my user-agent, remove tracking parameters from URLs or work in other apps. Plus, browser extensions are limited by browser capabilities which will always be abused by advertisers, malware and the likes. A dedicated app bypasses those restrictions.

But the initial goal of rdns was censorship circumvention and I understand you might limit its scope to dns/firewall

ignoramous avatar Apr 16 '21 22:04 ignoramous

Ground work for http-filtering has been laid, but no guarantees as to when or if we do implement it: https://github.com/celzero/firestack/commit/7734c4508f15d6b10f2c0b55efccb542ea34a2f0

ignoramous avatar Aug 27 '21 10:08 ignoramous

If you do this, I think supporting uBlock Origin filter lists and scriptlets would be the way to go as source for filter lists. To prevent breaking apps and sites you should have whitelisting for hosts whose certificates are pinned by the app. The more automated that is the better the user experience will be.

yoshimo avatar Apr 20 '23 20:04 yoshimo

You can get some inspiration from https://github.com/emanuele-f/PCAPdroid which uses https://github.com/emanuele-f/PCAPdroid-mitm to install a module that accomplishes this.

If you break connections open you should log the TLS master secret as SSLKEYLOGFILE, add it to the pcap (the pcapng format allows for this) and offer the user to save an already decrypted pcap.

yoshimo avatar May 06 '23 13:05 yoshimo
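The key-log embedding suggested in the comment above, as an added example that is not part of this thread or of Rethink's code: it wraps SSLKEYLOGFILE-format text (the format Go's `tls.Config.KeyLogWriter` emits) in a pcapng Decryption Secrets Block and parses it back with length checks. The names `BuildDSB` and `ParseDSB` are hypothetical, the sample line is constructed, and a little-endian section is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"bytes"
	"strings"
)

// pcapng Decryption Secrets Block type, and secrets type "TLSK" (TLS key log).
const blockTypeDSB, secretsTLSKeys = 0x0000000A, 0x544c534b

// BuildDSB wraps SSLKEYLOGFILE-format text in a Decryption Secrets Block.
// Little-endian is an assumption; it must match the capture's section header.
func BuildDSB(keylog []byte) []byte {
	pad := (4 - len(keylog)%4) % 4
	total := uint32(16 + len(keylog) + pad + 4) // header + data + padding + trailer
	var b bytes.Buffer
	for _, v := range []uint32{blockTypeDSB, total, secretsTLSKeys, uint32(len(keylog))} {
		binary.Write(&b, binary.LittleEndian, v)
	}
	b.Write(keylog)
	b.Write(make([]byte, pad)) // secrets data is padded to a 32-bit boundary
	binary.Write(&b, binary.LittleEndian, total)
	return b.Bytes()
}

// ParseDSB checks the block framing and returns the embedded key log text.
func ParseDSB(blk []byte) ([]byte, error) {
	le := binary.LittleEndian
	if len(blk) < 20 || len(blk)%4 != 0 || le.Uint32(blk) != blockTypeDSB || le.Uint32(blk[8:]) != secretsTLSKeys {
		return nil, errors.New("not a well-formed TLS key log DSB")
	}
	total, n := le.Uint32(blk[4:]), le.Uint32(blk[12:])
	if int(total) != len(blk) || le.Uint32(blk[len(blk)-4:]) != total || uint64(n) > uint64(len(blk)-20) {
		return nil, errors.New("inconsistent block or secrets length")
	}
	return blk[16 : 16+n], nil
}

// Constructed sample line (all-zero client random, dummy secret), not a real session.
var sampleKeylog = []byte("CLIENT_RANDOM " + strings.Repeat("00", 32) + " " + strings.Repeat("11", 48) + "\n")

func main() {
	got, err := ParseDSB(BuildDSB(sampleKeylog))
	fmt.Println(len(got), err)
}
```

Write the block ahead of the packet blocks it is meant to decrypt. A capture carrying it decrypts for anyone who holds the file, so it needs the same handling as the plaintext.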

Thanks. PCAPdroid is GPL which is incompatible with the Apache v2 License Rethink uses. That said, PCAPdroid runs MiTMProxy (written in Python) which is something we'd want to avoid, given the already bloated nature of our app.

ignoramous avatar May 06 '23 16:05 ignoramous

It is just a demonstration of how you could do it, not only code to copy :)

yoshimo avatar May 06 '23 16:05 yoshimo

a h1/h2 mitmproxy (no other alpns or h2) in go: https://github.com/projectdiscovery/martian/ (usage)

ignoramous avatar Sep 16 '23 23:09 ignoramous