Killing ads with the LAN-level Privoxy web proxy
What About TLS?
How do you successfully perform a MITM attack against a connection that is encrypted to prevent MITM attacks? Most websites nowadays serve their content using HTTPS, with SSL or TLS encryption, even if that content is not sensitive. HTTPS was explicitly designed to prevent MITM actions. Privoxy cannot break HTTPS in order to look at the contents of the websites the client is visiting and take actions on them, such as modifying harmful JavaScript code before sending it to the client, without generating lots of security warnings in the client's web browser.
It is still possible to use Privoxy and an MITM attack to decrypt the traffic, analyze it, process it, and send it to the client without triggering security warnings. However, the way to achieve this is ugly and requires the collaboration of the client.
The process works as follows: The administrator creates a CA certificate for internal use and installs it on the clients whose connections are to go through the proxy. The corresponding private key is installed on the intercepting proxy. When a browser tries to access an HTTPS site and the connection is intercepted, the proxy uses that key to generate, on the fly, a certificate for the site, which the client trusts because it chains to the internal CA, and reads the request. The proxy then fetches the website normally over HTTPS, processes its contents, and sends the result to the client browser over the spoofed connection.
This approach is controversial because it breaks the assumption that TLS connections are not modified by any intermediary on the network. Privoxy does not support this sort of interception out of the box, although there is a lot of demand for it, according to the project mailing list. However, Privoxy can be chained up with an HTTPS interception mechanism such as ProxHTTPSProxy [9].
Under normal conditions, Privoxy can perform only limited filtering on HTTPS connections, and only if the client is explicitly configured to use the proxy rather than being transparently intercepted.
Final Considerations
A proxy service can greatly improve the web browsing experience. However, using a proxy introduces a new set of problems.
The first issue is that, in order to visit a website using Privoxy, the proxy has to download it, process it, possibly rewrite its code, and then send the page to the client once it has been fully processed. Most web browsers are designed to download the components of a website once a user attempts to visit it and start displaying these components as they become available. Privoxy, on the other hand, has to download the whole site and process it, and then send it all at once to the browser. The result is that a site might look unresponsive while it is loading.
The default filters and blocklists included with Privoxy are designed not to break websites. That said, they are not as powerful as browser-based blockers such as uBlock Origin. Custom rules may be added in order to suit your needs, but if you do something wrong, you may end up breaking some websites.
It is usually a good idea to use Privoxy together with a caching proxy. A caching proxy is a regular proxy that intercepts requests and keeps local copies of the websites users visit, so they do not have to be downloaded every time a user accesses them. Squid [10] is probably the best known FOSS caching web proxy.
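One way to chain the two on a single LAN host, as an added configuration example that is not from the article or from either project's documentation: browsers point at Privoxy, and Privoxy forwards everything to a Squid instance that listens only on loopback. The addresses 192.168.1.1 and 192.168.1.0/24 and the ports are assumed, and the rest of the distribution's default squid.conf (including its CONNECT handling for port 443) is assumed to be kept.

```conf
# /etc/privoxy/config (relevant lines only)
# Accept clients from the LAN on the proxy host's LAN address
listen-address 192.168.1.1:8118
permit-access 192.168.1.0/24
# Hand every request on to the caching proxy instead of fetching directly
forward / 127.0.0.1:3128

# /etc/squid/squid.conf (relevant lines only)
# Reachable only from Privoxy on the same host
http_port 127.0.0.1:3128
cache_dir ufs /var/spool/squid 1000 16 256
http_access allow localhost
http_access deny all
```

Binding Squid to 127.0.0.1 and denying everything but localhost keeps it from becoming an open proxy that bypasses Privoxy's filtering; clients that try to reach port 3128 directly are refused.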
The steps described in this article for implementing a proxy server that is capable of processing websites that use HTTPS in interception mode require a lot of work, and it is recommended that you complement this setup with DNS blocking.
Privoxy is very configurable and surprisingly powerful. You can even hack Privoxy into removing EU cookie warnings and performing other clever tricks. For more information on Privoxy, see the project documentation [11].
Infos
- [1] uBlock Origin: https://github.com/gorhill/uBlock
- [2] Adblock Plus: https://adblockplus.org/
- [3] Privoxy: https://www.privoxy.org/
- [4] "Setting up a local DNS server with Unbound" by Rubén Llorente, Linux Magazine, issue 227, October 2019, http://www.linux-magazine.com/Issues/2019/227/Local-DNS-with-Unbound
- [5] StevenBlack DNS blacklist: https://github.com/StevenBlack/hosts
- [6] EasyList advertisers blacklist: https://easylist.to/
- [7] How to configure Android to use a proxy server: https://hide-ip-proxy.com/configure-proxy-server-android/
- [8] How to configure Windows 10 to use a proxy server: https://pureinfotech.com/setup-proxy-server-windows-10/
- [9] ProxHTTPSProxy: https://github.com/wheever/ProxHTTPSProxyMII
- [10] Squid: http://www.squid-cache.org/
- [11] Privoxy documentation: https://www.privoxy.org/user-manual/index.html