However, neither of these programs support Linux, and the only similar program hasn't been developed in over 7 years (http://svn.jklmnop.net/projects/SelfControl.html). So, I wrote Chomper. Any feedback is appreciated, but what's most useful is if you try installing it and tell me if you like it!
2. In both Firefox and Chrome, you can enter Private Browsing/Incognito mode, where extensions are automatically disabled, so you'll be able to evade blocks. It doesn't matter if you're in incognito mode while Chomper is running - you'll still get blocked.
3. It's usually trivially easy to disable or uninstall browser extensions. Chomper is marginally more difficult to disable when you have root privileges. However, unlike browser extensions, you have the option of tying your hands so that it is entirely impossible to remove a block (https://github.com/aniketpanjwani/chomper#hardcore-mode).
I'm not really sure what it means to use SNI and TCP-passthru instead of MITM. Could you expand a bit? In particular, what would be the advantage of this approach? I'm really a novice when it comes to computer networking - I learned everything I know on the topic in the process of creating Chomper.
captn3m0 is proposing that you use the server name from the TLS ClientHello message (it's in the SNI extension) to determine if a website should be blocked, and if not, you don't perform a man-in-the-middle attack but just forward traffic. A major advantage is that you don't need to install the cert on the client unless you also want to display error messages for blacklisted sites.
I see - it would be pretty nice to not have to install certificates. However, I kind of like mitmproxy, and I'd rather not get rid of it if I don't have to. A couple questions:
1. Would it be possible to do this through mitmproxy? You are the person to ask, after all :P .
2. Does this approach allow you to also filter sites which use certificate pinning? That seems more important, since it would be a practical advantage, rather than simply more convenient installation.
3. Could you filter at the URL level with SNI, e.g. block amazon.com/gp/video/*, but not block the rest of amazon.com? From what I've just started reading about SNI, you would only see "amazon.com" and nothing else.
1. You can `--ignore` specific domains in mitmproxy, and since the ignore pattern is a regex you should be able to construct something that says "ignore everything but those domains" (the ones you then want to block).
Asking the right questions. :-) This is based on mitmproxy, so upstream certificates should be verified by default. I haven't played around with Chomper, but we have extensive tests for this in mitmproxy.
To be clear, compared to browsers you do loose some advanced mechanisms such as HPKP, Certificate Transparency log enforcement, Extended Validation certs, or revocation checking. I don't want to downplay this, but I would argue that this is not too significant for the average user, whereas mitmproxy is often a substantial improvement over what other non-browser software is doing.
There are some websites which due to certificate pinning will not be properly filtered through the proxy (http://docs.mitmproxy.org/en/stable/certinstall.html#certifi...). For example, while Chomper is running, even if Dropbox is not on a blacklist, it probably will not properly sync. Eventually, I'll add the ability to make exceptions for these websites if desired.
It's been ad-hoc tested on my computer and on a fresh Linux installation. There's really no components right now worth unit testing, since it was really just a lot of configuration work. Once I start adding more complicated filter rules, I'll write formal unit tests.
Chomper is an internet blocker for helping prevent procrastination/mindless web surfing. It's in the same vein as Cold Turkey (https://getcoldturkey.com/) or SelfControl (https://selfcontrolapp.com/).
However, neither of these programs support Linux, and the only similar program hasn't been developed in over 7 years (http://svn.jklmnop.net/projects/SelfControl.html). So, I wrote Chomper. Any feedback is appreciated, but what's most useful is if you try installing it and tell me if you like it!
How is it better than any Firefox/Chrome extension (like say Leech block)?
Great question.
1. It's browser independent. You have to import security certificates for each browser, but this is a step which will eventually be automated (https://github.com/aniketpanjwani/chomper/issues/8).
2. In both Firefox and Chrome, you can enter Private Browsing/Incognito mode, where extensions are automatically disabled, so you'll be able to evade blocks. It doesn't matter if you're in incognito mode while Chomper is running - you'll still get blocked.
3. It's usually trivially easy to disable or uninstall browser extensions. Chomper is marginally more difficult to disable when you have root privileges. However, unlike browser extensions, you have the option of tying your hands so that it is entirely impossible to remove a block (https://github.com/aniketpanjwani/chomper#hardcore-mode).
> entirely impossible
You severely underestimate us procrastinators. We'd sooner wipe our disk than work. ;-)
Instead of a proxy that does MITM, how about one that uses SNI instead and does TCP-passthru if the domain is not on the blacklist?
I'm not really sure what it means to use SNI and TCP-passthru instead of MITM. Could you expand a bit? In particular, what would be the advantage of this approach? I'm really a novice when it comes to computer networking - I learned everything I know on the topic in the process of creating Chomper.
captn3m0 is proposing that you use the server name from the TLS ClientHello message (it's in the SNI extension) to determine if a website should be blocked, and if not, you don't perform a man-in-the-middle attack but just forward traffic. A major advantage is that you don't need to install the cert on the client unless you also want to display error messages for blacklisted sites.
I see - it would be pretty nice to not have to install certificates. However, I kind of like mitmproxy, and I'd rather not get rid of it if I don't have to. A couple questions:
1. Would it be possible to do this through mitmproxy? You are the person to ask, after all :P .
2. Does this approach allow you to also filter sites which use certificate pinning? That seems more important, since it would be a practical advantage, rather than simply more convenient installation.
3. Could you filter at the URL level with SNI, e.g. block amazon.com/gp/video/*, but not block the rest of amazon.com? From what I've just started reading about SNI, you would only see "amazon.com" and nothing else.
1. You can `--ignore` specific domains in mitmproxy, and since the ignore pattern is a regex you should be able to construct something that says "ignore everything but those domains" (the ones you then want to block).
2. I think this should answer it: http://docs.mitmproxy.org/en/stable/features/passthrough.htm...
3. No, you only see the hostname.
How does the MITM behaviour handle certificate failure? Has this been tested?
Asking the right questions. :-) This is based on mitmproxy, so upstream certificates should be verified by default. I haven't played around with Chomper, but we have extensive tests for this in mitmproxy.
To be clear, compared to browsers you do loose some advanced mechanisms such as HPKP, Certificate Transparency log enforcement, Extended Validation certs, or revocation checking. I don't want to downplay this, but I would argue that this is not too significant for the average user, whereas mitmproxy is often a substantial improvement over what other non-browser software is doing.
Chomper is essentially a wrapper around mitmproxy - http://docs.mitmproxy.org/en/stable/ (albeit a large wrapper). When mitmproxy first runs, it generates certificates into ~/.mitmproxy (http://docs.mitmproxy.org/en/stable/certinstall.html). One of the steps of the instructions is to add these certificates to your browser as trusted authorities (https://github.com/aniketpanjwani/chomper#installation), though in the future this step will be automated.
There are some websites which due to certificate pinning will not be properly filtered through the proxy (http://docs.mitmproxy.org/en/stable/certinstall.html#certifi...). For example, while Chomper is running, even if Dropbox is not on a blacklist, it probably will not properly sync. Eventually, I'll add the ability to make exceptions for these websites if desired.
It's been ad-hoc tested on my computer and on a fresh Linux installation. There's really no components right now worth unit testing, since it was really just a lot of configuration work. Once I start adding more complicated filter rules, I'll write formal unit tests.
Does that answer your questions?