Thank you for starting this project. There is a bit of overall negativity in this thread from users who don't fully understand what is going on here, but please don't get discouraged. This is ultimately the correct approach to addressing browsers that have a financial interest in serving ads.
Thank you for your work. I appreciate it very much. Please don't be demotivated by the negative comments.
I'm comfortable with a DNS based blocker (pi-hole) and it seems to work quite well. Bonus: It works across all devices on the network, rather than installing something onto the OS.
I seem to end up regretting anything I do at the network level to block traffic. It always seems to pop up that one weird time I actually do need something from a blocked domain to load, and it takes me way too long to remember that's what I did to block it.
I don't mind PiHole, but it doesn't do nearly as good a job of ad blocking as a "real" browser plugin does.
The way Charles does this is by generating a root certificate dynamically, and it makes it really easy to remove by giving you instructions for how to install and remove it, just for Chrome for example:
Tangentially related, I found many built-in Windows applications and services use certificate pinning and will either fail outright or modify behavior (easily identified by the number and size of packets with and without MITM).
I don't know how it actually works, but won't websites like YouTube simply deny you access if they detect that the ad-related request timed out?
I imagine that browser extensions actually tap into the site's code and somehow go around such detection.
But if this is a simple firewall, how will this work against any website that doesn't just default to the most trivial "import ad service", but rather actually takes steps to block ad blockers (like YouTube)?
I've wondered about what-if scenarios like this for a long time. I see them being implemented on smaller websites, but never at scale like amazon.com or YouTube, where they serve petabytes per second. My conclusion is: it gets so expensive to track and block users at the session level that they just let go.
I haven't had time to look at the code. Is this generating a unique root certificate per install? If not, this could become an attack vector to decrypt TLS traffic.
It's interesting to see the paranoia FUD in the comments here around MITM, when this is happening on your own machine under your control, and it's open-source too. It should be painfully obvious by now that Big Tech is using "security" as an excuse to effectively force-feed you whatever they want, and depriving you of the right to refuse should be illegal.
This won't affect fingerprinting (except maybe it'll block the fingerprinting scripts if they're in lists). It does work better than add-ons in that it'll work on regular applications, not just your browser.
anfragment | 2 years ago
Having just posted the app to a couple of small subreddits before sleep and then waking up to being on the front page over here is quite an experience :) I was hoping to make a Show HN post after giving Zen a bit more polish, but I guess here we are.
Thanks for all the constructive feedback. I totally share your concerns about its security and likewise wouldn't use some unverified application trying to install a root CA on my system. For those wanting to audit the certificate generation and installation code, feel free to take a look at certmanager/get.go and certmanager/install_{platformname}.go. It is mostly self-contained and, I hope, easy to understand. The lack of any instructions on how to delete the certificate is an oversight on my part, and I'll be working on this. Regarding the binaries: all of them are built on GitHub's CI. I wish there was a way for users to verify this fact, but to my knowledge, there is no way to do that currently. You can run and build the app yourself using Wails (https://wails.io/docs/gettingstarted/installation). I'll be sure to add more instructions to the repo in the coming days.
As always, any feedback, help, and suggestions are much welcome.
hummingn3rd | 2 years ago
https://www.sigstore.dev/
mike_d | 2 years ago
quyleanh | 2 years ago
About your comment on security, I think it's better to make a FAQ file and explain it clearly there.
And one suggestion: I hope Zen will have a function to choose the upstream DNS server (it can be a DoH or DoT server). It would be best to block ads with a combination of DNS and HTTPS.
dvfjsdhgfv | 2 years ago
tejohnso | 2 years ago
anticorporate | 2 years ago
scosman | 2 years ago
I connect to mine over tailscale DNS.
I recommend adding a tray icon that disables it for 60 seconds (super helpful for the odd site that serves something critical from an ads domain… like my bank).
Only downside is apps don’t have to use system DNS and a few mobile ones are wise enough to bypass.
Kadin | 2 years ago
The amount of crap that still comes through when I turn off uBlock -- but am still using PiHole DNS, which is always active on my home network -- is a lot.
Honestly I don't think DNS-based adblocking is really viable, long-term. It's just too easy for advertisers and dirtbag website operators to get around it. There's just no substitute for controlling the retrieval of content elements and their presentation from the application where the user is doing the interaction.
This is why keeping browsers out of the hands of adtech corporations is pretty important; once they control that presentation layer it's largely game over. They can just tunnel all the traffic through a single connection to a relay server, if they want to, and there won't be shit a user can do about it once they've decided that's the only browser they can use.
1vuio0pswjnm7 | 2 years ago
A proxy can be installed "onto the OS" of a RPi. It does not have to be installed on the computer used to view web pages.
A Pi-Hole is a modified dnsmasq installed "onto the OS" of a RPi.
kgwxd | 2 years ago
cloudking | 2 years ago
brightball | 2 years ago
exitzer0 | 2 years ago
develatio | 2 years ago
I_Am_Nous | 2 years ago
fostware | 2 years ago
unknown | 2 years ago
[deleted]
mike_d | 2 years ago
CodeNest | 2 years ago
rosywoozlechan | 2 years ago
https://www.charlesproxy.com/documentation/proxying/ssl-prox...
https://www.charlesproxy.com/documentation/using-charles/ssl...
gigel82 | 2 years ago
It made me very curious to find out what data they're downloading / exfiltrating that they feel the need to go to such extremes to hide it from the user.
FWIW, even some of the packages that do pass through MITM are further encrypted binary blobs, not clear text.
passerby1 | 2 years ago
SushiHippie | 2 years ago
Except things like browsers (e.g. Firefox, Chrome) or python that ship their own root CA trust store.
Xeamek | 2 years ago
nurettin | 2 years ago
normalaccess | 2 years ago
userbinator | 2 years ago
Fuck the corporate-authoritarians who are taking away the freedom to do what we want to content that enters our machines. They've been fighting that war for a long time, and we can see through the tactics they've been using.
I've been using Proxomitron as a filtering proxy for over 2 decades after its author's death, and it is even more powerful than this (but requires more setup and tuning.)
quyleanh | 2 years ago
netsharc | 2 years ago
josephcsible | 2 years ago
TheFuzzball | 2 years ago
That makes deep ad blocking, local web caching, and automated history logging (with paths) impossible, for better or worse.
satvikpendem | 2 years ago
mkskm | 2 years ago
https://adguard.com/en/adguard-mac/overview.html
There's also Little Snitch Mini:
https://www.obdev.at/products/littlesnitch-mini/index.html
mathisd | 2 years ago
sodality2 | 2 years ago
dotcoma | 2 years ago
sodality2 | 2 years ago
kevin_thibedeau | 2 years ago
aredox | 2 years ago
Worse than a browser extension where I can deactivate per-site to solve false positives.
_boffin_ | 2 years ago
rmkrmk | 2 years ago
thefz | 2 years ago
Well, nope.
acl777 | 2 years ago
like: https://github.com/StevenBlack/hosts
mike_d | 2 years ago
quyleanh | 2 years ago
nurettin | 2 years ago
Still very, very scary.