
I have pi-hole, and while DNS filtering does eliminate a majority of annoyances on the web, there's still a large amount that I need uBlock for.


DNS filtering is the only option outside the browser because of SSL


That's not necessarily true. SSL/TLS does not prevent all MITM, it prevents unwanted MITM.

To be fair, I don't think you can install certificates on a Chromecast for example, so it might not be practically feasible for all devices, but a blanket "SSL makes that impossible" is not correct.


SSL/TLS does not prevent all MITM, it prevents unwanted MITM.

That’s news to me. Can you expand on this? I always assumed if an API endpoint, for example, is served on TLS, it’s secure till the termination. No?


In practice it's usually done with SSL termination (MITM, but you have a trusted certificate).

Adguard Docs on it: https://kb.adguard.com/en/general/https-filtering#how-does-h...

Charles Proxy: https://www.charlesproxy.com/documentation/proxying/ssl-prox...


You can always choose to install your own root certificates, at which point your browsers will trust any certificates issued by them (which could be your own MITM proxy).


It would cause issues for websites / apps using HSTS / certificate pinning (a.k.a. most big websites).


No, HSTS doesn't pin the cert, it just says that TLS must be used. A custom root certificate will fulfill that requirement.

Cert pinning isn't used by browsers in general.
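
Added example, not part of the thread: a small Python model of the distinction drawn in the last comment, where HSTS only requires HTTPS with a chain the client trusts, while a key pin compares the presented public keys against a fixed set. The key bytes, connection list and function names are constructed for illustration.

```python
import base64
import hashlib

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def hsts_allows(policy, scheme, chain_trusted):
    """HSTS asks for HTTPS with a chain the client trusts; it names no CA or key."""
    if not policy["max_age"]:          # missing or max-age=0: no active policy
        return True
    return scheme == "https" and chain_trusted

def spki_pin(spki_bytes):
    """Base64 SHA-256 of a SubjectPublicKeyInfo, the usual form of a key pin."""
    return base64.b64encode(hashlib.sha256(spki_bytes).digest()).decode()

def pin_allows(pins, chain_spkis):
    """A pinning client requires at least one key in the presented chain to match."""
    return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-ins for DER-encoded public keys (not real keys).
ORIGIN_LEAF, PUBLIC_CA = b"origin-leaf-key", b"public-ca-key"
PROXY_LEAF, LOCAL_ROOT = b"proxy-leaf-key", b"locally-installed-root-key"

POLICY = parse_hsts("max-age=31536000; includeSubDomains")
PINS = {spki_pin(ORIGIN_LEAF)}         # what an app pinning the origin would ship

# (label, scheme, chain trusted by the client's store?, keys in presented chain)
CONNECTIONS = [
    ("direct", "https", True, [ORIGIN_LEAF, PUBLIC_CA]),
    ("via filtering proxy, root installed", "https", True, [PROXY_LEAF, LOCAL_ROOT]),
    ("plain http", "http", False, []),
]

def evaluate():
    return {label: (hsts_allows(POLICY, scheme, trusted), pin_allows(PINS, keys))
            for label, scheme, trusted, keys in CONNECTIONS}

if __name__ == "__main__":
    for label, (hsts_ok, pin_ok) in evaluate().items():
        print(f"{label:38} hsts_ok={hsts_ok!s:5} pin_ok={pin_ok}")
```
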



