This is not a strictly a legal or technical question, but rather an opinion question - "is it acceptable?" From my point of view it's not. A root ca cert in your system allows the controller of that cert to potentially impersonate and intercept any of your SSL/TLS traffic via MitM techniques. I don't want to get into self signed certs and forcing users to load CA's on all their devices. Plus that is just a bit too far into a Man In The Middle scenario and I don't want that kind of access to peoples devices. I'm very big on user privacy and no one should have unverified CA level access to clients.
DNS is unencrypted and provides no security guarantees. TLS on the other hand does.
If DNSSEC was all of a sudden enabled everywhere, a different approach than NXDOMAIN would be needed but that time has not (and probably never will) come.
What you're not seeing is DNS sinkholing, aka returning NXDOMAIN for a legit webserver operating under the law, is a MitM. The certificate technique is a more elaborate MitM to pull off than a compromised DNS forwarder/resolver, which is a one-step process. These are not opinion, but facts.
"is it acceptable" is easy to answer. There are two senses in your question. Let me clarify.
Sense 1: Ad networks/trackers collect consumers/end-users privacy data and send the data over HTTPS to their servers. Is it acceptable? To me, it's definitely not.
Sense 2: A consumer/end-user uses a tool such as pixelserv-tls to inspect such transmission within his own devices and check what privacy data the ad networks/trackers are retrieving from him. It's perfectly acceptable. That's what I meant in the sentence you quoted.
The FUD here is in fact a technical question. Note that neither pixelserv-tls nor its integrator will ship a root CA certificate. Each end-user has to generate his own root CA certificate. So each root CA certificate is unique and solely owned by the end user. He then installs the root CA in his and/or his family's devices for adblock. There is no MiTM attack here unless he wants to attack his family who trusts him in the first place to let him install the root CA.
pixelserv-tls also works without a root CA certificate. HTTPS requests will simply be rejected.
DNS-based adblock strategy is getting more popular, and easier to install. It works so much better than browser add-on. If its popularity gets to a tipping point, DNSSEC adoption may get a boost. I haven't looked into DNSSEC, so unsure if it can make DNS based adblock irrelevant. My guess is it can. Then it'll be a big win for ad networks and trackers.
I have good news for you (and maybe others). In firefox you can still clear those annoying dns related error messages from https sites. It's no longer permitted by internal plugins via webextensions api, but you can still provide a little external css file to nuke those error messages ...
/*
* edit this file and copy it as userContent.css to
* linux: /.mozilla/firefox/<profile dir>/chrome/
* windows: %APPDATA%\Mozilla\Firefox\Profiles\<profile dir>\chrome
*/
@-moz-document url-prefix('about:neterror?e=dnsNotFound') {
:root {
--in-content-page-background: none !important;
}
body {
display: none !important;
}
}
Maybe this works also in Chrome but I do not use this browser.
"Heads up" for frequent youtube users. On the pihole forum I've found an interesting discussion regarding this new "API based" approach to block all ad-related subdomains under 'googlevideo.com' (see here). It's quite easy to integrate that as a new source in adblock, therefore here it is for testing ...
Would be nice to get feedback from youtubers if that really help with this in-video ads and others.
edit/warning: This API (details see here) is designed to find "all" forward DNS records (A records) for an organisation (i.e. 'gogglevideo.com'). It's very likely blocking access to legitimate content and even this enabled blocklist requires application level filtering, too.
I'm a daily YouTube user on both PC and a TV app, I've just introduced this script and confirm it works via a query to Adblock, however I still see adds on the web version of YouTube. On the TV I've not seen an ad for some time, it often does get stuck on a black loading screen though where there should be an ad which is mildly annoying.
Have a question on the best way to allow some traffic.
So... What I have going on, is that I'm jobhunting, and on many websites there is a link to connect you using your LinkedIn account. What happens is, I see a popup page with a blank screen and the one single white pixel. And, no login with my LI account or no transfer of data about me.
So, I'm assuming its a pixelserver handshaking kind of thing, or a way for a third party to get credit for the linking.. not sure. I have captured a few of the 800 character URL's, and they do vary in length, content, etc.
What's the needed level of detail here, if I was going to try to whitelist this, since they're all hugely long and vary from customer to customer? Hopefully there's some higher domains I can pull and whitelist, but there's a lot of non human readable stuff in there. Anyone deal with this successfully?
That's a compressed blocklist with sub-sections, you can't simply add such source. Currently only "shallalist" is supported in this regard ... I'll add generic archive support in a future release.
