Block requests based on SSL cert fingerprints

Open wft44maqb opened this issue 4 years ago • 4 comments

Recently, I discovered that more and more Chinese applications use third-party DNS resolvers to evade filtering. Alibaba, Xiaomi, etc.

(pic, but later)

  • https://search.censys.io/certificates?q=%28%22resolver.msg.xiaomi.net%22+OR+%22resolver.mi.xiaomi.com%22+OR+%22resolver.msg.global.xiaomi.net%22%29+AND+tags.raw%3A+%22trusted%22

  • https://search.censys.io/search?resource=hosts&q=services.tls.certificates.leaf_data.fingerprint%3A+f00992f3b71db5e09d241c3c68b4534f54577b6620b20b458c8bb3f552f73ae1+or+services.tls.certificates.chain.fingerprint%3A+f00992f3b71db5e09d241c3c68b4534f54577b6620b20b458c8bb3f552f73ae1+or+services.tls.certificates.leaf_data.fingerprint%3A+2863149b198ac01aa82f74bc9dc8358a02b281b6867b439ba80b495682813ed6+or+services.tls.certificates.chain.fingerprint%3A+2863149b198ac01aa82f74bc9dc8358a02b281b6867b439ba80b495682813ed6+or+services.tls.certificates.leaf_data.fingerprint%3A+76270503bd7087945afb5c4a9cb9187b888e7224f852a5cdad5e7ab648cd7bda+or+services.tls.certificates.chain.fingerprint%3A+76270503bd7087945afb5c4a9cb9187b888e7224f852a5cdad5e7ab648cd7bda+or+services.tls.certificates.leaf_data.fingerprint%3A+51902a7ad51d51efdb258d497b9489d8ebe53bc20f92f8a63ae59e73b0eec9e1+or+services.tls.certificates.chain.fingerprint%3A+51902a7ad51d51efdb258d497b9489d8ebe53bc20f92f8a63ae59e73b0eec9e1+or+services.tls.certificates.leaf_data.fingerprint%3A+b75cda5bc6b08d2d5d4b1f160d7b3cc432eb631236f25e718666e63f141bbdfb+or+services.tls.certificates.chain.fingerprint%3A+b75cda5bc6b08d2d5d4b1f160d7b3cc432eb631236f25e718666e63f141bbdfb

They will always figure out a way to bypass the filtering, and get the domain's IP address, and it's so hard to put a finger on all the linked-IPs, so you might want AdGuard to support blocking requests based on SSL cert fingerprints.

https://github.com/AdguardTeam/AdguardForAndroid/issues/3853 @Konstantin

Additionally, SSL certificates are relatively static compared with IP addresses bound to domain names.

wft44maqb, Oct 19 '21 22:10
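The check requested above, sketched as an added example that is not part of the original thread and not AdGuard code: it matches every certificate in a presented chain against a fingerprint blocklist, mirroring the leaf-or-chain match in the Censys query. It assumes the 64-hex-digit values in that query are SHA-256 digests of the DER-encoded certificate; all function names and the sample bytes are constructed for illustration.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' or plain hex; return 64 lowercase hex digits."""
    hexed = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return hexed


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def chain_fingerprints(pem_bundle: str):
    """Fingerprints of every certificate in a PEM bundle, leaf first."""
    return [sha256_fingerprint(ssl.PEM_cert_to_DER_cert(block))
            for block in PEM_RE.findall(pem_bundle)]


def blocked_by(pem_bundle: str, blocklist):
    """Return (position, fingerprint) of the first blocklisted cert, else None."""
    wanted = {normalize(fp) for fp in blocklist}
    for pos, fp in enumerate(chain_fingerprints(pem_bundle)):
        if fp in wanted:
            return ("leaf" if pos == 0 else f"chain[{pos}]", fp)
    return None


# Constructed stand-ins for DER certificates (not real X.509). The fingerprint
# is a hash over the raw bytes, so any byte strings exercise the matching logic.
LEAF = b"constructed-leaf-certificate"
ISSUER = b"constructed-issuing-ca-certificate"
BUNDLE = ssl.DER_cert_to_PEM_cert(LEAF) + ssl.DER_cert_to_PEM_cert(ISSUER)

if __name__ == "__main__":
    # Blocklisting the issuer catches the chain even though the leaf is unlisted.
    print(blocked_by(BUNDLE, [sha256_fingerprint(ISSUER)]))
    print(blocked_by(BUNDLE, [sha256_fingerprint(b"constructed-unrelated")]))
```

In TLS 1.3 the server's Certificate message is encrypted, so a check like this has to run where the handshake is terminated (for example a local filtering proxy), not on passively observed traffic.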

NEED SOME HELP OVER HERE!!! @spirillen @My-External-Stuff

wft44maqb, Oct 19 '21 23:10

@wft44maqb I'm not sure what it is you want my help with here... Can you please elaborate?

> Chinese applications use third-party DNS resolvers

If any program inserts its own DNS resolvers to bypass any network security, then it is hacking, plain and simple. And any such programs or sites should be reported as malware/spyware with proof of such behavior.

spirillen, Oct 20 '21 16:10

https://github.com/Exodus-Privacy/etip/issues/95

wft44maqb, Nov 01 '21 04:11

https://gitlab.com/wft44maqb/hosts/-/blob/main/dns.hosts

https://gitlab.com/wft44maqb/hosts/-/blob/main/dns.easylist

wft44maqb, Nov 01 '21 04:11

Well, you can create a blocking rule for requests with a type you need. Please research our "Filtering log" functionality.

artemiv4nov, Nov 23 '22 16:11