blokadaorg / blokada

The official repo for Blokada apps.
https://blokada.org

Feature request: Automatically resolve and skip affiliate/analytic/tracking link option #780

Closed c933103 closed 4 years ago

c933103 commented 4 years ago

In many situations on many different platforms or websites, the links supplied are designed to go through the platform's analytical server. When the relevant rules are enabled in Blokada, those with a dedicated domain name like analytics.twitter.com can be blocked. However, given that the destination URL is usually present as a parameter in the analytic URL, could Blokada identify and redirect those requests to the destination directly instead of simply blocking them?

peterroth commented 4 years ago

Could you elaborate on "redirect those requests to the destination directly"? What should Blokada do, or where should it redirect the request?

c933103 commented 4 years ago

I don't have an example on hand, but think of it as something like http://analytics.platform.com/?redirect=https%3A%2F%2Fwww.website.com%2F. Would it be possible for the app to directly resolve this URL and go to www.website.com instead of sending it to analytics.platform.com?

ps100000 commented 4 years ago

Sadly this won't be possible. There are a few reasons for it:

  1. Blokada only checks the DNS traffic, so we only see that something wants to know the IP of analytics.platform.com and nothing more.

  2. Even if Blokada would check the whole traffic, it's impossible to find out where the redirect would lead, as for all HTTPS connections only the domain (analytics.platform.com) is plaintext and the rest of the URL (/?redirect=https%3A%2F%2Fwww.website.com%2F) is encrypted. As we don't want to support HTTPS filtering for security reasons, this makes it impossible to read the target URL.

  3. Even if we would be able to read the whole URL and would be able to extract the target URL correctly (finding the right target URL could become another security risk, as we could send the user to the wrong page by accident), it wouldn't be possible to do such a redirect on the DNS level, as the info isn't contained in the DNS query but only in the HTTP(S) GET request sent afterward. So the only option would be to fake an HTTP redirect response, which is also nothing I would call safe to do.

TL;DR:

It's technically impossible and also not a good idea from a security point of view. So sadly we won't be able to add this feature even though it would be really cool to have it.
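
An added illustration of point 1 in the reply above (not part of the thread and not Blokada's code): it builds the DNS query a client would send for the thread's sample URL, parses it the way a DNS-level filter would, and shows that the destination exists only in the URL's query string. The `redirect` parameter name comes from the hypothetical URL in the thread; the function names are made up for this example.

```python
import struct
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the hypothetical URL from the thread above.
SAMPLE_URL = "http://analytics.platform.com/?redirect=https%3A%2F%2Fwww.website.com%2F"

def build_dns_query(hostname, txid=0x1234):
    """Minimal RFC 1035 A-record query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_dns_question(packet):
    """Return (name, qtype) of the first question: all a DNS filter can match on."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        # Labels are at most 63 bytes; larger values are compression pointers,
        # which do not occur in the first name of a query.
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype

def dns_filter_view(url):
    """What reaches a DNS-only blocker when a client opens url, versus what the URL holds."""
    parts = urlsplit(url)
    packet = build_dns_query(parts.hostname)
    name, qtype = parse_dns_question(packet)
    # The destination lives only in the query string, which is sent later in the
    # HTTP(S) request and never appears in the DNS packet.
    target = parse_qs(parts.query).get("redirect", [None])[0]
    return {"packet": packet, "name": name, "qtype": qtype, "target_in_url": target}

if __name__ == "__main__":
    view = dns_filter_view(SAMPLE_URL)
    print("DNS filter sees:", view["name"], "type", view["qtype"])
    print("Only in the URL:", view["target_in_url"])
```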