This reminds me of a now-dockerized Privaxy, which is a uBlock Origin blocklist-compatible MITM proxy. It’s crazy to see how many ads and tracking scripts are on smart products, especially my TV where so far in my testing it’s over 40% unnecessary traffic. It’s been pretty fun to try and strip out ads on my smart TV apps.
It would not surprise me if most TVs don't check. I remember LG or Samsung using unencrypted FTP to upload viewing data a few years back, so unverified TLS would be an improvement >_<
I'm pretty sure they don't check certs. If they did, there would be many corporate networks and even entire countries where they wouldn't work, because they use DPI on all inbound/outbound connections with SSL stripping.
Definitely should be checking certs, though I always worry about the flip side of these device security decisions. If there is no way to update the trusted root certs, your TV becomes terminally ill with software e-waste disease when the manufacturer updates stop coming.
I really don’t like hardware becoming waste because we don’t have a better IoT cert pool update story.
I trust YouTube to know how to bake their own cert and trustworthy TLS libraries into their apps, but I’m not sure if that’s common in other apps.
At that point, cut all its connections from the Internet and use it as a dumb panel. Many people will say you should have never connected it in the first place anyway.
You can always use a streamer box (custom Linux one, Apple TV, Fire Stick, etc.) to give it "smarts".
I have asked this question repeatedly every time someone mentions inspecting TV meteor requests via a LAN proxy and never received a satisfactory answer.
If there are known exploits for the TV (a bunch are now running old and unpatched Android), the answer is easy enough (root it and do what you want - though that opens different and maybe easier options for ad stripping), but I’ve heard of it on Apple TV where jailbreaking isn’t so easy. Perhaps MDM deployments?
TL;DR it involves using Apple Configuration to make a custom mobileconfig profile to point to your proxy and then also installing the certificate with the same method.
Aha it’s awesome to see you here on HN too! Thanks for bringing up that filter list pinging. Been meaning to change the fork to stop using the hardcoded address of 0.0.0.0 on the front end so we can truly isolate the docker container but life gets in the way. Have you tried this on an Apple TV?
Of course! I’ve been wanting to run this for my Apple TV devices for a while now. tvOS itself doesn’t really have ads, but the third-party TV network apps have a lot of ads and tracking services, which is what I wanted to work on stripping out.
I have it working for a few TV Everywhere compatible apps, but some are proving to be more difficult than others. I may have to do some other TLS inspection with mitmproxy and figure out what needs to be removed with the custom uBlock filter syntax option.
Fork author here. It’s a bit more nuanced than that. The original version originally came with a webui that was removed upstream and replaced with a desktop app. The way it was written, there was some modification required to make it work with Docker, which was a popular request from the users. The desktop app isn’t dockerizable, so this can’t be merged upstream.
Fwiw I’m familiar with Docker and I certainly wouldn’t have understood it that way if you hadn’t said so. I wonder why they can’t just upstream the web GUI either in addition to or instead of the existing one.
https://github.com/deetungsten/webui-privaxy is the dockerized fork of https://github.com/Barre/privaxy