Privoxy as SSL filter


silverni

My English is weak, sorry.

For some time I have been using Privoxy 3.0.32 (27/02/2021) as an SSL filter:

https://www.privoxy.org/

https://www.privoxy.org/sf-download-mirror/win32/

Privoxy was born as a content filter; some years ago it took on the SSL filter function, so today:

Privoxy = ProxHTTPSProxy + Proxomitron

Privoxy offers various advantages, including good, up-to-date documentation.

At the moment I use Privoxy only as a SSL filter, with the configuration files that I report below.

 

Privoxy 3.0.32 does not support TLS 1.3; it supports the various TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3 protocols; test:

https://clienttest.ssllabs.com:8443/ssltest/ViewMYClient.html

 

Privoxy 3.0.33 of 08/12/2021 does not work on my WinXP; I read that compiling it is simple (but today I can't do it), and that it can be linked with two cryptographic libraries; probably in time Privoxy will also support TLS 1.3.

----

https://github.com/essandess/adblock2privoxy/issues/34

pdc1 May 15, 2021

I had to build my own privoxy, but it was very straightforward, the main thing to note is to include --with-openssl or --with-mbedtls when running configure to enable https-inspection.

-----

 

My configuration

 

With OPENSSL 1.0.2T I created the two files privoxy.crt and privoxy.pem; during creation I entered the following data:

Password: PrivoxyPassword

Country Name (2 letter code):IT

State or Province Name:Italia

Locality Name:<MyCity>

Organization Name: Privoxy

Organizational Unit Name (eg, section): Privoxy

Common Name: Privoxy

Email Address:

 

With Cert.MSC I imported the Privoxy.crt file into the Windows certificate store:

Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates > Right click > All Tasks > Import > Privoxy.crt

 

I placed in the same subdir of Privoxy.exe the two files Privoxy.crt and Privoxy.pem

 

I downloaded an updated cacert.pem and placed it in the same subdir.

 

In the same subdir I renamed the conf.txt file as config0.txt, and I copied my two configuration files config.txt and sv1.action

 

At the moment in SV1.action I have disabled the verification of server certificates, and I have set a User-Agent suitable for my purposes.

 

 

Greetings

 

=== config.txt

#-- original settings
confdir .
logdir .
enable-remote-toggle  0
enable-remote-http-toggle  0
enforce-blocks 0
enable-proxy-authentication-forwarding 0
forwarded-connect-retries  0
accept-intercepted-requests 0
allow-cgi-request-crunching 0
split-large-forms 0
tolerate-pipelining 1

#--- my changes
listen-address  127.0.0.1:8079
enable-edit-actions 1
buffer-limit 40960
socket-timeout 30

#keep-alive-timeout 5
#connection-sharing 1

show-on-task-bar 0
activity-animation 0
close-button-minimizes 1

ca-directory .
ca-cert-file privoxy.crt
ca-key-file privoxy.pem
trusted-cas-file cacert.pem
certificate-directory R:\Temp\PrivoxyCerts
ca-password PrivoxyPassword

#actionsfile match-all.action
#actionsfile default.action
#actionsfile user.action
actionsfile SV1.action

#filterfile default.filter
#filterfile user.filter

#logfile privoxy.log
#debug  1
#debug  1024
#debug  4096
#debug  8192

=== SV1.action

{+https-inspection}
/ # Match all URLs

{+ignore-certificate-errors}
/ # Match all URLs

{+hide-user-agent{Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko}}
/ # Match all URLs

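Added example, not part of the original post or of Privoxy itself: a small Python check that reads an action file like the SV1.action above and lists the URL patterns for which HTTPS inspection is enabled while upstream certificate errors are ignored. It assumes single-line action headers and treats only `/` and identical pattern strings as matching; the function names and the host `legacy.example.org` are hypothetical.

```python
import re

# Constructed samples: POSTED repeats the SV1.action rules from the post above;
# SCOPED limits the certificate exception to one hypothetical host.
POSTED = """\
{+https-inspection}
/ # Match all URLs
{+ignore-certificate-errors}
/ # Match all URLs
{+hide-user-agent{Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko}}
/ # Match all URLs
"""
SCOPED = "{+https-inspection}\n/\n{+ignore-certificate-errors}\nlegacy.example.org\n"

# "+name" or "-name", optionally followed by a {parameter} that is skipped.
ACTION_RE = re.compile(r"([+-])([a-z0-9-]+)(?:\{[^}]*\})?")


def parse_rules(text):
    """Return [(url_pattern, [(sign, action_name), ...])] in file order."""
    rules, current = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("{{"):                # {{alias}}, {{settings}}, ...
            current = None
        elif line.startswith("{"):               # action header for the next patterns
            current = ACTION_RE.findall(line[1:-1])
        elif line and current is not None:
            rules.append((line, current))
    return rules


def unverified_inspection(text):
    """Patterns that are TLS-inspected while upstream certificate errors are ignored."""
    rules, flagged = parse_rules(text), []
    for target in sorted({pattern for pattern, _ in rules}):
        enabled = set()
        for pattern, actions in rules:
            if pattern in ("/", target):         # "/" applies to every URL
                for sign, name in actions:
                    (enabled.add if sign == "+" else enabled.discard)(name)
        if {"https-inspection", "ignore-certificate-errors"} <= enabled:
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    print(unverified_inspection(POSTED), unverified_inspection(SCOPED))
```

With the posted rules the result is `/`, i.e. every inspected connection; with the scoped variant only the one listed host is reported.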

  • 9 months later...

After using Privoxy 3.0.20 for several months, I confirm that in my system it is much more efficient than ProxHTTPSProxy and BurpSuite 1.7.36, another SSL filter I have been using for some time.
Meanwhile, @cmalex has compiled a build for WinXP of Privoxy 3.0.30, and it is running smoothly; so it will be quite easy to add TLS 1.3.
Privoxy 3.0.40 is also available today.
So far I have never needed to upgrade.

Regards

 


  • 5 weeks later...

I came across the following pages that indicate the possibility of also using Privoxy as a filter to prevent malware, ads, etc.
Many blacklists can be found on the Internet in HOSTS format, it seems easy to convert them into a format that can be used with Privoxy.
Hereinafter I also point to a very curated source of blacklists in HOSTS format.
By the way, I have not used real-time antimalware for at least five years.
Regards
-----------------------

https://github.com/ScriptTiger/Hosts-Conversions 230530
ScriptTiger / Hosts-Conversions Public
Drag and drop a hosts file to convert it.
:::
Privoxy: Converts a hosts file to Privoxy action file format to be used with a Privoxy action file, i.e. using something like {+block{Steven Black blacklist.}}.


https://scripttiger.github.io/more/ 230530
Hosts-BL:
Simple tool written in Go  (=== exe NT6) to handle hosts file black lists that can remove comments, remove duplicates, compress to 9 domains per line, add IPv6 entries, as well as can convert black lists to multiple other black list formats compatible with other software.

https://github.com/ScriptTiger/Hosts-BL 230530
ScriptTiger / Hosts-BL Public
Usage: hosts-bl [options...] <source> <destination>
-f <format>    Destination format: ..., privoxy, ...



https://github.com/StevenBlack/hosts
Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.


 


Other info

Regards

 

=== https://www.privoxy.org/faq/misc.html
4.23. Should I continue to use a "HOSTS" file for ad-blocking?
One time-tested technique to defeat common ads is to trick the local DNS system by giving a phony IP address for the ad generator in the local HOSTS file, typically using 127.0.0.1, aka localhost. This effectively blocks the ad.
There is no reason to use this technique in conjunction with Privoxy.
Privoxy does essentially the same thing, much more elegantly and with much more flexibility.
A large HOSTS file may get in the way and seriously slow down your system.
If you think your hosts list is neglected by Privoxy's configuration, consider adding your list to your user.action file:
  { +block }
   www.ad.example1.com
   ad.example2.com
   ads.galore.example.com
   etc.example.com

 

=== https://scripttiger.github.io/alts/ 230602
Additional Blacklist Support
Below are assorted versions of Steven Black's unified hosts files reformatted for various other applications for additional support and are synced regularly.
:::
Privoxy*
To be used with a Privoxy action file.
:::
* = Formats marked with an asterisk ("*") denote formats which take advantage of the higher flexibility afforded them and prune child sub-domains of parent domains already present on the list.
For example, a domain assets.analytics.foo.com will be dropped from the list if either analytics.foo.com or foo.com are already present on the list.
In the same example, analytics.foo.com would be dropped from the list if foo.com is already present on the list.
However, if only assets.analytics.foo.com is present on the list, then both analytics.foo.com and foo.com will not be blocked.
:::
Unified hosts = (adware + malware)
FQDN | RFQDN | Adblock | dnsmasq | Unbound | RPZ | Privoxy | IPv4_IPv6 | Compressed | MCompressed
:::
Privoxy  https://scripttiger.github.io/alts/privoxy/blacklist.txt

:::
Unified hosts = (adware + malware)
Unified hosts + fakenews
Unified hosts + gambling
Unified hosts + porn
Unified hosts + social
Unified hosts + fakenews + gambling
Unified hosts + fakenews + porn
Unified hosts + fakenews + social
Unified hosts + gambling + porn
Unified hosts + gambling + social
Unified hosts + porn + social
Unified hosts + fakenews + gambling + porn
Unified hosts + fakenews + gambling + social
Unified hosts + fakenews + porn + social
Unified hosts + gambling + porn + social
Unified hosts + fakenews + gambling + porn + social
 

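Added example, not taken from the posts above or from the ScriptTiger tools: a Python version of the HOSTS-to-Privoxy conversion mentioned in the earlier post, including the parent/child pruning described in the scripttiger.github.io/alts excerpt. It writes each domain as a leading-dot pattern, which Privoxy matches for the domain and all of its subdomains, and it drops entries that are not plain host names so that a downloaded list cannot add its own `{...}` sections to the action file. The sample list and the function names are constructed for this example.

```python
import re

# Constructed sample in HOSTS format (not taken from a real blacklist).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 assets.analytics.foo.example
0.0.0.0 analytics.foo.example   # trailing comment
0.0.0.0 foo.example
0.0.0.0 cdn.tracker.bar.example
0.0.0.0 ads.one.example ADS.Two.Example
0.0.0.0 {-block}
"""

# Plain dotted host names only; braces, slashes and spaces never reach the output.
HOST_RE = re.compile(r"(?=.{1,253}$)[a-z0-9_-]+(\.[a-z0-9_-]+)+")


def parse_hosts(text):
    """Return the set of blockable host names found in HOSTS-format text."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].lower().split()
        for name in fields[1:]:                   # fields[0] is the IP address
            name = name.rstrip(".")
            if HOST_RE.fullmatch(name) and not name.replace(".", "").isdigit():
                names.add(name)
    return names


def prune_children(names):
    """Drop every name whose parent domain is also on the list."""
    kept = []
    for name in sorted(names):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels) - 1))
        if not any(parent in names for parent in parents):
            kept.append(name)
    return kept


def to_privoxy(text, reason="Hosts blacklist"):
    """Build a Privoxy action file section that blocks the pruned list."""
    patterns = ["." + name for name in prune_children(parse_hosts(text))]
    return "\n".join(["{+block{%s}}" % reason] + patterns) + "\n"


if __name__ == "__main__":
    print(to_privoxy(SAMPLE_HOSTS), end="")
```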

@silverni

I can't connect to Privoxy with Internet Explorer 8.

I only have error messages in the logs of Privoxy about failed TLS/SSL handshake.

Error: The TLS/SSL handshake with the client failed: error:0A00008A:SSL routines::cipher or hash unavailable
Error: The TLS/SSL handshake with the client failed: error:0A080044:SSL routines::internal error
Error: Failed to open a secure connection with the client

What is your list of ciphers in the conf file of Privoxy?

Regards


Other info

Regards

 

=== https://pgl.yoyo.org/adservers/formats.php 230605
junkbuster - in internet junkbuster/privoxy format
description:
can be used as a starting point for the Internet Junkbuster Proxy, also usable with Privoxy
http://www.junkbusters.com/ijb.html
more info:
https://pgl.yoyo.org/adservers/news.php#fourmore
view: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=junkbuster

 
