security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

add FAQ entry on ad-blocking

Browse Source
This commit is contained in:
Daniel Micay 2020-03-02 07:32:48 -05:00
parent f3fe1e1d45
commit 2860ce612b
1 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
static/faq.html
View File

@ -78,6 +78,7 @@
<li><a href="#network-monitoring">Can apps monitor network connections or <li><a href="#network-monitoring">Can apps monitor network connections or
statistics?</a></li> statistics?</a></li>
<li><a href="#firewall">Does GrapheneOS provide a firewall?</a></li> <li><a href="#firewall">Does GrapheneOS provide a firewall?</a></li>
<li><a href="#ad-blocking">How can I set up system-wide ad-blocking?</a></li>
</ul> </ul>
</li> </li>
<li> <li>
@ -504,6 +505,38 @@
enforcing the INTERNET permission, such as DownloadManager. Direct access is denied enforcing the INTERNET permission, such as DownloadManager. Direct access is denied
by blocking low-level network socket access.</p> by blocking low-level network socket access.</p>
<h3 id="ad-blocking">
<a href="ad-blocking">How can I set up system-wide ad-blocking?</a>
</h3>
<p>The recommended approach to system-wide ad-blocking is setting up domain-based
ad-blocking as part of DNS resolution. You can do this by
<a href="#custom-dns">choosing a Private DNS (DNS-over-TLS) server</a> with support
for blocking ad domains. As an example, AdGuard DNS can be used by setting
<code>dns.adguard.com</code> as the Private DNS domain.</p>
<p>Content filtering apps are fully compatible with GrapheneOS, but they have serious
drawbacks and are not recommended. These apps use the VPN service feature to route
traffic through themselves to perform filtering. This approach is inherently
incompatible with encryption from the client to the server, which the AdGuard app
works around by supporting optional
<a href="https://kb.adguard.com/en/general/https-filtering">HTTPS interception</a> by
having the user trust a local certificate authority, which is a security risk and
weakens HTTPS security even if their implementation is flawless (which they openly
acknowledge in their documentation, although it understates the risks). It also can't
intercept connections using certificate pinning, with the exception of browsers which
go out of the way to allow overriding pinning with locally added certificate
authorities. Many of these apps only provide domain-based filtering, unlike the deeper
filtering by AdGuard, but they're still impacted by encryption due to Private DNS
(DNS-over-TLS). If they don't provide their own remote DNS servers, the apps require
disabling Private DNS. They could provide their own DNS-over-TLS resolver to avoid
losing the feature, but few of the developers care enough to do that. Using the VPN
service to provide something other than a VPN also means that these apps need to
provide an actual VPN implementation or a way to forward to apps providing one, and
very few have bothered to consider this let alone implementing it. NetGuard is an one
example implementing SOCKS5 forwarding, which can be used to forward to apps like
Orbot (Tor).</p>
<h2 id="day-to-day-use"> <h2 id="day-to-day-use">
<a href="#day-to-day-use">Day to day use</a> <a href="#day-to-day-use">Day to day use</a>
</h2> </h2>