if the company had installed something that uses similar technology as a pihole, wouldn’t they technically be able to see everything even if you use https?
Mostly no. PiHole works by providing a DNS server.
A DNS server is responsible for turning domain names such as en.wikipedia.org into internet protocol addresses such as 185.15.58.224.
PiHole has a list of known ad serving domains and when asked to resolve one just replies with an invalid address.
Running the DNS server itself would only give them access to the above mentioned data. However, they could respond with wrong addresses to redirect all traffic over a man in the middle proxy.
For an https secured connection this would just result in a certificate error, warning the user to not proceed. Https secured websites have a certificate electronically signed by a trusted outside party, that verifies that they really are the owner of a specific domain.
Another option would be to redirect the user to a man in the middle proxy that pretends to not support https in order to trick the browser and server into opening an unencrypted connection. This works on some websites, but can be noticed by the user (as the browser now displays “Not Secure” and “http://”) in the address bar) and is protected again by newer security mechanisms like HSTS that allow websites to tell browsers to always contact them over https in the future.
Basically if the site supports HSTS and you have visited it before this also won’t work.
Ah I see. When I run adguard on a mac and enable system wide protection, I think it registers itself as a trusted certificate authority and works similar to the “man-in-the-middle” component that you mentioned. This is just my assumption based on the fact that on https websites, if I click the padlock, the certificate info says “Adguard CA”. It also has an explicit option for a deep packet analysis which explicitly states that it can provide better protection by inspecting https traffic so I am guessing that in theory it’s possible.
Yes. This works because AdGuard is installed on your Mac and adds itself to the trusted authorities there. Basically computers with adguard installed will trust the certificate while computers without AdGuard installed will not trust it.
Some companies do something similar (like another commenter here mentioned), where they install their own certificate on all work provided devices, allowing them to man-in-the-middle all connections. Personal devices without the company certificate installed will then just show the certificate error.
if the company had installed something that uses similar technology as a pihole, wouldn’t they technically be able to see everything even if you use https?
Mostly no. PiHole works by providing a DNS server.
A DNS server is responsible for turning domain names such as en.wikipedia.org into internet protocol addresses such as 185.15.58.224.
PiHole has a list of known ad serving domains and when asked to resolve one just replies with an invalid address.
Running the DNS server itself would only give them access to the above mentioned data. However, they could respond with wrong addresses to redirect all traffic over a man in the middle proxy.
For an https secured connection this would just result in a certificate error, warning the user to not proceed. Https secured websites have a certificate electronically signed by a trusted outside party, that verifies that they really are the owner of a specific domain.
Another option would be to redirect the user to a man in the middle proxy that pretends to not support https in order to trick the browser and server into opening an unencrypted connection. This works on some websites, but can be noticed by the user (as the browser now displays “Not Secure” and “http://”) in the address bar) and is protected again by newer security mechanisms like HSTS that allow websites to tell browsers to always contact them over https in the future.
Basically if the site supports HSTS and you have visited it before this also won’t work.
Ah I see. When I run adguard on a mac and enable system wide protection, I think it registers itself as a trusted certificate authority and works similar to the “man-in-the-middle” component that you mentioned. This is just my assumption based on the fact that on https websites, if I click the padlock, the certificate info says “Adguard CA”. It also has an explicit option for a deep packet analysis which explicitly states that it can provide better protection by inspecting https traffic so I am guessing that in theory it’s possible.
Yes. This works because AdGuard is installed on your Mac and adds itself to the trusted authorities there. Basically computers with adguard installed will trust the certificate while computers without AdGuard installed will not trust it.
Some companies do something similar (like another commenter here mentioned), where they install their own certificate on all work provided devices, allowing them to man-in-the-middle all connections. Personal devices without the company certificate installed will then just show the certificate error.
Understood. Makes sense.