Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Presumably, it has to MitM all traffic going to/from the WAN in order to MitM YouTube traffic.

Encrypted Client Hello / Secure SNI / Encrypted SNI prevents the hostname for each connection from leaking in plaintext. DNS-over-HTTPS prevents anyone on the local network from snooping on the DNS lookup to realize which connections are for a given domain name. I guess a sufficiently advanced implementation would stop MitMing a connection once it is not talking to YouTube, but as a broader ad-blocking technique, this would apply to more than just YouTube.

Even just focusing on YouTube, lower bandwidth means that you have longer pauses when you skip around any video that isn't super short, as it attempts to buffer that section of the video.



> Encrypted SNI prevents the hostname for each connection from leaking in plaintext.

True, but almost nobody uses that yet. Youtube certainly doesn't.

> DNS-over-HTTPS prevents anyone on the local network from snooping on the DNS lookup to realize which connections are for a given domain name.

The author of TFA is MITMing their own Apple TV. In that scenario, they could just configure their own DNS proxy as well. But given that there's no eSNI, it's not even necessary.

And even if you'd need to MITM all flows to and from YouTube on your local network – that would still be only a few Mbit/s per device, given YouTube's (non-premium) potato-quality data rates.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: