• 2 Posts
  • 32 Comments
Joined 16 days ago
cake
Cake day: June 18th, 2025

help-circle



  • TLDR; risks far outweigh the benefits. See bottom of response for recommendations.

    Should you use it?

    It works by setting up a proxy that intercepts HTTP requests from all applications

    During the first run, Zen will prompt you to install a root certificate

    Zen will be able to decrypt and analyze your entire traffic. And then it’ll encrypt what it allows before letting it leave/enter the device. This means even if you trust Zen, that one certificate is the only thing standing between your traffic staying encrypted. It gets compromised, you’re compromised.

    Do not trust an app with your entire traffic, ever. Even if its not malicious there are going to be bugs, vulnerabilities, leaks, etc.

    Moreover, something being open source does not mean its audited by people who know what they’re doing - neither for hidden malicious code or mistakes. I did not see any formal audits being mentioned in the readme.

    https://grapheneos.org/faq#ad-blocking-apps

    What can you use instead?

    You should instead use ublock in the browser and system wide DNS blocking on your device. You can use an adblocking public DNS server (e.g. Mullvad) or setup pihole locally. You do not have to self host pihole, you can just set it up on your computer and use on that device only which would be the same thing as using Zen on that device.

    Note that using a public, blocking DNS will block less domains because they have to make sure it does not break anything for anyone but it will make you less fingerprintable. OTOH, using a custom blocklist you can get the most out of blocking but you’re probably the only person blocking that specific subset of domains which will make you more fingerprintable. Take your poison.

    What about content filtering on desktop/mobile apps DNS blocking cannot solve

    DNS blocking merely stops the application from accessing certain domains. It won’t be able to block malicious content served from the same domain as the content you actually need (e.g. YouTube serves both ads and videos from the same domain so you can’t block their ads without blocking the video itself).

    You should not install applications you don’t trust on your device and use them on the browser as much as you can or use and alternative FOSS frontend (e.g. Reddit, Discord, YouTube etc.)

    But some applications might be circumventing system DNS

    Yes, there’s nothing stopping an application from doing its own DNS resolution or using hardcoded static IPs. You should not run applications trying to be actively malicious in this way. Neither Zen, nor anything else will be able to protect you from untrusted code doing suspicious things on your machine.



  • You would be able to do this for a short while but unless you can make an agent that’s indistinguishable from you or you already have very bot-like traffic, they’d catch up pretty quickly. They aren’t going to just let a trillion dollar industry die out because some bots are generating traffic.