Banning short form content was a challenge for a specific reason: they don’t want users to be able to disable it.
I wanted to remove short form content from my life because I felt like it held me back in many ways, mostly with my motivation, but I still wanted to have access to the apps (Instagram, YouTube…) to talk to friends, or to consume the other forms of content on them.
This article focuses on the technical side of my “Banning short form content: Tutorial”, and follows the path I took and how I resolved this issue.
I started by trying to block YouTube Shorts. My first simple idea was that maybe short form content uses a specific URL path to retrieve the videos (like www.youtube.com/shorts/...). To “block” the requests to these URLs, I used AdGuard Home. By self-hosting it and using it as the DNS on my machine, I could tell it to block the specific URL so it wouldn’t work. This worked, but not really. It only blocked Shorts when you watched them from the web browser, but I also wanted to be able to block them on my mobile, an iPhone.
While blocking youtube.com/shorts, I saw that even in the web browser, you could access Shorts when the URL does not contain “short”. I was blocking the web page, but not the video loading.
Blocking YouTube Shorts
To achieve that, I would need a way to intercept the traffic of my machines, and to detect whether the requested video was a YouTube Short or just a regular YouTube video.
Is a video a short?
To check if a requested video was a YouTube Short, I snooped around the developer tools of my web browser to see which call started the video download, and whether an argument existed that specified that it was a Short.
I found that to download a video, it would request it from googlevideos.com, and I found that the argument that determined that it was a Short was ctier=SH, a GET parameter.
How can I block the download?
To block the download, I would need access to the GET parameters of requests to googlevideos.com, check if it is a Short and block it (by returning 403, 502, etc.).
To have access to the GET parameters, I would need to break the encryption between my devices and the googlevideos server. I would need to do something like a man-in-the-middle attack on myself: having a server act as the googlevideos server, redirecting the non-short videos to the real googlevideos and blocking the short videos, with my DNS pointing googlevideos.com to my server.
[Diagram: man-in-the-middle setup]
So my devices need to trust my server’s certificate, so that they can create a trusted connection.
So I created a root certificate, which I then gave to my devices. With this root certificate, I would sign leaf certificates for the googlevideos.com website.
I used a root certificate because you can’t trust a leaf certificate on iPhone, you can only trust root certificates.
The proxy logic is handled by an nginx instance.
This solution worked on my web browsers and iPhone, and would work for any other device that trusts the root certificate and uses my specific DNS.
Next I wanted to do the same for Instagram, but it was not as easy.
Blocking Instagram Reels
First, the video provider is not just one URL like googlevideos, but something like gibberish.fbcdn.net.
That makes the certificate management more complex: you could not just have a single leaf certificate and be done, you would need to sign certificates on the fly, depending on the requested CDN URL.
To solve this issue, I used mitmproxy (man-in-the-middle proxy) instead of my plain old nginx, because it supports signing certificates on the fly.
So the changing CDN URL problem is solved.
Is a video a short?
Same as before, it is not as easy as with YouTube. Instagram encodes the requested video metadata from JSON into a Base64 string, and puts it into the efg GET parameter.
The parameter that determines if it is a reel, a picture or a story is the “vi_usecase_id” parameter, and I deduced that the value 10099 is for reels.
After a bit of setting up mitmproxy to do the blocking of YouTube Shorts and decoding the efg parameter, it worked!
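The two checks described above (ctier=SH on googlevideos.com, and vi_usecase_id 10099 inside the Base64 efg parameter on fbcdn.net) written as one mitmproxy addon. This is an added example, not the script used in the article; the recursive key search, the handling of URL-safe and unpadded Base64, and the 403 body are assumptions.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Host suffixes and marker values exactly as the article gives them.
YOUTUBE_SUFFIX, INSTAGRAM_SUFFIX = "googlevideos.com", "fbcdn.net"
REEL_USECASE_ID = "10099"


def _on_host(host, suffix):
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def _find_key(node, key):
    """Depth-first search; the nesting of the decoded JSON is an assumption."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    for child in node if isinstance(node, list) else []:
        found = _find_key(child, key)
        if found is not None:
            return found
    return None

def _decode_efg(value):
    """Base64 -> JSON; returns None when the blob is missing or malformed."""
    value = value.replace(" ", "+")  # parse_qs turns a raw '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), altchars=b"-_")
        return json.loads(raw)
    except ValueError:  # covers binascii.Error, bad UTF-8 and bad JSON
        return None


def is_short_form(url):
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if _on_host(parts.hostname, YOUTUBE_SUFFIX):
        return "SH" in query.get("ctier", [])
    if _on_host(parts.hostname, INSTAGRAM_SUFFIX):
        meta = _decode_efg(query.get("efg", [""])[0])
        return str(_find_key(meta, "vi_usecase_id")) == REEL_USECASE_ID
    return False


def request(flow):
    from mitmproxy import http  # lazy import: is_short_form works without mitmproxy
    if is_short_form(flow.request.pretty_url):
        flow.response = http.Response.make(403, b"short-form content blocked")
```

Saved as a file and loaded with `mitmproxy -s`, the `request` hook answers matching requests with 403 and lets everything else through unchanged.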
But it worked only on web browsers… And I wouldn’t be able to block it for my iPhone, because of certificate pinning.
Instagram knows the certificates of its servers, and just because your phone trusts a specific certificate does not mean that Instagram will also trust it.
So when the app sees that the server it queries does not sign with its own certificates, it knows it is not a legitimate server.
So this was now a dead end. But I was happy with what I achieved!