[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation
From: Nathan Freitas <nathan@xxxxxxxxxxx>
Date: Mon, 15 Feb 2016 10:55:54 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 15 Feb 2016 10:56:10 -0500
In-reply-to: <512753.0fd66affa8c16a41619b165033156a1fd819c470@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <512753.f0610b5a2ba80e2b5e307afc6982286451c15c63@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <56BDDEB4.1070107@xxxxxxxxxxxxxxx> <1455288823.340246.519465714.3E8E8420@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <56BE4071.50609@xxxxxxxxxxxxxxx> <CAJVRA1RabMrMAcyO3Y4hYcJoWQQRmOQR=_vBv7fCQiCVo=k5GQ@xxxxxxxxxxxxxx> <512753.0fd66affa8c16a41619b165033156a1fd819c470@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <56C06102.5010508@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On Sun, Feb 14, 2016, at 06:12 AM, Rusty Bird wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi coderman,
> 
> > with VPN approach you don't get to control traffic outside routed 
> > range, or before VPN activates, or fail-safe if it drops 
> > un-expectedly, or ...
> 
> I heard that Android VPNs can have some sort of fail-closed mode, does
> this apply to Orbot?

No. That only works for the built-in VPNs (PPTP, IPSec), and not for the
App/API-based VPNs.

> > note that a tor enforcing gateway approach is preferable to 
> > transparent proxy, security wise. e.g. corridor. i haven't seen
> > this applied to Android env, which might be interesting safety
> > buffer around Orweb&Orbot.
> 
> But the Android device isn't a gateway, unless you're tethering? If you
> mean only applications with native Tor support should be let through,
> that's the "access:fenced" option. Setting it up for all of the main
> device user account is literally that as one line, "access:fenced". Or
> for just a specific app, it's "access:fenced app:com.example.foo":

We could definitely implement this for the Orbot VPN via the tun2socks
code... essentially drop all traffic that is not connected to the local
Tor SOCKS or HTTP ports. We are also considering a little-snitch style
interactive mode that prompts the user based on hostnames and ports, to
approve each connection.

+n
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation
  - From: Rusty Bird
- Re: [tor-talk] [guardian-dev] orplug, an Android firewall with per-app Tor circuit isolation
  - From: Rusty Bird
- Re: [tor-talk] [guardian-dev] orplug, an Android firewall with per-app Tor circuit isolation
  - From: coderman
- Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation
  - From: Rusty Bird

Prev by Author: Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation
Next by Author: Re: [tor-talk] Default to meek based on location?
Previous by thread: Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation
Next by thread: Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation
Index(es):
- Author
- Thread