
Re: [tor-dev] [GSoC 2016] Orfox - Report 2



On 16 June 2016 at 18:45, Amogh Pradeep <amoghbl1@xxxxxxxxx> wrote:
> Hey guys,
>
> This is my second status report for GSoC 2016.
>
> I've finally managed to rebase things to ESR 45.2.0 :D [0].
> But unfortunately, I think that what it is built on is unstable, so we don't have an ask ready yet.
> I will continue to work on this, and hopefully have a successful build soon.
>
> Next up is a code audit. Once we have a stable application built on ESR 45, I can move on to the code audit phase.
> In this phase, I would go through the Android code, looking for all the network code, and making sure that it is proxied fine.


Is a code audit the most efficient and reliable way to look for proxy
leaks? (At least at this stage?)  I think it would be useful and it's
good to be thorough, but it seems like it would be more efficient to
do a dynamic analysis for a first-pass effort, and to leave a code
audit to later in the game while you focus on some of the other tasks
you'll have.

I would do dynamic analysis by setting up a bridge and a proxy,
exercising lots of different functionality of the app (HTTP, HTTPS,
FTP, update checking, safebrowsing disabling/enabling, extension
installation, extension update checking, extension calls to third
party APIs, etc), and looking for any traffic not going to the single
bridge configured.

My 1 cent.

-tom
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
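
The dynamic check suggested in the reply above can be scripted. This is an added example, not part of the original message or the Orfox project's code; it assumes a capture taken with `tcpdump -nn` on the test device's interface, and the device address, bridge address and capture lines are all constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed `tcpdump -nn` text output; every address here is a made-up test value.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 10.0.2.15.40112 > 192.0.2.10.443: Flags [S], seq 1, win 65535, length 0
12:00:01.200000 IP 192.0.2.10.443 > 10.0.2.15.40112: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:02.300000 IP 10.0.2.15.38211 > 203.0.113.53.53: 4660+ A? example.com. (29)
12:00:03.400000 IP 10.0.2.15.40120 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
12:00:03.500000 IP 10.0.2.15.40120 > 198.51.100.7.80: Flags [P.], seq 1:90, ack 1, win 65535, length 89
12:00:04.600000 IP 127.0.0.1.51000 > 127.0.0.1.9050: Flags [S], seq 1, win 65535, length 0
12:00:05.700000 ARP, Request who-has 10.0.2.2 tell 10.0.2.15, length 28
"""

# Matches "<time> IP|IP6 <src>.<port> > <dst>.<port>: ..."
FLOW = re.compile(r"^\S+ IP6? (\S+) > (\S+): ")


def split_endpoint(text):
    """Split tcpdump's 'addr.port' form at the last dot."""
    host, _, port = text.rpartition(".")
    return ipaddress.ip_address(host), int(port)


def find_leaks(capture, device_ip, bridge):
    """Return (dst_ip, dst_port, packets) for device traffic not sent to the bridge."""
    device = ipaddress.ip_address(device_ip)
    allowed = (ipaddress.ip_address(bridge[0]), bridge[1])
    leaks = Counter()
    for line in capture.splitlines():
        match = FLOW.match(line)
        if not match:
            continue  # ARP and other non-IP lines
        try:
            src, _ = split_endpoint(match[1])
            dst = split_endpoint(match[2])
        except ValueError:
            continue  # port-less lines such as ICMP are out of scope here
        if src == device and dst != allowed:
            leaks[dst] += 1
    return sorted((str(ip), port, n) for (ip, port), n in leaks.items())


if __name__ == "__main__":
    for ip, port, n in find_leaks(SAMPLE_CAPTURE, "10.0.2.15", ("192.0.2.10", 443)):
        print(f"LEAK {ip}:{port} ({n} packets)")
```

On the sample capture this reports the direct DNS query and the direct HTTP connection, and ignores the bridge flow, the loopback proxy traffic and the ARP line.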