
Re: [tor-dev] [GSoC 2016] Orfox - Report 2



On Thu, Jun 16, 2016, at 10:37 PM, Tom Ritter wrote:
> On 16 June 2016 at 18:45, Amogh Pradeep <amoghbl1@xxxxxxxxx> wrote:
> Is a code audit the most efficient and reliable way to look for proxy
> leaks? (At least at this stage?)  

I think he means a few things by this, or at least we have a few tasks
underway:
- mentor (me) reviewing code quality and implementation choices for how
proxy features were added
- inspection of esr45 Android Java code for new network code and other
potentially leaky / deanon features
- review of Tor Browser, NoScript and other mobile-relevant extensions
for portability to Android


> I would do dynamic analysis by setting up a bridge and a proxy,
> exercising lots of different functionality of the app (HTTP, HTTPS,
> FTP, update checking, safebrowsing disabling/enabling, extension
> installation, extension update checking, extension calls to third
> party APIs, etc), and looking for any traffic not going to the single
> bridge configured.

We use NoRoot firewall on Android for doing this in a quick manner. It
is like LittleSnitch.

Thanks for the feedback Tom!
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
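
The dynamic check Tom describes (exercise the app, then look for any traffic not going to the single configured bridge) can be automated over a packet capture. The following is an added example, not code from the thread or from Orfox; the device addresses, the bridge address and the sample capture in `tcpdump -nn -tt` text format are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed test setup (not from the thread): device addresses and the one configured bridge.
DEVICE_ADDRS = ("10.0.2.15", "2001:db8::15")
BRIDGE = ("198.51.100.7", 443)

# Constructed sample in the text format printed by `tcpdump -nn -tt`.
SAMPLE = """\
1466112000.10 IP 10.0.2.15.41234 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
1466112000.20 IP 198.51.100.7.443 > 10.0.2.15.41234: Flags [S.], seq 9, ack 2, win 65535, length 0
1466112001.00 IP 10.0.2.15.50211 > 192.0.2.53.53: 4660+ A? example.com. (29)
1466112002.00 IP 10.0.2.15.41300 > 203.0.113.9.80: Flags [S], seq 5, win 65535, length 0
1466112002.50 IP 10.0.2.15.41300 > 203.0.113.9.80: Flags [.], ack 1, win 65535, length 0
1466112003.00 IP6 2001:db8::15.41400 > 2001:db8::9.443: Flags [S], seq 7, win 65535, length 0
1466112004.00 IP 10.0.2.15 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+): (.*)$")

def split_endpoint(ep):
    """Split tcpdump's 'addr.port' into (ip, port); port is None on portless lines (ICMP)."""
    try:
        return ipaddress.ip_address(ep), None
    except ValueError:
        host, _, port = ep.rpartition(".")
        return ipaddress.ip_address(host), int(port)

def find_leaks(capture_text, device_addrs=DEVICE_ADDRS, bridge=BRIDGE):
    """Count outbound packets from the device whose destination is not the bridge."""
    device = {ipaddress.ip_address(a) for a in device_addrs}
    allowed = (ipaddress.ip_address(bridge[0]), bridge[1])
    leaks = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IP/IP6 packet line
        (src, _), (dst, dport) = split_endpoint(m.group(1)), split_endpoint(m.group(2))
        if src not in device or dst.is_loopback or (dst, dport) == allowed:
            continue  # inbound, local, or correctly routed to the bridge
        kind = "no-port" if dport is None else "tcp" if m.group(3).startswith("Flags") else "udp"
        leaks[(str(dst), dport, kind)] += 1
    return leaks

if __name__ == "__main__":
    for (dst, port, kind), n in find_leaks(SAMPLE).items():
        print(f"LEAK {kind} -> {dst} port {port} ({n} packets)")
```

An empty result after exercising each feature is the pass condition; a UDP port 53 entry is a direct DNS lookup that bypassed the proxy.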