
Re: [tor-talk] orplug, an Android firewall with per-app Tor circuit isolation



On Sun, Feb 14, 2016, at 06:12 AM, Rusty Bird wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi coderman,
> 
> > with VPN approach you don't get to control traffic outside routed 
> > range, or before VPN activates, or fail-safe if it drops 
> > unexpectedly, or ...
> 
> I heard that Android VPNs can have some sort of fail-closed mode, does
> this apply to Orbot?

No. That only works for the built-in VPNs (PPTP, IPSec), and not for the
App/API-based VPNs.

> > note that a tor enforcing gateway approach is preferable to 
> > transparent proxy, security wise. e.g. corridor. i haven't seen
> > this applied to Android env, which might be interesting safety
> > buffer around Orweb&Orbot.
> 
> But the Android device isn't a gateway, unless you're tethering? If you
> mean only applications with native Tor support should be let through,
> that's the "access:fenced" option. Setting it up for all of the main
> device user account is literally that as one line, "access:fenced". Or
> for just a specific app, it's "access:fenced app:com.example.foo":

We could definitely implement this for the Orbot VPN via the tun2socks
code... essentially drop all traffic that is not connected to the local
Tor SOCKS or HTTP ports. We are also considering a Little Snitch-style
interactive mode that prompts the user based on hostnames and ports, to
approve each connection.

+n
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
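The "fenced" policy discussed above (let an app reach only the local Tor SOCKS and HTTP ports, drop everything else) is easiest to reason about as a per-UID OUTPUT chain. The following is an added illustration, not orplug's or Orbot's own code: it prints the iptables commands for one Android UID and models the same verdict in plain shell so the policy can be checked offline. The port numbers (9050 SOCKS, 8118 HTTP) and the app UID 10123 are assumptions; `-m owner --uid-owner` is the standard xt_owner match that Android firewalls rely on.

```shell
#!/bin/sh
# Added example (not from the thread, orplug or Orbot): "fenced" egress
# policy for a single Android app UID.
# Assumed values, not taken from the page:
TOR_SOCKS_PORT=9050      # Orbot-style local SOCKS port
TOR_HTTP_PORT=8118       # Orbot-style local HTTP proxy port
APP_UID=10123            # hypothetical UID of the fenced app

# Emit the iptables commands for the fence. They are printed, not executed,
# so this runs on any host; pipe into sh on the device as root to apply.
# Default is REJECT, so nothing leaks before or after Tor is up: a
# fail-closed rule set rather than a VPN that only covers routed ranges.
fenced_rules() {
  uid=$1
  cat <<EOF
iptables -N FENCE_$uid
iptables -A FENCE_$uid -o lo -p tcp -d 127.0.0.1 --dport $TOR_SOCKS_PORT -j ACCEPT
iptables -A FENCE_$uid -o lo -p tcp -d 127.0.0.1 --dport $TOR_HTTP_PORT -j ACCEPT
iptables -A FENCE_$uid -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT 1 -m owner --uid-owner $uid -j FENCE_$uid
EOF
}

# Pure-shell model of the verdict the chain above produces, so the policy
# can be exercised on constructed connection tuples without a kernel.
# usage: fenced_verdict <uid> <dst_ip> <proto> <dst_port>  -> ACCEPT|REJECT
fenced_verdict() {
  uid=$1; dst=$2; proto=$3; port=$4
  # Only the fenced UID hits the FENCE chain; other UIDs are untouched here.
  [ "$uid" = "$APP_UID" ] || { echo ACCEPT; return; }
  # Only TCP to loopback on the two Tor ports is allowed. UDP (e.g. plain
  # DNS to a resolver) and anything off-box is rejected, which is the point.
  if [ "$dst" = "127.0.0.1" ] && [ "$proto" = "tcp" ]; then
    case "$port" in
      "$TOR_SOCKS_PORT"|"$TOR_HTTP_PORT") echo ACCEPT; return ;;
    esac
  fi
  echo REJECT
}

# Stand-alone run: show the rules for the assumed UID.
fenced_rules "$APP_UID"
```

Two caveats a practitioner will hit: the rules above are IPv4 only, so the same chain has to be mirrored with ip6tables or the fenced app can still reach IPv6 destinations; and the owner match only sees locally generated packets in OUTPUT, so tethered or forwarded traffic is not covered by it.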