Thus spake Nathan Freitas (nathan@xxxxxxxxxxx):

> I mentioned this at the Tor Dev meeting, and now we have a build out.
> The big news is that you can use this on any Android device without
> root. Just install Orbot, connect to Tor, then install this, and you are
> ready to browse like an onion.
>
> The main issue we are concerned about tracking down is DNS leaks with
> how we are proxying. We have to use HTTP/S proxy support for now, but it
> does seem to be resolving names via Tor, since .onion addresses do work.
>
> From here, I'll be talking more with mikeperry about all of the possible
> things we can do to further lock down webkit, which is the basis for rweb.

Yeah, as a heads up to the community, the first tests that we need done
are to verify that intermediate cert download, HTTPS OCSP, DNS prefetch,
and FTP are all being properly proxied. There are known issues with the
Chrome proxy implementation that cause these items to bypass proxy
settings. It stands to reason that there is a risk for similar leaks on
the Android browser.

Some manual and/or stress testing over a wifi link + wireshark should be
sufficient here (though finding a page that sources ftp:// URLs may be
tricky. You probably will need to create that yourself).

--
Mike Perry
Mad Computer Scientist
fscked.org evil labs
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
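One way to triage the wifi capture described in the message above, as an added example that is not part of the original post: it flags every flow from the test handset that does not go to a Tor relay and labels it against the four checks named (intermediate cert download, OCSP, DNS prefetch, FTP). The flow-record format (`proto src dst dport`), the device address, and the relay list are constructed assumptions.

```python
# Added example: flag flows in a capture summary that bypassed Tor.
# All addresses and flow records below are constructed sample data.
from collections import Counter

DEVICE = "192.168.1.50"                    # handset under test (assumed)
TOR_RELAYS = {("198.51.100.7", 9001),      # relays the client is known to be using
              ("203.0.113.20", 443)}       # (assumed; supplied by the tester)

# Destination ports that map onto the checks named in the message.
LEAK_HINTS = {
    ("udp", 53): "DNS query (prefetch or resolver leak)",
    ("tcp", 53): "DNS query (prefetch or resolver leak)",
    ("tcp", 21): "FTP control connection",
    ("tcp", 80): "plain HTTP (candidate OCSP or intermediate cert fetch)",
}

# One record per flow: proto src dst dport (constructed).
SAMPLE_FLOWS = """\
tcp 192.168.1.50 198.51.100.7 9001
udp 192.168.1.50 192.168.1.1 53
tcp 192.168.1.50 192.0.2.80 80
tcp 192.168.1.50 203.0.113.20 443
tcp 192.168.1.50 192.0.2.21 21
tcp 192.168.1.77 192.0.2.80 80
"""

def find_leaks(flow_text, device=DEVICE, relays=TOR_RELAYS):
    """Return (proto, dst, dport, reason) for each device flow not sent to a Tor relay."""
    leaks = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue                        # skip blank or malformed records
        proto, src, dst, dport = parts[0].lower(), parts[1], parts[2], int(parts[3])
        if src != device:
            continue                        # traffic from other hosts on the link
        if proto == "tcp" and (dst, dport) in relays:
            continue                        # expected Tor traffic
        reason = LEAK_HINTS.get((proto, dport), "unclassified direct connection")
        leaks.append((proto, dst, dport, reason))
    return leaks

def summarize(leaks):
    """Count leaks per reason so repeated stress-test runs are easy to compare."""
    return Counter(reason for _, _, _, reason in leaks)

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_FLOWS):
        print("LEAK %s %s:%d  %s" % leak)
```

A port 80 hit only marks a candidate; confirming OCSP or an intermediate cert fetch still means inspecting the request in the capture itself.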