
Re: [tor-talk] Orweb v2 - now supports Android 2.x and 3.x

Thus spake Nathan Freitas (nathan@xxxxxxxxxxx):

> I mentioned this at the Tor Dev meeting, and now we have a build out.
> The big news is that you can use this on any Android device without
> root. Just install Orbot, connect to Tor, then install this, and you are
> ready to browse like an onion.
> The main issue we are concerned about tracking down is DNS leaks with
> how we are proxying. We have to use HTTP/S proxy support for now, but it
> does seem to be resolving names via Tor, since .onion addresses do work.
> From here, I'll be talking more with mikeperry about all of the possible
> things we can do to further lock down WebKit, which is the basis for Orweb.

Yeah, as a heads up to the community, the first tests that we need done
are to verify that intermediate cert download, HTTPS OCSP, DNS
prefetch, and FTP are all being properly proxied. There are known
issues with the Chrome proxy implementation that cause these items to
bypass proxy settings. It stands to reason that there is a risk for
similar leaks on the Android browser. 

Some manual and/or stress testing over a wifi link + wireshark should
be sufficient here (though finding a page that sources ftp:// urls may
be tricky. You probably will need to create that yourself).

Mike Perry
Mad Computer Scientist
fscked.org evil labs
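
One way to triage a capture from the wifi test described above, as an added example that is not part of the original message or of Orweb/Orbot: list every flow from the handset that does not go to a known Tor relay and tag it with the leak class it most resembles. Assumptions: the capture has been exported to CSV rows of protocol, destination IP and destination port, the tester supplies the set of relay addresses Orbot is using, and all addresses and names below are constructed.

```python
import csv
import io

# Constructed sample rows (documentation-range addresses), standing in for an
# export of the handset's outbound wifi traffic while browsing in Orweb.
SAMPLE_CAPTURE = """proto,dst_ip,dst_port
tcp,192.0.2.10,9001
tcp,192.0.2.10,9001
udp,198.51.100.53,53
tcp,203.0.113.7,80
tcp,203.0.113.21,21
tcp,192.0.2.44,443
tcp,203.0.113.9,443
"""

# Assumption: (ip, port) pairs of the relays Orbot is connected to,
# collected by the tester for this session.
TOR_RELAYS = {("192.0.2.10", 9001), ("192.0.2.44", 443)}

# Port-based hints for the leak classes named in the message. These are
# candidates to inspect in the capture, not proof of the cause.
LEAK_HINTS = {
    ("udp", 53): "DNS lookup outside Tor (e.g. DNS prefetch)",
    ("tcp", 53): "DNS lookup outside Tor (e.g. DNS prefetch)",
    ("tcp", 80): "cleartext HTTP (OCSP or intermediate cert fetch candidate)",
    ("tcp", 21): "FTP control connection",
}


def find_leaks(capture_text, tor_relays):
    """Return {(proto, ip, port): {"reason", "packets"}} for non-Tor flows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(capture_text)):
        proto = row["proto"].strip().lower()
        ip, port = row["dst_ip"].strip(), int(row["dst_port"])
        if (ip, port) in tor_relays:
            continue  # expected: traffic to a relay carries the proxied session
        reason = LEAK_HINTS.get((proto, port), "unclassified non-Tor flow")
        entry = findings.setdefault((proto, ip, port),
                                    {"reason": reason, "packets": 0})
        entry["packets"] += 1
    return findings


if __name__ == "__main__":
    for flow, info in sorted(find_leaks(SAMPLE_CAPTURE, TOR_RELAYS).items()):
        print(flow, info["packets"], info["reason"])
```

Flows tagged as unclassified (for example a direct connection on port 443, or FTP data ports) still need a manual look in the capture.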


tor-talk mailing list