[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] Using Tor as a library
Christopher Schmidt <christopher@xxxxxxxxxxxxxxxx> wrote:
>"Fabio Pietrosanti (naif)"
><lists-BEJ3GKOyH/EwUp2xcto6ig@xxxxxxxxxxxxxxxx> writes:
>> That's the future of Tor, to be integrated as a library just like an
>> encryption library into application.
>
>No, it's not. Embedding a Tor client in another application cripples
>auditability, configurability, updateability etc. of Tor. So does
>embedding a controller. Even worse, an application trying to outsmart
>the user by controlling Tor on its own poses a severe security risk.
>
>Other than an encryption library, there is no well-defined output to an
>input that a Tor library should produce.
>
>Tor is a vivid, organic ecosystem of different, replaceable projects
>that integrate into each other. Embedding a static subset of these in
>an application is wrong.
>
On Android, we have developed a library that allows a 3rd party developer's app to check if Orbot (and by extension Tor) is installed and running, and if either is false provides methods to prompt the user to resolve both false states. We also provide simple code for properly proxying app data through SOCKS.
Perhaps a similar approach could be taken for desktop and server apps that want to integrate with Tor?
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev