[guardian-dev] using K9 Mail

Rick Valenzuela lists at rickv.com
Fri May 11 06:12:38 EDT 2012


thanks for the quick reply, Nathan. in the meantime, I installed the
latest Orbot, and am basically following your setup of Orbot and TLS.
Top-posting this as it moots a lot of the extra things I was trying.

On 2012/05/09 4:27 PM, Nathan of Guardian wrote:
> Rick Valenzuela <lists at rickv.com> wrote:
>> My mildly technical assumption with this was that
>> I'd be covered with routing+anonymity as well as encryption. I 
>> would like to tunnel to a server I use in another country.
> 
> So you are tunneling SSH Droid through Tor via Orbot transproxying?

Er, I was trying to. My order of operations was to:
• turn on DroidWall, whitelisting only Orbot and SSHTunnel(beta)
• turn on wifi or data
-- this is where some experimenting differs: I believe keeping DroidWall
on worked fine under the last Orbot release, but now it simply won't.
But I was inconsistent with this. I also at times did not use both Orbot
and SSHTunnel at the same time. --
• turn on Orbot
• connect to SSH server

Well, this is what I was trying to do, but sometimes connections were
spotty.


>> I can connect with Orbot only, and in checking headers with
>> another account, it does seem that Orbot routes this. But
>> SSHTunnel(Beta) does not allow me; looking at K9 in folder view, I
>> see some error messages under each folder after it fails to poll.
> 
> Either the transproxy iptables rules from Orbot are getting flushed 
> by Droidwall or this is an issue with k9 being able to connect to 
> localhost with all of the various routing going on.
> 
> Have you tried our new 1.0.8 rc1 yet? It has a fix related to 
> localhost connections.

I did install 1.0.8 rc1, but after I posted this. Before reading your
message, I still was trying to use DroidWall, and noticed in those logs
that some Google Services Framework or Android processes were blocked,
but to localhost. Not sure if that's related. But regardless, this setup
seems to work OK.


> 
>> 
>> I emailed the devs from K9 and Kaiten about this, and I got this 
>> back: "Kaiten like K-9 Mail doesn't support using a proxy server. 
>> But you should still be able to use an SSH tunnel if you set up a 
>> local endpoint that will forward all connections to your mail 
>> server using SSH." Although, I'm not sure how to do this.
> 
> So what is your sshtunnel configuration set to now?

I was using the default settings in SSHTunnel(beta), if that helps; I'm
still figuring out what the local endpoint part is. The default is to
set up dynamic port forwarding on local port 1984.

But atm, I'm just using the new Orbot, without SSHTunnel or DroidWall.


> 
>> The K9 dev also gave a reminder/warning that Orbot would only 
>> provide anonymity, not encryption, which was the reason in the 
>> first place that I wanted to SSH tunnel to a SOCKS5 proxy. I do use
>> SSL/TLS with my email provider, so this may be redundant. I guess
>> that's why I'm asking for a 'best practices' suggestion here.
> 
> well you have TLS already from K9 to your mail server. Tor does 
> provide encryption from your device through to the tor exit node, 
> which is good enough for most looking to evade local network 
> surveillance or filtering. Adding the SSH tunnel will only assist in 
> thwarting malicious tor exit nodes, which do exist now and then. They
> would have to actively MITM your TLS connection, which k9 should
> notice if they provide a bogus cert.
> 
> If you feel you are at risk for this type of attack, I would perhaps 
> just run your own private Tor exit node on your box, and only allow 
> it access to the sites you want. Then you can configure that in the 
> Orbot preferences. You could also do this via a hidden service.
> 
> Adding SSH to the mix on your device just adds battery draining 
> process.

OK, my main goal is to evade local monitoring, so I do feel comfortable
enough with just Orbot and TLS. And definitely any setup that helps with
battery life.

Thanks!

Cheers,
Rick


--
Rick Valenzuela
photojournalist :: videojournalist
rick at rickv.com :: www.rickv.com

