[guardian-dev] Proposal for Secure Connection Notification on Android

Abel Luck abel at guardianproject.info
Thu Nov 15 10:50:31 EST 2012


Nathan of Guardian:
> Would appreciate feedback here, or on the blog post itself. (Hint: there
> are pretty pictures on the post!)
> 
> https://guardianproject.info/2012/11/15/proposal-for-secure-connection-notification-on-android/
> 
> ***
> 
> A major problem of mobile applications being increasingly used over
> web-based applications, is that there is no standard established for
> notifying the user of the state of security on the network connection.
> With a web browser, the evolution of the “lock” icon when an HTTPS
> connection is made, has been one that evolved originally out of
> Netscape’s first implementation, to an ad hoc, de facto industry-standard
> way of letting the user know if their connection is secure. Beyond just
> a binary on/off, the lock icon is also the entry point into viewing more
> information about the digital security tokens, keys and certificates
> that are powering the connection – who authorized them, who requested
> them, and so on. More recently, with browsers such as Chrome, there has
> been the use of color schemes (Green is good, Red is bad), verified
> domain display and other indicators to help ensure the user knows when
> to trust their connection, and when to be wary.
> 
> 
> Firefox’s HTTPS certificate display
> 
> While many people claim that HTTPS/TLS/SSL are fundamentally broken,
> they are still an essential piece of basic frontline security on the
> web. In addition, when making a connection through a proxy network like
> Tor or a free VPN service, utilizing TLS/SSL is critical in making sure
> your network is not being intercepted along the way. The notification
> icon and related certificate viewing, is a critical component for the
> user, and one that is entirely missing in the mobile application space.
> The Android API does not provide a standardized method to share this
> information with the user, and the implementation on iOS is unclear, as
> well. Even worse, the proper implementation of a strong HTTP/S
> connection that properly handles verification of certificates, and
> provides an interactive option for users to accept or decline is
> entirely missing for the majority of mobile apps.
> 
> With that in mind, we have added a Secure Connection Notification
> feature into our new OnionKit for Android library. Built upon our
> previous work on implementing custom Root CA Certificate stores for
> Android, this library not only provides a clear way to enable HTTP and
> SOCKS proxying for your network requests (to enable use with our app,
> Orbot: Tor for Android), but it also includes a StrongTrustManager and a
> StrongHTTPSClient implementation, that works to defend against
> man-in-the-middle attacks, and other means to intercept a TLS or SSL
> connection between a mobile app and a remote server. Part of the
> defense, is providing a clear indicator to the user when a secure
> connection is in use.
> 
> We have provided a sample Android app to demonstrate how simple it is to
> enable this capability. The screenshots below are from that app.
> 
> In this first screenshot, the app has connected to
> https://check.torproject.org and you can see in the Notification bar a
> “key” icon indicating there is a secure connection active.
> 
> 
> 
> When you drag the notification bar down, you can see a more complete
> view of the Secure Connection Notification (SCN) message, which
> indicates the connection is Active and shows a summary of the secure
> certificate information. In a recent update to the OnionKit SCN code, it
> also allows for the application to include its name and icon in this
> notification.
> 
> 
> 
> Finally, you can tap on the SCN notification and bring up a larger
> pop-over view of the certificate information. We intend to develop this
> view further, to allow for better manual management of trust – meaning
> you may have the option to accept/decline or disable trust of this
> certificate or the certificate authority that provides it.
> 
> 
> 
> Beyond “Active” messages, the notification system will also warn or
> block connections that are deemed risky, invalid or otherwise
> unverifiable. You can use OnionKit in concert with the
> MemorizingTrustManager to manually override this verification process,
> if your application is expected to often connect to servers with
> unverifiable certificates. Finally, using our CACert project, you can
> generate custom Root CA stores for use with OnionKit, that utilize your
> own certificate authorities, or a custom rolled set.
> 
> Our goal is not to overwhelm the user, but instead to provide them a
> simple notification so they can understand which applications have their
> best interests in mind, and which do not. It is amazing how many popular
> mobile apps transmit personal information using HTTP completely in plain
> text, in the clear, allowing any number of parties along the network
> path between the device and server to passively vacuum up this data.
> Users generally are not aware or do not care about this issue. It is up
> to the mobile application developer, to adopt an approach like our
> Secure Connection Notification, or to directly utilize our OnionKit
> library itself.
> 
> Finally, we would like to see Android and other mobile operating
> systems, adopt a system such as this device-wide, such that it becomes
> as standard as the desktop web browser HTTPS lock.
> 
> If you are a developer, please check out OnionKit for Android today, and
> let us know what you think: https://github.com/guardianproject/OnionKit/
> _______________________________________________
> Guardian-dev mailing list
> 
> Post: Guardian-dev at lists.mayfirst.org
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> 

First, awesome work :)

So, I'll ask the obvious question: what happens when multiple apps have
active secure connections?

    "Our goal is not to overwhelm the user..."

...could very well happen when every app (which is the goal!) has a
Secure connection notification.

I further posit that this notification will be useless to the majority
of users. Whether or not an app uses a secure connection, most
people will continue to use the app anyway.

The problem here is that the default state should be the secure state,
and a warning/notification only displayed if we're not in the secure
state. Of course, we can't go around adding warning notifications to all
insecure HTTP connections in every Android application, so we have to do
the opposite.

     "...so they can understand which applications have their
best interests in mind, and which do not."

But not all apps without the notification would fail that test.
I do think a TLS status notification is useful and important, but
your proposal is a hindrance to usability.

What if there was a supplemental app, OnionViewer, that one could
(optionally) install. The app would display all OnionKit connections in
one central location.

Devious idea: With root, OnionView could detect ALL apps' network
connections and display whether they use TLS or not. *evilgrin*

Loving all the Onionkit work. This is freaking bad ass stuff.

~abel
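As an added illustration of the mechanism the quoted post describes (a trust manager that verifies the server chain against an app-supplied Root CA store and then signals "secure connection active" to the app), here is a small delegating X509TrustManager. This is example code written for this thread, not OnionKit's StrongTrustManager or any other Guardian Project code; the class name ReportingTrustManager, the ConnectionStatusListener interface and the keystore parameters are assumptions. The listener is where an app would hook its status notification; the code itself does no UI work.

```java
// Added example, not OnionKit code: a delegating X509TrustManager that
// validates the server chain against an app-shipped CA store and reports
// the outcome to a listener an app can map to a status notification.
// Class and listener names are hypothetical.
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ReportingTrustManager implements X509TrustManager {

    /** Receives the verification outcome; an app would drive its notification from this. */
    public interface ConnectionStatusListener {
        void onSecureConnection(X509Certificate leaf, String authType);
        void onUntrustedConnection(X509Certificate leaf, CertificateException cause);
    }

    private final X509TrustManager delegate;
    private final ConnectionStatusListener listener;

    private ReportingTrustManager(X509TrustManager delegate, ConnectionStatusListener listener) {
        this.delegate = delegate;
        this.listener = listener;
    }

    /**
     * Builds a trust manager backed only by the CA certificates in the supplied
     * keystore (for example a BKS store shipped in the app's raw resources).
     * The platform store is deliberately not consulted, so the set of trusted
     * issuers is exactly what the app ships.
     */
    public static ReportingTrustManager fromKeyStore(InputStream storeBytes, String storeType,
                                                     char[] password,
                                                     ConnectionStatusListener listener)
            throws Exception {
        KeyStore store = KeyStore.getInstance(storeType);
        store.load(storeBytes, password);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new ReportingTrustManager((X509TrustManager) tm, listener);
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            CertificateException e = new CertificateException("empty server certificate chain");
            listener.onUntrustedConnection(null, e);
            throw e;
        }
        try {
            // Path validation (signatures, validity period, basic constraints)
            // is performed by the delegate against the custom CA store.
            delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            listener.onUntrustedConnection(chain[0], e);
            throw e;   // never swallow the failure: the handshake must abort
        }
        listener.onSecureConnection(chain[0], authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Wires the trust manager into an SSLContext for use with HttpsURLConnection. */
    public static SSLContext buildContext(ReportingTrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }
}
```

Two design points worth noting. An X509TrustManager never sees the hostname, so hostname matching must still happen in the HostnameVerifier that HttpsURLConnection applies after the handshake; a "secure" signal from this class means only that the chain validated against the shipped CAs. And the untrusted branch rethrows rather than returning, so reporting a bad certificate to the user can never turn into silently accepting it.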
