[guardian-dev] Proposal for Secure Connection Notification on Android

Abel Luck abel at guardianproject.info
Thu Nov 15 12:04:21 EST 2012


Nathan of Guardian:
> On 11/15/2012 09:20 PM, Abel Luck wrote:
>>     "Our goal is not to overwhelm the user..."
>> ..could very well happen when every app (which is the goal!) has a
>> Secure connection notification.
> 
> Yes. I think we have to figure out the best default here. The idea of
> only notifying on error/fail does make sense here. However, the way
> Android handles notifications is fairly subtle, and not generally
> overwhelming. Imagine one key icon in the notification area, that could
> bring up every active secure connection info. As new ones are initiated,
> perhaps the key would just have a subtle glow or animation. We aren't
> talking Windows Vista style popups here...
> 

This would only consolidate notifications within the same app, right?
AFAIK you can't combine notifications across apps.

>> I further posit that this notification will be useless to the majority
>> of users. Whether or not an app uses a secure connection or not, most
>> people will continue to use the app anyways.
> 
> Well, that is a larger discussion that I think is beyond the scope of
> what we are doing here. I can say though, that within the activist
> groups I work with and train, there is a growing awareness and attention
> paid to HTTPS in the browser. In addition, there was a successful
> Twitter campaign that lobbied WhatsApp to switch to HTTPS always, by a
> lot of normal people. We can't give up on the normal humanoids... not yet!
> 

Agreed :) I think my point still stands, but education is a must and
access to this information is also a must. This proposal is definitely a
huge step in the right direction.

I'm more concerned about an explosion of notifications..


>>      "...so they can understand which applications have their
>> best interests in mind, and which do not."
>> But not all apps without the notification would fail that test.
>> I do think a TLS status notification is useful and important, but in
>> your proposal it is a hindrance to usability.
> 
> I see the adoption of OnionKit or our style of secure notifier is a
> tangible way of an app telling the user they care about their network
> security, and will provide them a way to verify that through a TLS/SSL
> certificate. This is the current baseline assessment again that we use
> about which apps are "safe" or not for mass use by activists in high
> surveillance countries... 1) are the servers in the country? and 2) if
> NO to #1, do they offer strong HTTPS? If both are true, then the
> service has passed the first sniff test.
> 
>> What if there was a supplemental app, OnionViewer, that one could
>> (optionally) install. The app would display all OnionKit connections in
>> one central location.
>> Devious idea: With root, OnionView could detect ALL apps' network
>> connections and display whether they use TLS or not. *evilgrin*
> 
> Actually, you don't need root at all for this. You can run "netstat" and
> see a list of what sockets are open to remote IPs with port 80, etc,
> then reverse engineer that list to find the local app via the local port
> id/file descriptor, and/or use the remote IP via DNS or whois lookup to
> tell the user "There is an insecure connection being made to WeChat's
> servers in Shanghai RIGHT NOW!".

Interesting! So, do you think the idea is viable / useful? Even if it
doesn't do the netstat stuff, and only consolidates OnionKit
connections.. that should be easy to implement with content providers, no?

> 
> 
>> Loving all the OnionKit work. This is freaking bad ass stuff.
> 
> Thanks for the feedback! Now go build an app with it.
> 
Hmm.. or submit patches to existing apps..

~abel
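
The rootless audit discussed in the thread (list sockets netstat-style, pick out remote port 80, map each back to the local app) can be sketched as follows. This is an added example, not part of the original message and not OnionKit code. It assumes the process can read a /proc/net/tcp style table (the kernel table netstat reads on Linux/Android) and that UIDs map to packages; the table contents, addresses and package names below are constructed.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout; addresses are documentation ranges.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0F02000A:A1B2 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000 10071        0 1002
   2: 0F02000A:C3D4 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10072        0 1003
   3: 0F02000A:E5F6 0100007F:0050 01 00000000:00000000 00:00000000 00000000 10073        0 1004
"""

# Hypothetical UID-to-package map; on a device this would come from the package manager.
UID_TO_APP = {10071: "com.example.chat", 10072: "com.example.mail"}

ESTABLISHED = "01"       # TCP state code used in /proc/net/tcp
CLEARTEXT_PORTS = {80}   # port 80 as the "insecure" signal, as in the thread


def decode_endpoint(field):
    """Decode 'HEXIP:HEXPORT' (IPv4, little-endian hosts such as ARM/x86)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def cleartext_connections(table, uid_to_app):
    """Return established connections to a cleartext port, attributed by UID.

    Port-based only: it cannot prove that a port-443 socket really speaks TLS.
    """
    findings = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != ESTABLISHED:
            continue                             # listeners, closing sockets
        _, local_port = decode_endpoint(cols[1])
        remote_ip, remote_port = decode_endpoint(cols[2])
        if remote_port not in CLEARTEXT_PORTS or remote_ip.startswith("127."):
            continue                             # ignore loopback traffic
        uid = int(cols[7])
        findings.append({
            "app": uid_to_app.get(uid, f"uid {uid}"),
            "remote": f"{remote_ip}:{remote_port}",
            "local_port": local_port,
        })
    return findings


if __name__ == "__main__":
    for f in cleartext_connections(SAMPLE_PROC_NET_TCP, UID_TO_APP):
        print(f"{f['app']}: cleartext connection to {f['remote']}")
```
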
