[guardian-dev] Manage Orbot from external app: Tor admin?

Cédric Jeanneret guardian at ethack.org
Mon Aug 11 11:45:27 EDT 2014


On August 11, 2014 3:41:41 PM CEST, Nathan of Guardian <nathan at guardianproject.info> wrote:
>
>On 08/11/2014 03:01 AM, Cédric Jeanneret wrote:
>> Hello,
>> 
>> Currently working on orwall[1], a user submitted an interesting issue[2].
>> 
>> First, I thought "I'll need some lib [netCipher?] to be able to manage
>> Tor via some Orbot Intent", but now I'm just realizing there's the Tor
>> Admin port we may use as well…
>
>What are the specific settings you want to control in Orbot? At some
>point, it seems like you are taking on more and more of the Orbot app's
>features and functions, and so perhaps you should submit patches to us,
>instead of adding more features into Orwall.

The aim was to be able to create new TransPorts, SOCKS ports or DNSProxies. But this seems to be useless given your other answers.

>
>> ° I didn't see any password regarding Tor Admin Port — is that correct?
>> As it's a local port, does it mean any app knowing how to talk "Tor"
>> may connect and send commands in order to configure stuff?
>
>Any app may connect, but the control port is protected by a file cookie
>value that only Orbot has access to read. We could use the password
>option in Orbot instead, but that would require a config change.

Good news, I was a bit surprised. The commented method generating the password is a bit misleading, and I didn't dig further.

>
>> ° Is it a good idea to send management/configuration commands through
>> this port from an external app?
>
>Not really. Orbot is meant to be the controller, and protect the state
>of the Tor instance.

Right, I'm completely OK with that statement, especially if there's a way to send orders to Orbot.

>
>> ° more related to the issue itself: is it possible to set up multiple
>> DNSproxy and TransProxy in tor (seems it is the case)? Will the circuits
>> be different for each opened port? If not, any reason?
>
>If you are connecting to the SOCKS port, then you can force creation of
>a new circuit for each connection by sending a random user/password
>combo as part of the SOCKS authentication. Orbot can also send a
>"NEWNYM" command to the control port to force the creation of new
>circuits. We could open this up as part of the Intent API that netcipher
>uses. Creating multiple ports to achieve the same thing isn't the best
>approach.

Oh?? Great! Meaning I may use netcipher in order to create "bridges" for non-SOCKS-aware apps with some random credentials as well? Pretty sure this will be "the" way to go in order to get a sort of per-app circuit…

It would be great if the "NEWNYM" could be part of the intent, as this would also allow other apps to get the "torbutton" action "create new identity" (or something like that).

Thanks a lot for your answers. Just to know, is there any ETA for the Orbot intent availability? Any dev branch I may use in order to do some tests on my side so that I can help you (a bit, my level is "beginner")?

Cheers,

C.

>
>> ° Regarding Admin password: if no password is set, it may be a security
>> issue. If there's a password, is it hard-coded somewhere? If so, it
>> would be better to allow the user to set it in Orbot settings I think.
>> This would allow him to set it in orwall in case he wants the app to
>> manage some dedicated streams.
>
>It is not hardcoded, it uses the file cookie option:
>
>Please review the control port protocol spec here:
>https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=control-spec.txt
>
>and the CookieAuthentication info in the TORRC manual:
>https://www.torproject.org/docs/tor-manual.html.en
>
>> 
>> Thanks in advance for your valuable feedback/ideas/remarks/answers!
>> 
>> Cheers,
>> 
>> C.
>> 
>> 
>> [1] https://github.com/EthACKdotOrg/orWall
>> [2] https://github.com/EthACKdotOrg/orWall/issues/20
>> _______________________________________________
>> Guardian-dev mailing list
>> 
>> Post: Guardian-dev at lists.mayfirst.org
>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>> 
>> To Unsubscribe
>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>         Or visit:
>https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info
>> 
>> You are subscribed as: nathan at guardianproject.info
>> 
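The per-connection isolation Nathan describes (a random user/password pair in the SOCKS5 handshake so that Tor puts the stream on its own circuit) is shown below as an added example. It is not code from this thread, from Orbot, orWall or netcipher; it builds the RFC 1928/1929 messages a SOCKS-aware client sends, and, so that it runs offline, talks to a constructed in-memory stand-in (`TorSocksStub`) for Tor's SocksPort that merely records which credential pair it would use as the isolation key. Tor's `IsolateSOCKSAuth` is on by default, which is why differing credentials yield different circuits; the stub does not model circuits, only the key.

```python
"""Added example: SOCKS5 username/password isolation against a constructed Tor stub."""
import secrets
import struct

SOCKS_VERSION = 0x05
AUTH_USERPASS = 0x02      # RFC 1929 username/password sub-negotiation
USERPASS_VERSION = 0x01
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03


def isolated_credentials(nbytes=16):
    """Fresh random user/password pair. Tor does not check them; it only uses
    the pair as a stream-isolation key, so never reuse a pair across sessions."""
    return secrets.token_hex(nbytes), secrets.token_hex(nbytes)


def build_greeting():
    """VER, NMETHODS, METHODS: offer username/password only."""
    return bytes([SOCKS_VERSION, 1, AUTH_USERPASS])


def build_userpass(user, password):
    """RFC 1929 request: VER, ULEN, UNAME, PLEN, PASSWD (each field 1..255 bytes)."""
    u, p = user.encode(), password.encode()
    if not (0 < len(u) <= 255 and 0 < len(p) <= 255):
        raise ValueError("username and password must be 1..255 bytes")
    return bytes([USERPASS_VERSION, len(u)]) + u + bytes([len(p)]) + p


def build_connect(host, port):
    """SOCKS5 CONNECT with a domain-name ATYP, so Tor resolves the name (no local DNS leak)."""
    h = host.encode("idna")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(sock, host, port, user, password):
    """Run the full SOCKS5 handshake on a connected socket-like object.
    Returns True once the proxy reports the CONNECT succeeded; raises otherwise."""
    sock.sendall(build_greeting())
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != AUTH_USERPASS:
        raise ConnectionError("proxy refused username/password authentication")
    sock.sendall(build_userpass(user, password))
    ver, status = _recv_exact(sock, 2)
    if ver != USERPASS_VERSION or status != 0x00:
        raise ConnectionError("SOCKS authentication failed")
    sock.sendall(build_connect(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VERSION or rep != 0x00:
        raise ConnectionError(f"SOCKS CONNECT failed, reply code {rep}")
    # Drain BND.ADDR and BND.PORT so the caller is positioned at the payload stream.
    if atyp == 0x01:
        _recv_exact(sock, 4)
    elif atyp == 0x04:
        _recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    else:
        raise ConnectionError("unknown address type in reply")
    _recv_exact(sock, 2)
    return True


class TorSocksStub:
    """Constructed stand-in for Tor's SocksPort: answers the handshake in memory
    and records the credential pair a real Tor would use as the isolation key."""

    def __init__(self):
        self._out = b""
        self._stage = "greeting"
        self.isolation_key = None

    def sendall(self, data):
        if self._stage == "greeting":
            methods = data[2:2 + data[1]]
            chosen = AUTH_USERPASS if AUTH_USERPASS in methods else 0xFF
            self._out += bytes([SOCKS_VERSION, chosen])
            self._stage = "auth"
        elif self._stage == "auth":
            ulen = data[1]
            user = data[2:2 + ulen].decode()
            plen = data[2 + ulen]
            password = data[3 + ulen:3 + ulen + plen].decode()
            self.isolation_key = (user, password)
            self._out += bytes([USERPASS_VERSION, 0x00])
            self._stage = "connect"
        else:
            # Tor answers CONNECT with BND.ADDR 0.0.0.0 and BND.PORT 0.
            self._out += bytes([SOCKS_VERSION, 0x00, 0x00, 0x01]) + bytes(6)

    def recv(self, n):
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk


def run_isolated_sessions(count=2, host="example.com", port=443):
    """Open `count` sessions, each with fresh credentials; return the keys Tor would isolate on."""
    keys = []
    for _ in range(count):
        stub = TorSocksStub()
        user, password = isolated_credentials()
        socks5_connect(stub, host, port, user, password)
        keys.append(stub.isolation_key)
    return keys


if __name__ == "__main__":
    keys = run_isolated_sessions()
    print("distinct isolation keys:", len(set(keys)) == len(keys))
```

To use it against a real Orbot, connect a plain `socket.socket` to Orbot's SocksPort and pass it to `socks5_connect` in place of the stub; one credential pair per logical session gives that session its own circuit, while reusing a pair lets unrelated streams share one, which is the linkability the random credentials are meant to avoid.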