[guardian-dev] Manage Orbot from external app: Tor admin?

Cedric Jeanneret guardian at ethack.org
Thu Aug 14 14:26:07 EDT 2014

On 08/14/2014 06:07 PM, Hans-Christoph Steiner wrote:
> Cédric Jeanneret wrote:
>> On August 11, 2014 3:41:41 PM CEST, Nathan of Guardian <nathan at guardianproject.info> wrote:
>>> On 08/11/2014 03:01 AM, Cédric Jeanneret wrote:
>>>> Hello,
>>>> Currently working on orwall[1], a user submitted an interesting issue[2].
>>>> First, I thought "I'll need some lib [netCipher?] to be able to manage
>>>> Tor via some Orbot Intent", but now I'm just realizing there's the Tor
>>>> Admin port we may use as well…
>>> What are the specific settings you want to control in Orbot? At some
>>> point, it seems like you are taking on more and more of the Orbot apps
>>> features and functions, and so perhaps you should submit patches to us,
>>> instead of adding more features into Orwall.
>> Aim was to be able to create new transPort or SOCKS or DNSProxies. But this seems to be useless seeing your other answers.
>>>> ° I didn't see any password regarding Tor Admin Port — is that correct?
>>>> As it's a local port, does it mean any app knowing how to talk "Tor" may
>>>> connect and send commands in order to configure stuff?
>>> Any app may connect, but the control port is protected by a file cookie
>>> value, that only Orbot has access to read. We could use the password
>>> option in Orbot instead, but that would require a config change.
>> Good news, I was a bit surprised. The commented method generating password is a bit misleading, and I didn't dig further.
>>>> ° Is it a good idea to send management/configuration commands through
>>>> this port from an external app?
>>> Not really. Orbot is meant to be the controller, and protect the state
>>> of the Tor instance.
>> Right. Completely OK with that statement. Especially if there's a way to order stuff to orbot.
>>>> ° more related to the issue itself: is it possible to set up multiple
>>>> DNSproxy and TransProxy in tor (seems it is the case)? Will the circuits
>>>> be different for each opened port? If not, any reason?
>>> If you are connecting to the SOCKS port, then you can force creation of
>>> a new circuit for each connection by sending a random user/password
>>> combo as part of the SOCKs authentication. Orbot can also send a
>>> "NEWNYM" command to the control port to force the creation of new
>>> circuits. We could open this up as part of the Intent API that netcipher
>>> users. Creating multiple ports to achieve the same thing isn't the best
>>> approach.
>> Oh?? Great! Meaning I may use netcipher in order to create "bridges" for non-SOCKS-aware apps with some random credentials as well? Pretty sure this will be "the" way to go in order to get sort of per-app circuit…
>> It would be great if the "NEWNYM" could be part of the intent, as this would also allow other apps to get the "torbutton" action "create new identity" (or something like that).
>> Thanks a lot for your answers. Just to know, any ETA for the orbot intent availability? Any dev-branch I may use in order to do some tests on my side so that I can help you (a bit, my level is "beginner") ?
>> Cheers,
> Just wanted to say quickly that it is great that you are making this app!  I
> think your approach has a lot of promise for thinking about the future of Tor
> and related stuff on Android.

Thanks for your support :). That makes me happy, really. Orwall was just
an idea.
Now it can be part of something bigger, and that's really great.

> About Intents that control Tor, that is something that we need to do
> carefully, since we don't want to open up vulnerabilities.  For example, it is
> not entirely clear what are the security risks of allowing NEWNYM or even
> starting tor by Intent.
> .hc

Well, Intent may require an authorization (like registration) from the
external app.
I explained a bit in the opened issue on orwall what would be "good".

Fact is, allowing, through the Intent, to add new configuration snippets
isn't bad, as Orbot will be able to filter good/bad stuff.
It may be interesting to trigger different warning messages depending on
the action we're wanting to do:

° add a new DNSProxy: not a huge security problem, just ask "do you
accept … ?"

° NEWNYM: if this may create problems (I don't see what, but I'm not a
"Tor internal guy", just a simple user), another warning type may be
used, why not with a link to the documentation

° … and so on

OK, this will be complicated. This will take time, a lot of time. But
doing it this way, carefully, action by action, should prevent most of
the problems.

It would require taking, config key by config key, each possible
action, filtering them, ensuring the syntax is correct, ensuring it won't
break the service, ensuring it won't leak data. This last point will most
probably be the most difficult. Especially when we want to add a ton of
configuration in Tor.

As also said, in my case, orwall needs only 1-2 actions, basically
add/remove DNSProxy ports, SOCKS ports and TransPorts (SOCKS isn't
mandatory, as we can "fake" using random authentication, thus playing
around with netCipher in order to do some smart proxy asking new
circuits for each app).

I understand adding a new Intent, allowing external, potentially bad
apps to play with Tor configuration is a threat. That's the price, I
guess, in order to get some other possibilities for Orbot usage.

All will be about communication, explanation of the potential problems
if a user allows something and so on. And, well, trust. We (users) will
need to trust third-party apps playing with Orbot, thus Tor. Thus playing
with our security.

Orwall has some needs — if they cannot be met, well, I'll find other
ways, like netCipher proxying, though it won't be as easy, as smart and
as clean as Orbot Intent ;).

Just for information: I've a similar request regarding i2p support in
Tor, and there's currently a client library being developed. It should
provide the same kind of stuff I'm asking from Orbot. That will make
orwall a pretty nice app, supporting what I consider the two "main onion
router systems" :).

By the way: I'm not a power-android-dev, but if I can help, just let me
know. I can learn and, who knows, have some ideas ;).



>> C.
>>>> ° Regarding Admin password: if no password is set, it may be a security
>>>> issue. If there's a password, is it hard-coded somewhere? If so, it
>>>> would be better to allow the user to set it in Orbot settings I think.
>>>> This would allow him to set it in orwall in case he wants the app to
>>>> manage some dedicated streams.
>>> It is not hardcoded, it uses the file cookie option:
>>> Please review the control port protocol spec here:
>>> https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=control-spec.txt
>>> and the CookieAuthentication info in the TORRC manual:
>>> https://www.torproject.org/docs/tor-manual.html.en
>>>> Thanks in advance for your valuable feedback/ideas/remarks/answers!
>>>> Cheers,
>>>> C.
>>>> [1] https://github.com/EthACKdotOrg/orWall
>>>> [2] https://github.com/EthACKdotOrg/orWall/issues/20
>>>> _______________________________________________
>>>> Guardian-dev mailing list
>>>> Post: Guardian-dev at lists.mayfirst.org
>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>> To Unsubscribe
>>>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>         Or visit:
>>> https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info
>>>> You are subscribed as: nathan at guardianproject.info
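
The action-by-action filtering proposed in this message, as an added example that is not code from Orbot or orWall. The action names, the decision tiers and the unprivileged-port rule are assumptions made for illustration; only the torrc options DNSPort, TransPort and SocksPort and the control command SIGNAL NEWNYM are real.

```python
import ipaddress
import re

# Hypothetical Intent action names mapped to the real torrc option they add.
PORT_ACTIONS = {
    "ADD_DNSPORT": "DNSPort",
    "ADD_TRANSPORT": "TransPort",
    "ADD_SOCKSPORT": "SocksPort",
}

# Accept only "[IPv4:]port"; fullmatch() leaves no room for a newline that
# would smuggle a second option into the generated configuration.
_PORT_VALUE = re.compile(r"(?:([0-9]{1,3}(?:\.[0-9]{1,3}){3}):)?([0-9]{1,5})")


def review_request(action, value=""):
    """Return (decision, detail); decision is 'reject', 'confirm' or 'warn'."""
    if action == "NEWNYM":
        if value:
            return ("reject", "NEWNYM takes no argument")
        # The thread leaves the risk of NEWNYM open, so it gets the
        # stronger prompt tier instead of a plain confirmation.
        return ("warn", "SIGNAL NEWNYM")

    option = PORT_ACTIONS.get(action)
    if option is None:
        return ("reject", "action not on the allowlist")

    match = _PORT_VALUE.fullmatch(value)
    if match is None:
        return ("reject", "value must be [IPv4:]port")

    host = match.group(1) or "127.0.0.1"
    port = int(match.group(2))
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return ("reject", "invalid address")

    # A listener reachable from other hosts would leak the proxy.
    if not addr.is_loopback:
        return ("reject", "listener must bind to loopback")
    # Assumption: the Tor process is unprivileged, so low ports are refused.
    if not 1024 <= port <= 65535:
        return ("reject", "port outside 1024-65535")

    # Emit a normalised line built from parsed fields, never the raw input.
    return ("confirm", f"{option} {addr}:{port}")
```
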
