[guardian-dev] Manage Orbot from external app: Tor admin?

Hans-Christoph Steiner hans at guardianproject.info
Thu Aug 14 21:41:39 EDT 2014



Cedric Jeanneret wrote:
> 
> 
> On 08/14/2014 06:07 PM, Hans-Christoph Steiner wrote:
>>
>>
>> Cédric Jeanneret wrote:
>>> On August 11, 2014 3:41:41 PM CEST, Nathan of Guardian <nathan at guardianproject.info> wrote:
>>>>
>>>>
>>>> On 08/11/2014 03:01 AM, Cédric Jeanneret wrote:
>>>>> Hello,
>>>>>
>>>>> Currently working on orwall[1], a user submitted an interesting
>>>> issue[2].
>>>>>
>>>>> First, I thought "I'll need some lib [netCipher?] to be able to
>>>> manage
>>>>> Tor via some Orbot Intent", but now I'm just realizing there's the
>>>> Tor
>>>>> Admin port we may use as well…
>>>>
>>>> What are the specific settings you want to control in Orbot? At some
>>>> point, it seems like you are taking on more and more of the Orbot apps
>>>> features and functions, and so perhaps you should submit patches to us,
>>>> instead of adding more features into Orwall.
>>>
>>> Aim was to be able to create new transPort or SOCKS or DNSProxies. But this seems to be useless seeing your other answers.
>>>
>>>>
>>>>> ° I didn't see any password regarding Tor Admin Port — is that
>>>> correct?
>>>>> As it's a local port, does it mean any app knowing how to talk "Tor"
>>>> may
>>>>> connect and send commands in order to configure stuff?
>>>>
>>>> Any app may connect, but the control port is protected by a file cookie
>>>> value, that only Orbot has access to read. We could use the password
>>>> option in Orbot instead, but that would require a config change.
>>>
>>> Good news, I was a bit surprised. The commented method generating password is a bit misleading, and I didn't dig further.
>>>
>>>>
>>>>> ° Is it a good idea to send management/configuration commands through
>>>>> this port from an external app?
>>>>
>>>> Not really. Orbot is meant to be the controller, and protect the state
>>>> of the Tor instance.
>>>
>>> Right. Completely OK with that statement. Especially if there's a way to order stuff to orbot.
>>>
>>>>
>>>>> ° more related to the issue itself: is it possible to set up multiple
>>>>> DNSproxy and TransProxy in tor (seems it is the case)? Will the
>>>> circuits
>>>>> be different for each opened port? If not, any reason?
>>>>
>>>> If you are connecting to the SOCKS port, then you can force creation of
>>>> a new circuit for each connection by sending a random user/password
>>>> combo as part of the SOCKs authentication. Orbot can also send a
>>>> "NEWNYM" command to the control port to force the creation of new
>>>> circuits. We could open this up as part of the Intent API that
>>>> netcipher
>>>> users. Creating multiple ports to achieve the same thing isn't the best
>>>> approach.
>>>
>>> Oh?? Great! Meaning I may use netcipher in order to create "bridges" for non-SOCKS-aware app with some random credentials as well? Pretty sure this will be "the" way to go in order to get sort of per-app circuit…
>>>
>>> It would be great if the "NEWNYM" could be part of the intent, as this would also allow other app to get the "torbutton" action "create new identity" (or something lime that).
>>>
>>> Thanks a lot for your answers. Just to know, any ETA for the orbot intent availability? Any dev-branch I may use in order to do some tests on my side so that I can help you (a bit, my level is "beginner") ?
>>>
>>> Cheers,
>>
>>
>> Just wanted to say quickly that it is great that you are making this app!  I
>> think your approach has a lot of promise for thinking about the future of Tor
>> and related stuff on Android.
> 
> Thanks for your support :). That makes me happy, really. Orwall was just
> an idea.
> Now it can be part of something bigger, and that's really great.
> 
>>
>> About Intents that control Tor, that is something that we need to do
>> carefully, since we don't want to open up vulnerabilities.  For example, it is
>> not entirely clear what are the security risks of allowing NEWNYM or even
>> starting tor by Intent.
>>
>> .hc
> 
> Well, Intent may require an authorization (like registration) from the
> external app.
> I explained a bit in the opened issue on orwall what would be "good".
> 
> Fact is, allowing, through the Intent, to add new configuration snippets
> isn't bad, as Orbot will be able to filter good/bad stuff.
> It may be interesting to trigger different warning messages depending on
> the action we're wanting to do:
> 
> ° add a new DNSProxy: not a huge security problem, just ask "do you
> accept … ?"
> 
> ° NEWNYM: if this may create problems (I don't see what, but I'm not a
> "Tor internal guy", just a simple user), another warning type may be
> used, why not with a link to the documentation
> 
> ° … and so on
> 
> OK, this will be complicated. This will take time, a lot of time. But
> doing it this way, carefully, action by action, should prevent most of
> the problems.
> 
> It would require to take, config key by config key, each possible
> action, filter them, ensure syntax is correct, ensure it won't break the
> service, ensure it won't leak data. This latest point will most probably
> be the most difficult. Especially when we want to add a ton of
> configuration in Tor.
> 
> As also said, in my case, orwall needs only 1-2 actions, basically
> add/remove DNSProxy ports, SOCKS ports and TransPorts (SOCKS isn't
> mandatory, as we can "fake" using random authentication, thus playing
> around with netCipher in order to do some smart proxy asking new
> circuits for each app).
> 
> I understand adding a new Intent, allowing external, potentially bad
> apps to play with Tor configuration is a threat. That's the price, I
> guess, in order to get some other possibilities for Orbot usage.
> 
> All will be about communication, explanation of the potentials problems
> if a user allows something and so on. And, well, trust. We (user) will
> need to trust third-party app playing with Orbot, thus Tor. Thus playing
> with our security.
> 
> Orwall has some needs — if they cannot be met, well, I'll find other
> ways, like netCipher proxying, though it won't be as easy, as smart and
> as clean as Orbot Intent ;).

I'm not sure of the exact details here, but I can see a reason why you'd need
to have multiple DNSProxy, SOCKs, etc. ports.


> Just for information: I've a similar request regarding i2p support in
> Tor, and there's currently a client library being developed. It should
> provide the same kind of stuff I'm asking from Orbot. That will make
> orwall a pretty nice app, supporting what I consider the two "main onion
> router systems" :).
> 
> By the way: I'm not a power-android-dev, but if I can help, just let me
> know. I can learn and, who knows, have some ideas ;).
> 
> Cheers,
> 
> C.


It would be great to support as many tools like this as possible, including of
course i2p.

.hc



-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81


More information about the Guardian-dev mailing list