[guardian-dev] Orbot v15 alpha 4

Hans-Christoph Steiner hans at guardianproject.info
Tue Feb 24 05:08:49 EST 2015


Looks like lots of interesting stuff in there.  I think you also left out that
there is a basic browser included now in Orbot.  I'm wondering what the
security ramifications of that might be.  I don't really know much about the
Android WebView, but I've looked into Heartbleed issues quite a bit, and one
related thing that I learned from GnuPG v2.1 and gpgme is that key pieces of
security infrastructure should be well separated from everything else.  In
gpgme, it is a library that wraps the GnuPG command line tools, so that the
app using gpgme does not share the same memory space as the GnuPG command line
tools, which are working directly with the private key material.

So extrapolating from that and thinking about Orbot with embedded WebView, are
there attacks made possible by embedding WebView into the same app as Tor?  Is
there a good way to fully isolate the embedded WebView?  My guess is that
there are attacks made possible by this architecture, and that it would be
difficult to keep the WebView stuff separate from the code that controls Tor.

.hc

Nathan of Guardian:
> 
> More progress on better bridge support and "full device" VPN mode... and
> a bit of a UI update, too!
> 
> APK: https://guardianproject.info/releases/Orbot-v15.0.0-ALPHA-4.apk
> ASC: https://guardianproject.info/releases/Orbot-v15.0.0-ALPHA-4.apk.asc
> 
> On the bridge front, we now support QR code scanning, since the
> https://bridges.torproject.org/ site now displays bridge info as QR
> codes optionally. You can also display your current bridge config as a
> QR code, so that your friends can easily scan/set it up for themselves.
> 
> To use the "Meek" bridge, you just turn on bridges w/o having any config
> (press the new [BRIDGE] button on the main screen), and it will use the
> Meek Azure bridge by default. If you set the config info to 1 you can
> use the Google Cloud bridge, 2 = Azure and 3 = Amazon AWS. If you want
> to learn more about why you would send your Tor traffic through Google,
> Microsoft or Amazon, read here:
> https://trac.torproject.org/projects/tor/wiki/doc/meek
> 
> Finally, the VPN mode is working well, but you can't use bridges with
> VPN mode together yet... still trying to make that work smoothly.
> 
> *****
> 
> * Better Bridge Support
> fb9a6c9 support for sharing/display bridge config as QR code this is
> needed for sharing of bridge data between people in the same phy
> 068cd05 more bridge and proxy configuration clean up
> 31053ad add support for scanning QR codes for bridges
> f22978e update pluto
> bff6d0f add support for meek PT
> 266c297 update to latest pluto for meek-client
> 22e75a3 update pluto to latest
> 431dff5 remove integrated pluto code
> 
> * Full Device VPN Mode
> dd09c6b tuning boot code to work with VPN
> b2ec768 more work to get bridge VPN mode to work
> f2490d9 handle all exceptions in socks proxy
> 9c77526 move HTTP VPN bypass proxy to 9998
> 096eae7 implementing http server for meek-client VPN bypass
> 1e5651e improve VPN clean-up code
> a2662c3 improve VPN activation
> c220ec9 re-enable DNS settings after you start Tor
> 6832363 use IP instead of "localhost" name
> 7f42265 launch the internal or system browser depending upon VPN mode
> 1852cde enable local DNS listen on 10.0.0.1 for VPN service also add
> support for stopping VPNBuilder instance
> ec4350e update VPN to toggle button
> 9467d7d clean VPN proxy settings before startup
> d63d10d massive cleanup of merged code from Ony fork removal/comment out
> of LoggerFactory log system
> a78e458 Merge branch 'ony-dev' into v15-dev
> 5c80572 Merge branch 'master' of https://github.com/SuppSandroB/Ony into
> ony-dev
> 4c49822 clarify vpnprotect code and add basic debug log
> 1464901 added badvpn as local folder
> 72a0173 delete as it should not be as subproject
> 90db557 clone of badvpn for dns fix
> 1472b4e some missing files added to git repo
> 08c220f clean up VPNBuilder setup code
> 91a72ef add in basic debug output
> fb3e27b more clean-up of VPN service code
> 
> * Integrated Orweb simple browser
> 5a8aa88 add new gitmodules for orweb and pluto support
> 40b8f48 set to lib_orweb branch
> 

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81