[guardian-dev] NetCipher interface for anonymity configurations
Hans-Christoph Steiner
hans at guardianproject.info
Sun Nov 13 17:02:52 EST 2016
Tom Ritter:
> On 13 November 2016 at 03:22, Hans-Christoph Steiner
> <hans at guardianproject.info> wrote:
>>
>> Tor Browser includes lots of changes beyond just forcing all network
>> traffic over Tor. There are many little details in how apps use the
>> network that can leak identity info that are ameliorated in Tor Browser.
>> I think we should aim to make NetCipher the canonical collection of
>> these config for Android apps.
>>
>> For example:
>>
>> * TLS Session Identifiers/Tickets
>> * detailed info in HTTP User Agent
>> * HTTP ETag
>>
>> The only question for me is how best to expose this stuff to the
>> developer using the NetCipher library. We should make NetCipher include
>> all protections by default, so it does the right thing for anonymity
>> without special setups. Otherwise it is too easy to mess up and leak
>> private info. But since some of these things provide substantial speed
>> improvements, we need to provide a way to disable them.
>>
>> One idea would be to tell devs to use plain networking when going direct
>> and not through Tor. Another would be to have methods to disable
>> specific settings. I'm hoping to open up the discussion to hear other ideas.
>
> When you consider app or device UUIDs, local or public IP addresses,
> user account information, contact lists, photos.... how far are you
> willing to go? How far do you want to go?
>
> -tom
Well, this is an HTTP/TLS library, so really it's only about settings
around HTTP and TLS.
.hc
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
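
One way to express the "all protections on by default, with methods to disable specific settings" option raised in this thread, as an added example that is not part of the original messages or NetCipher's code. `AnonymityPolicy` and its methods are hypothetical names; only standard `java.net` and `javax.net.ssl` calls are used, and it assumes the TLS provider keeps its client session cache per `SSLContext`. Routing over Tor is out of scope here.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

/** Hypothetical policy class for illustration; not part of the NetCipher API. */
public final class AnonymityPolicy {
    // Constructed placeholder value: one fixed string for every install and device.
    private static final String GENERIC_USER_AGENT = "Mozilla/5.0";
    // Every protection is on unless the developer opts out of it by name.
    private boolean tlsResumption = false;
    private boolean detailedUserAgent = false;
    private boolean httpCache = false;

    public AnonymityPolicy allowTlsResumption() { tlsResumption = true; return this; }
    public AnonymityPolicy allowDetailedUserAgent() { detailedUserAgent = true; return this; }
    public AnonymityPolicy allowHttpCache() { httpCache = true; return this; }

    /** Opens an http(s) URL with the policy applied; nothing is sent until connect(). */
    public HttpURLConnection open(URL url) throws IOException, GeneralSecurityException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (!detailedUserAgent) {
            // Replaces the platform default, which exposes runtime version details.
            conn.setRequestProperty("User-Agent", GENERIC_USER_AGENT);
        }
        if (!httpCache) {
            // Bypass any installed response cache so a stored ETag is never
            // replayed to the server in an If-None-Match header.
            conn.setUseCaches(false);
        }
        if (!tlsResumption && conn instanceof HttpsURLConnection) {
            // Assumption: the session cache is per SSLContext, so a fresh context
            // has no session ID or ticket from an earlier connection to offer.
            SSLContext fresh = SSLContext.getInstance("TLS");
            fresh.init(null, null, null); // default key/trust managers and RNG
            ((HttpsURLConnection) conn).setSSLSocketFactory(fresh.getSocketFactory());
        }
        return conn;
    }
    public static void main(String[] args) throws Exception {
        URL url = new URL("https://example.org/"); // constructed sample URL
        HttpURLConnection strict = new AnonymityPolicy().open(url);
        HttpURLConnection fast = new AnonymityPolicy().allowTlsResumption().open(url);
        System.out.println(strict.getRequestProperty("User-Agent") + " caches=" + strict.getUseCaches());
        System.out.println(fast.getRequestProperty("User-Agent") + " caches=" + fast.getUseCaches());
    }
}
```

Each opt-out is a separate named call, so a speed-for-linkability trade-off shows up in code review instead of being a silent default.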