Christopher Schmidt christopher@ch.ristopher.com wrote:
"Fabio Pietrosanti (naif)" lists-BEJ3GKOyH/EwUp2xcto6ig@public.gmane.org writes:
That's the future of Tor, to be integrated as a library just like an encryption library into application.
No, it's not. Embedding a Tor client in another application cripples auditability, configurability, updateability etc. of Tor. So does embedding a controller. Even worse, an application trying to outsmart the user by controlling Tor on its own poses a severe security risk.
Other than an encryption library, there is no well-defined output to an input that a Tor library should produce.
Tor is a vivid, organic ecosystem of different, replaceable projects that integrate into each other. Embedding a static subset of these in an application is wrong.
On Android, we have developed a library that allows a 3rd party developer's app to check if Orbot (and by extension Tor) is installed and running, and if either is false provides methods to prompt the user to resolve both false states. We also provide simple code for properly proxying app data through SOCKS.
Perhaps a similar approach could be taken for desktop and server apps that want to integrate with Tor?