[tor-dev] Using Tor as a library

Nathan Freitas nathan at freitas.net
Thu Mar 28 12:29:11 UTC 2013



Christopher Schmidt <christopher at ch.ristopher.com> wrote:

>"Fabio Pietrosanti (naif)"
><lists-BEJ3GKOyH/EwUp2xcto6ig at public.gmane.org> writes:
>> That's the future of Tor, to be integrated as a library just like an
>> encryption library into application.
>
>No, it's not.  Embedding a Tor client in another application cripples
>auditability, configurability, updateability etc. of Tor.  So does
>embedding a controller.  Even worse, an application trying to outsmart
>the user by controlling Tor on its own poses a severe security risk.
>
>Other than an encryption library, there is no well-defined output to an
>input that a Tor library should produce.
>
>Tor is a vivid, organic ecosystem of different, replaceable projects
>that integrate into each other.  Embedding a static subset of these in
>an application is wrong.
>

On Android, we have developed a library that allows a 3rd party developer's app to check if Orbot (and by extension Tor) is installed and running, and if either is false provides methods to prompt the user to resolve both false states. We also provide simple code for properly proxying app data through SOCKS.

Perhaps a similar approach could be taken for desktop and server apps that want to integrate with Tor?



More information about the tor-dev mailing list