[tor-talk] Orweb v2 - now supports Android 2.x and 3.x

Mike Perry mikeperry at fscked.org
Thu Jul 28 16:07:12 UTC 2011


Thus spake Nathan Freitas (nathan at freitas.net):

> I mentioned this at the Tor Dev meeting, and now we have a build out.
> The big news is that you can use this on any Android device without
> root. Just install Orbot, connect to Tor, then install this, and you are
> ready to browse like an onion.
> 
> The main issue we are concerned about tracking down is DNS leaks with
> how we are proxying. We have to use HTTP/S proxy support for now, but it
> does seem to be resolving names via Tor, since .onion addresses do work.
> >From here, I'll be talking more with mikeperry about all of the possible
> things we can do to further lockdown webkit, which is the basis for rweb.

Yeah, as a heads up to the community, the first tests that we need done
is to verify that intermediate cert download, HTTPS OCSP, DNS
prefetch, and FTP are all being properly proxied. There are known
issues with the Chrome proxy implementation that cause these items to
bypass proxy settings. It stands to reason that there is a risk for
similar leaks on the Android browser. 

Some manual and/or stress testing over a wifi link + wireshark should
be sufficient here (though finding a page that sources ftp:// urls may
be tricky. You probably will need to create that yourself).


-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20110728/d5b1736b/attachment.pgp>


More information about the tor-talk mailing list